From f123ffa0f838da72e870be876d16495c6a332fcb Mon Sep 17 00:00:00 2001
From: "Mika Ayenson, PhD"
Date: Fri, 9 Jan 2026 08:23:03 -0600
Subject: [PATCH] [Rule Tuning] GenAI DR Tuning (#5506)

---
 ...and_control_genai_process_unusual_domain.toml | 8 +++++---
 ...cess_genai_process_sensitive_file_access.toml | 6 +++++-
 ...efense_evasion_genai_config_modification.toml | 16 +++++++++++-----
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
index 348b81d51..a223b3d18 100644
--- a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
+++ b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/01/08"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:network and host.os.type:macos and
+event.category:network and host.os.type:macos and event.action:connection_attempted and
 process.name:(
 Claude or "Claude Helper" or "Claude Helper (Plugin)" or Copilot or Cursor or "Cursor Helper" or "Cursor Helper (Plugin)" or GPT4All or Jan or "Jan Helper" or
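Review bot: The added `event.action:connection_attempted` term narrows the query to outbound connection attempts, so endpoint network events carrying other actions (for example `connection_accepted`) no longer reach the new-terms evaluation; the rule description and investigation guide, which sit outside this hunk, should say that only outbound connection attempts are evaluated so analysts do not expect inbound or lookup activity from this rule. If the narrowing was done to collapse several events per connection into one new-terms candidate, recording that rationale in the rule note would keep the next tuning from widening it again. The `process.name:(` list continues outside the hunk.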
@@ -95,7 +95,9 @@ process.name:(
 *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or *.msedge.net or *.npmjs.com or *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or
- *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com
+ *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com or
+ *.cartocdn.com or *.chatgpt.com or *.ggpht.com or *.recaptcha.net or *.shields.io or
+ *.travis-ci.com or *.travis-ci.org or *.ytimg.com or flagcdn.com or opencollective.com
 ))
 '''
 
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
index 791e60ebd..8b44d6a9b 100644
--- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
+++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/01/08"
 
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,10 @@ file where event.action in ("open", "creation", "modification") and event.outcom
 "known_hosts", "KeePass.config.xml", "Unattended.xml")
+ ) and not (
+ host.os.type == "windows" and
+ process.name : ("claude.exe", "Claude") and
+ file.path : "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State"
 )
 '''
 
diff --git a/rules/cross-platform/defense_evasion_genai_config_modification.toml b/rules/cross-platform/defense_evasion_genai_config_modification.toml
index 6a48e7cb5..488888e9a 100644
--- a/rules/cross-platform/defense_evasion_genai_config_modification.toml
+++ b/rules/cross-platform/defense_evasion_genai_config_modification.toml
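Review bot: The two new entries `flagcdn.com` and `opencollective.com` are written without the `*.` prefix that every other member of the list carries, so only the apex names are excluded while any subdomain of them can still produce a new-terms hit; if that asymmetry is deliberate it deserves a comment in the rule, otherwise they should take the `*.` form like their neighbours. Several of the other additions (`*.cartocdn.com`, `*.ggpht.com`, `*.ytimg.com`, `*.recaptcha.net`) are general-purpose content hosts rather than infrastructure belonging to any tool in the `process.name` list, and excluding them for every listed process widens the rule's blind spot beyond the vendor domains the list started with. Recording which process produced each false positive, and scoping the exclusion to that process where practical, would keep the allowlist auditable as it grows.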
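Review bot: The new exception identifies the Claude desktop client by `process.name : ("claude.exe", "Claude")` alone, and a process name is chosen by whoever drops the binary, so any executable called `claude.exe` opening that `Local State` file is now exempt from the rule. Anchoring the exception on the signer as well, e.g. `process.code_signature.trusted == true and process.code_signature.subject_name : "<claude-desktop-signer>"` (placeholder; use the vendor's actual subject name), keeps it tied to the genuine client. The exempted path is a single file, so the gap is narrow today, but the same name-only pattern is likely to be copied into later tunings. The enclosing `file where ...` query starts outside the hunk.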
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/12/04"
+updated_date = "2026/01/08"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ note = """## Triage and analysis
 
 ### Investigating Unusual Process Modifying GenAI Configuration File
 
-Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.
+Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.
 
 ### Possible investigation steps
 
@@ -36,9 +36,10 @@ Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama con
 
 ### False positive analysis
 
-- Novel but legitimate configuration changes will trigger this rule when the process/file combination hasn't been seen in 7 days. Review the modified file content to determine legitimacy.
+- Novel but legitimate configuration changes will trigger this rule when the process hasn't been seen modifying these files within the configured history window. Review the modified file content to determine legitimacy.
 - GenAI tool updates may modify config files in new ways; correlate with recent software updates.
 - IDE extensions integrating with GenAI tools may modify configs as part of initial setup.
+- Developer tools (git, go, npm) checking out or downloading projects containing `.gemini/` or `.claude/` directories may trigger alerts. These are project-level configs, not user configs - verify by checking if the path is within a project directory.
 
 ### Response and remediation
 
@@ -81,6 +82,13 @@ file.path : (
 */.grok/* or */AppData/Roaming/Grok/* or */.windsurf/* or */AppData/Roaming/Windsurf/* or */.vscode/extensions/*mcp*
+) and not (
+ file.extension : (lck or lock) or
+ (
+ file.path : */.config/github-copilot/* and
+ file.name : (apps.json or versions.json or copilot*nitrite.db)
+
+ )
 )
 '''
 
@@ -116,5 +124,3 @@ value = ["process.executable"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
-
-
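Review bot: The new false-positive bullet tells the analyst that `.gemini/` or `.claude/` directories arriving with a checked-out project are "project-level configs, not user configs" and can be cleared by confirming the path sits inside a project directory, which reads as if project-scoped config were benign by location; a cloned repository that ships such a directory is the supply-chain case the guide's own threat paragraph lists among the threats, so path alone should not close the alert. Suggest replacing the last sentence with `Verify the project's provenance (trusted repository, expected commit) and review the checked-out config content; a project-level path does not by itself make the change benign.` The false-positive section continues outside the hunk.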
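Review bot: The new `github-copilot` exception is keyed on `file.path` and `file.name` only, so any process writing `apps.json`, `versions.json` or `copilot*nitrite.db` under `.config/github-copilot/` is exempt, not just the Copilot client that legitimately maintains them; `apps.json` there is, as far as I recall, where the client keeps its GitHub authentication data (confirm), which makes an unscoped exception an awkward gap in a rule about unexpected writers. Scoping the branch by the writing process, e.g. adding `process.executable : <copilot-client-executable>` (placeholder) next to the `file.path` term, would preserve the intent, and `process.executable` is already the field the rule learns on per the `value = ["process.executable"]` context at the hunk starting at line 116. The `file.extension : (lck or lock)` branch is likewise unscoped by process, which is probably fine for lock files but worth a one-line comment. Minor: the added blank line before the inner closing `)` should go.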