Mika Ayenson, PhD
f40a383b7e
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
159 lines
6.2 KiB
TOML
159 lines
6.2 KiB
TOML
[metadata]
|
|
creation_date = "2025/12/04"
|
|
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
|
|
maturity = "production"
|
|
updated_date = "2025/12/04"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Detects when GenAI tools spawn compilers or packaging tools to generate executables. Attackers leverage local LLMs to
|
|
autonomously generate and compile malware, droppers, or implants. Python packaging tools (pyinstaller, nuitka, pyarmor)
|
|
are particularly high-risk as they create standalone executables that can be deployed without dependencies. This rule
|
|
focuses on compilation activity that produces output binaries, filtering out inspection-only operations.
|
|
"""
|
|
from = "now-9m"
|
|
index = [
|
|
"logs-endpoint.events.process-*",
|
|
"logs-windows.sysmon_operational-*",
|
|
"logs-m365_defender.event-*",
|
|
"logs-sentinel_one_cloud_funnel.*",
|
|
"logs-auditd_manager.auditd-*",
|
|
]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "GenAI Process Compiling or Generating Executables"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating GenAI Process Compiling or Generating Executables
|
|
|
|
This rule detects GenAI tools spawning compilers or packaging tools. While developers may use GenAI to write code that they then compile, autonomous compilation by GenAI processes is unusual.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the GenAI process that spawned the compiler to identify which tool is running and verify if it's an expected/authorized tool.
|
|
- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
|
|
- Review the output files created by the compilation process to identify any malicious executables.
|
|
- Check for other alerts or suspicious activity on the same host around the same time.
|
|
- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.
|
|
- Identify whether the generated executables appear in temporary directories often used for malware staging (`%TEMP%`, `/tmp`, `.cache`).
|
|
- Inspect the compiled artifacts for networking imports, credential harvesting functionality, or persistence mechanisms.
|
|
|
|
### False positive analysis
|
|
|
|
- Legitimate development workflows that use GenAI tools for code generation may trigger this rule if they compile the generated code.
|
|
- Some GenAI-assisted coding IDEs (Cursor, Copilot Workspace) may run compilation tasks when testing code; confirm whether the behavior is tied to developer workflow.
|
|
|
|
### Response and remediation
|
|
|
|
- Terminate the GenAI process and any spawned compiler processes to stop the malicious activity.
|
|
- Investigate the compiled executables to determine if they are malicious.
|
|
- Review audit logs to determine the scope of compilation activity and identify any executables that may have been created.
|
|
- Quarantine any compiled binaries; submit suspicious artifacts to sandbox or malware analysis.
|
|
"""
|
|
references = [
|
|
"https://atlas.mitre.org/techniques/AML.T0053",
|
|
"https://www.elastic.co/security-labs/elastic-advances-llm-security",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
|
|
severity = "medium"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"OS: macOS",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Tactic: Defense Evasion",
|
|
"Data Source: Elastic Defend",
|
|
"Data Source: Sysmon",
|
|
"Data Source: Auditd Manager",
|
|
"Data Source: Microsoft Defender for Endpoint",
|
|
"Data Source: SentinelOne",
|
|
"Resources: Investigation Guide",
|
|
"Domain: LLM",
|
|
"Mitre Atlas: T0053",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where event.type == "start" and
|
|
|
|
// GenAI parent process
|
|
(
|
|
process.parent.name in (
|
|
"ollama.exe", "ollama", "Ollama",
|
|
"textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
|
|
"lmstudio.exe", "lmstudio", "LM Studio",
|
|
"claude.exe", "claude", "Claude",
|
|
"cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
|
|
"copilot.exe", "copilot", "Copilot",
|
|
"codex.exe", "codex",
|
|
"Jan", "jan.exe", "jan", "Jan Helper",
|
|
"gpt4all.exe", "gpt4all", "GPT4All",
|
|
"gemini-cli.exe", "gemini-cli",
|
|
"genaiscript.exe", "genaiscript",
|
|
"grok.exe", "grok",
|
|
"qwen.exe", "qwen",
|
|
"koboldcpp.exe", "koboldcpp", "KoboldCpp",
|
|
"llama-server", "llama-cli"
|
|
) or
|
|
|
|
// Node/Deno with GenAI frameworks
|
|
(process.parent.name in ("node.exe", "node", "deno.exe", "deno") and
|
|
process.parent.command_line like~ ("*mcp-server*", "*@modelcontextprotocol*", "*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*")) or
|
|
|
|
// Python with GenAI frameworks
|
|
(process.parent.name like~ "python*" and
|
|
process.parent.command_line like~ ("*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*"))
|
|
) and
|
|
|
|
// Compilation tools
|
|
(
|
|
// Python packaging
|
|
process.name in ("pyinstaller", "py2exe", "cx_Freeze", "nuitka", "pyarmor", "pkg") or
|
|
|
|
// C/C++ compilation with output
|
|
(process.name in ("gcc", "g++", "clang", "clang++", "cl.exe") and
|
|
process.command_line like~ "*-o *" and
|
|
process.command_line like~ ("*.c *", "*.c", "*.cpp *", "*.cpp", "*.cc *", "*.cc", "*.m *", "*.m") and
|
|
not process.command_line like~ "*git*") or
|
|
|
|
// Go compilation
|
|
(process.name == "go" and process.args == "build") or
|
|
|
|
// Rust compilation
|
|
(process.name == "cargo" and process.args == "build") or
|
|
(process.name == "rustc" and process.command_line like~ "*-o *") or
|
|
|
|
// .NET compilation
|
|
process.name in ("csc.exe", "vbc.exe", "msbuild.exe") or
|
|
(process.name == "dotnet" and process.args == "build") or
|
|
|
|
// Java compilation
|
|
process.name == "javac"
|
|
)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1027"
|
|
name = "Obfuscated Files or Information"
|
|
reference = "https://attack.mitre.org/techniques/T1027/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1027.004"
|
|
name = "Compile After Delivery"
|
|
reference = "https://attack.mitre.org/techniques/T1027/004/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0005"
|
|
name = "Defense Evasion"
|
|
reference = "https://attack.mitre.org/tactics/TA0005/"
|
|
|