Elastic · Severity: high · TTP
GenAI Process Accessing Sensitive Files
Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: on Linux only creation events are available; access (open) events are not yet implemented.
Detection Query
file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
  // GenAI process
  (
    process.name in (
      "ollama.exe", "ollama", "Ollama",
      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
      "lmstudio.exe", "lmstudio", "LM Studio",
      "claude.exe", "claude", "Claude",
      "cursor.exe", "cursor", "Cursor",
      "copilot.exe", "copilot", "Copilot",
      "codex.exe", "codex",
      "Jan", "jan.exe", "jan",
      "gpt4all.exe", "gpt4all", "GPT4All",
      "gemini-cli.exe", "gemini-cli",
      "genaiscript.exe", "genaiscript",
      "grok.exe", "grok",
      "qwen.exe", "qwen",
      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
      "llama-server", "llama-cli"
    ) or
    // OpenClaw/Moltbot/Clawdbot via Node.js
    (process.name in ("node", "node.exe") and
     process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*"))
  ) and
  // Sensitive file paths
  (
    // Persistence via Shell configs
    file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
    // Credentials In Files
    file.name like~
      ("key?.db",
       "logins.json",
       "Login Data",
       "Local State",
       "signons.sqlite",
       "Cookies",
       "cookies.sqlite",
       "Cookies.binarycookies",
       "login.keychain-db",
       "System.keychain",
       "credentials.db",
       "credentials",
       "access_tokens.db",
       "accessTokens.json",
       "azureProfile.json",
       "RDCMan.settings",
       "known_hosts",
       "KeePass.config.xml",
       "Unattended.xml")
  ) and not (
    host.os.type == "windows" and
    process.name : ("claude.exe", "Claude") and
    file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
                 "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
  )
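To see exactly what the query above does and does not fire on, here is the rule's logic re-implemented in plain Python and run over a handful of constructed ECS-style file events. This is an added example, not Elastic's code, and it does not execute EQL: it models EQL `in` as an exact, case-sensitive match and `like~` / `:` as case-insensitive globs in which only `*` and `?` are wildcards. The host names, PIDs, paths and the OpenClaw command line are made up for illustration, and the `harvesting_candidates` helper is my own addition for the investigation guide's "multiple sensitive directories in sequence" step. Two points the rule text does not make explicit are visible in the output: a process named `OLLAMA` is not matched because `in` is case-sensitive, and `~/.ssh/id_*` private keys, although named in the description, are not in the `file.name` list and therefore do not alert.

```python
"""Plain-Python model of the rule's EQL conditions over constructed ECS-style events
(added example, not Elastic's code; nothing here executes EQL)."""
import functools
import re
from collections import defaultdict

# Lists copied from the rule's query.
GENAI_PROCESS_NAMES = {
    "ollama.exe", "ollama", "Ollama", "textgen.exe", "textgen", "text-generation-webui.exe",
    "oobabooga.exe", "lmstudio.exe", "lmstudio", "LM Studio", "claude.exe", "claude", "Claude",
    "cursor.exe", "cursor", "Cursor", "copilot.exe", "copilot", "Copilot", "codex.exe", "codex",
    "Jan", "jan.exe", "jan", "gpt4all.exe", "gpt4all", "GPT4All", "gemini-cli.exe", "gemini-cli",
    "genaiscript.exe", "genaiscript", "grok.exe", "grok", "qwen.exe", "qwen",
    "koboldcpp.exe", "koboldcpp", "KoboldCpp", "llama-server", "llama-cli",
}
NODE_AGENT_CMDLINE = ("*openclaw*", "*moltbot*", "*clawdbot*")
SHELL_CONFIGS = {".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout"}
CREDENTIAL_FILES = (
    "key?.db", "logins.json", "Login Data", "Local State", "signons.sqlite", "Cookies",
    "cookies.sqlite", "Cookies.binarycookies", "login.keychain-db", "System.keychain",
    "credentials.db", "credentials", "access_tokens.db", "accessTokens.json", "azureProfile.json",
    "RDCMan.settings", "known_hosts", "KeePass.config.xml", "Unattended.xml",
)
# EQL unescapes the query's "\\" to one backslash; these are the effective patterns.
CLAUDE_LOCAL_STATE = (
    r"?:\Users\*\AppData\Roaming\Claude\Local State",
    r"?:\Users\*\AppData\Local\Packages\Claude_*\LocalCache\Roaming\Claude\Local State",
)

@functools.lru_cache(maxsize=None)
def _glob(pattern):
    """Compile an EQL glob: `*` = any run, `?` = one char, everything else literal."""
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                              for c in pattern), re.IGNORECASE | re.DOTALL)

def wildcard_match(value, patterns):
    """Models EQL `like~` and `:`: case-insensitive, whole-string glob match."""
    return value is not None and any(_glob(p).fullmatch(value) for p in patterns)

def is_genai_process(ev):
    name = ev.get("process.name")
    return name in GENAI_PROCESS_NAMES or (  # EQL `in` is exact: "OLLAMA" does not match
        name in ("node", "node.exe")
        and wildcard_match(ev.get("process.command_line"), NODE_AGENT_CMDLINE))

def is_sensitive_file(ev):
    name = ev.get("file.name")
    return name in SHELL_CONFIGS or wildcard_match(name, CREDENTIAL_FILES)

def is_excluded(ev):
    """The rule's only exception: Claude on Windows touching its own Local State."""
    return (ev.get("host.os.type") == "windows"
            and wildcard_match(ev.get("process.name"), ("claude.exe", "Claude"))
            and wildcard_match(ev.get("file.path"), CLAUDE_LOCAL_STATE))

def rule_matches(ev):
    return (ev.get("event.category") == "file"
            and ev.get("event.action") in ("open", "creation", "modification")
            and ev.get("event.outcome") == "success"
            and is_genai_process(ev) and is_sensitive_file(ev) and not is_excluded(ev))

def harvesting_candidates(events, min_distinct_dirs=2):
    """Triage helper (my assumption, not part of the rule) for the guide's 'multiple
    sensitive directories in sequence' step: (host, pid) -> sorted distinct parent dirs."""
    dirs = defaultdict(set)
    for ev in events:
        if rule_matches(ev):
            dirs[(ev["host.name"], ev["process.pid"])].add(
                "/".join(re.split(r"[\\/]", ev["file.path"])[:-1]))
    return {k: sorted(v) for k, v in dirs.items() if len(v) >= min_distinct_dirs}

def _ev(host, os_type, pid, name, action, path, cmdline=None, outcome="success"):
    """Minimal ECS-style event; file.name is derived from the path."""
    return {"event.category": "file", "event.action": action, "event.outcome": outcome,
            "host.name": host, "host.os.type": os_type, "process.pid": pid,
            "process.name": name, "process.command_line": cmdline,
            "file.path": path, "file.name": re.split(r"[\\/]", path)[-1]}

OPENCLAW = "node /opt/openclaw/dist/index.js"  # hypothetical agent command line
FF = "/Users/alice/Library/Application Support/Firefox/Profiles/abc.default"
SAMPLE_EVENTS = [  # constructed telemetry, not real alerts
    _ev("lnx-dev", "linux", 4101, "ollama", "creation", "/home/alice/.bashrc"),        # alert
    _ev("mac-dev", "macos", 5120, "cursor", "open", FF + "/key4.db"),                   # alert (key?.db)
    _ev("mac-dev", "macos", 5120, "cursor", "open", "/Users/alice/.ssh/id_ed25519"),   # no alert: id_* not listed
    _ev("win-dev", "windows", 6001, "claude.exe", "open",
        r"C:\Users\alice\AppData\Roaming\Claude\Local State"),                          # excluded by the rule
    _ev("win-dev", "windows", 6001, "claude.exe", "open",
        r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),           # alert
    _ev("mac-dev", "macos", 7300, "node", "open", "/Users/alice/.aws/credentials", OPENCLAW),  # alert
    _ev("mac-dev", "macos", 7300, "node", "open", FF + "/logins.json", OPENCLAW),              # alert
    _ev("mac-dev", "macos", 7300, "node", "modification", "/Users/alice/.zshrc", OPENCLAW),    # alert
    _ev("mac-dev", "macos", 7300, "node", "open", "/Users/alice/.aws/credentials", OPENCLAW,
        outcome="failure"),                                                             # no alert
    _ev("lnx-dev", "linux", 8000, "node", "creation", "/home/alice/.bashrc", "node server.js"),  # no alert
]

if __name__ == "__main__":
    print(*[f'{"ALERT" if rule_matches(e) else "    -"} {e["process.name"]} {e["file.path"]}'
            for e in SAMPLE_EVENTS], sep="\n")
    print("harvesting candidates:", harvesting_candidates(SAMPLE_EVENTS))
```

Run as a script it marks six of the ten events as alerts and flags only the OpenClaw node process (three distinct directories: `~/.aws`, the Firefox profile and `~` itself) as a harvesting candidate. The single `cursor` alert on `key4.db` is not flagged because the adjacent `id_ed25519` read never matched, which is the practical consequence of the rule keying on `file.name` alone.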
Author: Elastic
Created: 2025/12/04
Data Sources: Elastic Defend (logs-endpoint.events.file*)
References
- https://atlas.mitre.org/techniques/AML.T0085
- https://atlas.mitre.org/techniques/AML.T0085.001
- https://atlas.mitre.org/techniques/AML.T0055
- https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks
- https://www.elastic.co/security-labs/elastic-advances-llm-security
- https://specterops.io/blog/2025/11/21/an-evening-with-claude-code
Tags
Domain: Endpoint, OS: Linux, OS: macOS, OS: Windows, Use Case: Threat Detection, Tactic: Collection, Tactic: Credential Access, Data Source: Elastic Defend, Resources: Investigation Guide, Domain: LLM, Mitre Atlas: T0085, Mitre Atlas: T0085.001, Mitre Atlas: T0055
Raw Content
[metadata]
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
description = """
Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
(.bashrc, .zshrc) indicate persistence attempts. Note: on Linux only creation events are available; access (open) events are not yet implemented.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "GenAI Process Accessing Sensitive Files"
note = """## Triage and analysis
### Investigating GenAI Process Accessing Sensitive Files
This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
### Possible investigation steps
- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
### False positive analysis
- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
- The query keys on file.name alone, so a file named credentials, Cookies, or known_hosts inside a project checkout triggers it regardless of its path; confirm that file.path points at an actual credential store before escalating.
### Response and remediation
- Immediately review the GenAI process that accessed the files to determine if it's compromised or malicious.
- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
- Investigate the file access patterns to determine the scope of potential data exfiltration.
- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
"""
references = [
"https://atlas.mitre.org/techniques/AML.T0085",
"https://atlas.mitre.org/techniques/AML.T0085.001",
"https://atlas.mitre.org/techniques/AML.T0055",
"https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
"https://www.elastic.co/security-labs/elastic-advances-llm-security",
"https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
]
risk_score = 73
rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Collection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Domain: LLM",
"Mitre Atlas: T0085",
"Mitre Atlas: T0085.001",
"Mitre Atlas: T0055",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
  // GenAI process
  (
    process.name in (
      "ollama.exe", "ollama", "Ollama",
      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
      "lmstudio.exe", "lmstudio", "LM Studio",
      "claude.exe", "claude", "Claude",
      "cursor.exe", "cursor", "Cursor",
      "copilot.exe", "copilot", "Copilot",
      "codex.exe", "codex",
      "Jan", "jan.exe", "jan",
      "gpt4all.exe", "gpt4all", "GPT4All",
      "gemini-cli.exe", "gemini-cli",
      "genaiscript.exe", "genaiscript",
      "grok.exe", "grok",
      "qwen.exe", "qwen",
      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
      "llama-server", "llama-cli"
    ) or
    // OpenClaw/Moltbot/Clawdbot via Node.js
    (process.name in ("node", "node.exe") and
     process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*"))
  ) and
  // Sensitive file paths
  (
    // Persistence via Shell configs
    file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
    // Credentials In Files
    file.name like~
      ("key?.db",
       "logins.json",
       "Login Data",
       "Local State",
       "signons.sqlite",
       "Cookies",
       "cookies.sqlite",
       "Cookies.binarycookies",
       "login.keychain-db",
       "System.keychain",
       "credentials.db",
       "credentials",
       "access_tokens.db",
       "accessTokens.json",
       "azureProfile.json",
       "RDCMan.settings",
       "known_hosts",
       "KeePass.config.xml",
       "Unattended.xml")
  ) and not (
    host.os.type == "windows" and
    process.name : ("claude.exe", "Claude") and
    file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
                 "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
  )
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.001"
name = "Credentials In Files"
reference = "https://attack.mitre.org/techniques/T1552/001/"
[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1005"
name = "Data from Local System"
reference = "https://attack.mitre.org/techniques/T1005/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"