Loading

Unusual Process Modifying GenAI Configuration File

Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.

Rule type: new_terms
Rule indices:

  • logs-endpoint.events.file*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Tactic: Persistence
  • Data Source: Elastic Defend
  • Resources: Investigation Guide
  • Domain: LLM

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.

  • Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).
  • If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.
  • If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.
  • Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.
  • Examine the process command line and parent process tree to identify how the modifying process was invoked.
  • Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.
  • Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.
  • Novel but legitimate configuration changes will trigger this rule when the process/file combination hasn't been seen in 7 days. Review the modified file content to determine legitimacy.
  • GenAI tool updates may modify config files in new ways; correlate with recent software updates.
  • IDE extensions integrating with GenAI tools may modify configs as part of initial setup.
  • Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.
  • If malicious MCP servers were added, block the associated domains at the network level.
  • Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.
event.category : "file" and event.action : ("modification" or "overwrite") and
file.path : (
    */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or
    */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or
    */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or
    */.ollama/config* or */AppData/Local/Ollama/* or
    */.codex/* or */AppData/Roaming/Codex/* or
    */.gemini/* or */AppData/Roaming/gemini-cli/* or
    */.grok/* or */AppData/Roaming/Grok/* or
    */.windsurf/* or */AppData/Roaming/Windsurf/* or
    */.vscode/extensions/*mcp*
)

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK