@@ -13,7 +13,7 @@ and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests h
1313configs (.bashrc, .zshrc) indicate persistence attempts.
1414"""
1515from = " now-9m"
16- index = [" logs-endpoint.events.*" ]
16+ index = [" logs-endpoint.events.file *" ]
1717language = " eql"
1818license = " Elastic License v2"
1919name = " GenAI Process Accessing Sensitive Files"
@@ -77,8 +77,7 @@ type = "eql"
7777query = '''
7878file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
7979
80- // GenAI process or child of GenAI process
81- (
80+ // GenAI process
8281 process.name in (
8382 "ollama.exe", "ollama", "Ollama",
8483 "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
@@ -95,57 +94,35 @@ file where event.action in ("open", "creation", "modification") and event.outcom
9594 "qwen.exe", "qwen",
9695 "koboldcpp.exe", "koboldcpp", "KoboldCpp",
9796 "llama-server", "llama-cli"
98- ) or
99- process.parent.name in (
100- "ollama.exe", "ollama", "Ollama",
101- "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
102- "lmstudio.exe", "lmstudio", "LM Studio",
103- "claude.exe", "claude", "Claude",
104- "cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
105- "copilot.exe", "copilot", "Copilot",
106- "codex.exe", "codex",
107- "Jan", "jan.exe", "jan", "Jan Helper",
108- "gpt4all.exe", "gpt4all", "GPT4All",
109- "gemini-cli.exe", "gemini-cli",
110- "genaiscript.exe", "genaiscript",
111- "grok.exe", "grok",
112- "qwen.exe", "qwen",
113- "koboldcpp.exe", "koboldcpp", "KoboldCpp",
114- "llama-server", "llama-cli"
115- )
116- ) and
97+ ) and
11798
11899 // Sensitive file paths
119100 (
120- // Cloud credentials
121- file.path like~ ("*/.aws/credentials*", "*/.aws/config*", "*/.azure/*", "*/.config/gcloud/*") or
122- // SSH keys and config
123- file.path like~ ("*/.ssh/id_*", "*/.ssh/config*", "*/.ssh/known_hosts*", "*/.ssh/authorized_keys*") or
124- // Shell configs (persistence)
125- file.path like~ ("*/.bashrc*", "*/.bash_profile*", "*/.zshrc*", "*/.zshenv*", "*/.zprofile*", "*/.profile*", "*/.bash_logout*") or
126- // Browser credentials
127- file.path like~ ("*/Login Data*", "*/Cookies*", "*/Web Data*", "*\\Login Data*", "*\\Cookies*", "*\\Web Data*") or
128- // macOS Keychain
129- file.path like~ ("*/Keychain/*.keychain*", "*/keychains/*.keychain-db*") or
130- // Git credentials
131- file.path like~ ("*/.git-credentials*", "*/.netrc*") or
132- // GPG/PGP keys
133- file.path like~ ("*/.gnupg/*", "*/.pgp/*") or
134- // Docker credentials
135- file.path like~ ("*/.docker/config.json*") or
136- // Kubernetes config
137- file.path like~ ("*/.kube/config*") or
138- // Package manager tokens
139- file.path like~ ("*/.npmrc*", "*/.yarnrc*") or
140- // Python credentials
141- file.path like~ ("*/.pypirc*", "*/pip.conf*") or
142- // GitHub CLI config
143- file.path like~ ("*/.config/gh/*", "*/.config/hub*") or
144- // Password managers
145- file.path like~ ("*1Password*", "*Bitwarden*", "*KeePass*", "*LastPass*") or
146- // Windows credentials
147- file.path like~ ("*\\AppData\\*\\Credentials\\*", "*\\AppData\\*\\Vault\\*")
148- ) and
101+ // Persistence via Shell configs
102+ file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
103+
104+ // Credentials In Files
105+ file.name like~
106+ ("key?.db",
107+ "logins.json",
108+ "Login Data",
109+ "Local State",
110+ "signons.sqlite",
111+ "Cookies",
112+ "cookies.sqlite",
113+ "Cookies.binarycookies",
114+ "login.keychain-db",
115+ "System.keychain",
116+ "credentials.db",
117+ "credentials",
118+ "access_tokens.db",
119+ "accessTokens.json",
120+ "azureProfile.json",
121+ "RDCMan.settings",
122+ "known_hosts",
123+ "KeePass.config.xml",
124+ "Unattended.xml")
125+ )
149126
150127 // Exclusions
151128 not (
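Review bot: The rewritten file-name list has no entry for SSH private keys, yet the rule description quoted in the first hunk's header (`Access to credential stores (.aws/credentials, .ssh/id_*)`) still presents `.ssh/id_*` as a detected case; either add the default key names (`"id_rsa", "id_ecdsa", "id_ed25519"`) to the `file.name like~` list or update the description so the two agree. Coverage of `.ssh/config`, `.git-credentials`, `.netrc`, `.kube/config`, `.npmrc` and `.pypirc` is also dropped by this hunk, which looks deliberate (the move from `file.path` to `file.name` cannot express directory context) but deserves a one-line comment above the block stating that directory-scoped secrets are intentionally out of scope. The block also mixes the case-sensitive `file.name in (...)` for shell configs with the case-insensitive `file.name like~ (...)` for credential files, where only `"key?.db"` actually needs a wildcard; using `in~` for the literal names would make the intended matching explicit rather than incidental. The enclosing `query` string begins in the previous hunk and continues past this one (the `// Exclusions` / `not (` clause is cut off).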