Skip to content
Threat Feed
medium advisory

Unusual Modification of GenAI Tool Configuration File

This rule detects unusual modifications to GenAI tool configuration files, potentially indicating an attacker injecting malicious MCP server configurations to hijack AI agents for persistence, command and control, or data exfiltration.

This detection identifies suspicious modifications to configuration files associated with Generative AI (GenAI) tools such as Cursor, Claude, Copilot, and Ollama. Attackers may attempt to inject malicious Model Context Protocol (MCP) server configurations into these files. This allows them to hijack AI agents for various malicious purposes, including persistence, establishing command and control (C2) channels, or exfiltrating sensitive data. The attack vectors can include direct modification via malware or compromised scripts, supply chain attacks through tainted dependencies, and prompt injection attacks where the GenAI tool is manipulated into altering its own settings. Successful modification allows unauthorized MCP servers to execute arbitrary commands upon subsequent invocations of the affected AI tool. The timeframe for detection looks back 9 months.

Attack Chain

  1. Initial Compromise: An attacker gains initial access via malware, compromised scripts, or supply chain vulnerabilities targeting GenAI development environments.
  2. Configuration Discovery: The attacker identifies the location of GenAI tool configuration files, such as .cursor/mcp.json, .claude/, or .config/github-copilot/.
  3. Malicious Modification: The attacker modifies the configuration file, injecting a malicious MCP server URL or unauthorized plugin configurations. This could be achieved through direct file modification using scripting tools, or via prompt injection techniques.
  4. Persistence via MCP: The attacker leverages the injected malicious MCP server for persistence. The GenAI tool will load the attacker's server on next invocation.
  5. Command and Control: The injected MCP server establishes a command and control (C2) channel, allowing the attacker to remotely control the compromised AI agent.
  6. Data Exfiltration or Code Execution: Once the MCP server is running, the attacker executes arbitrary commands or exfiltrates sensitive data via the compromised AI agent. This data can include API keys, proprietary code, or customer data accessible by the GenAI tool.
  7. Lateral Movement: The attacker uses the compromised GenAI tool as a pivot point to move laterally within the network, accessing other sensitive systems or data.

Impact

A successful attack can lead to the compromise of sensitive data handled by the GenAI tool, including API keys, source code, and user data. The attacker could also use the compromised AI agent for persistence, allowing them to maintain a foothold within the targeted environment. Successful exploitation could lead to significant data breaches, intellectual property theft, and reputational damage. The rule's description mentions the Cybereason blog on weaponized AI and MCPs, noting it being used for account takeover.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect unusual processes modifying GenAI configuration files based on the file paths specified in the file.path field of the rule.
  • Investigate any alerts generated by the Sigma rule by examining the modifying process's origin, parent process tree, and network connections.
  • Monitor file integrity using tools like Sysmon or auditd on the GenAI configuration file paths to detect unauthorized modifications.
  • Implement network-level blocking for any unauthorized MCP server URLs discovered in compromised configuration files.
  • Rotate any potentially exposed API keys or credentials that may have been compromised through the GenAI configuration files.

Detection coverage 3

Detect Unusual Process Modifying GenAI Configuration File - Generic

medium

Detects processes not normally associated with GenAI tools modifying their configuration files.

sigma tactics: defense_evasion, persistence techniques: T1556 sources: file_event, windows

Detect Suspicious Process Modifying GenAI Configuration File - Specific Paths

medium

Detects file modification events on specific GenAI configuration file paths.

sigma tactics: defense_evasion, persistence techniques: T1556 sources: file_event, windows

Detect process executable changing the config file

medium

Detects processes not normally associated with GenAI tools modifying their configuration files by inspecting the `process.executable` field.

sigma tactics: defense_evasion, persistence techniques: T1556 sources: file_event, windows

Detection queries are available on the platform. Get full rules →