Jan — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/jan/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 02 May 2024 14:22:30 +0000GenAI Process Connection to Unusual Domain on macOShttps://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/Thu, 02 May 2024 14:22:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.This threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule 9050506c-df6d-4bdf-bc82-fcad0ef1e8c1 focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.

Attack Chain

  1. Adversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.
  2. The compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.
  3. The GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).
  4. The macOS system’s network stack resolves the attacker’s domain to its corresponding IP address.
  5. The GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.
  6. The attacker uses the C2 channel to send commands to the compromised GenAI tool.
  7. The GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.

Impact

Compromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization’s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.

Recommendation

  • Deploy the Sigma rule “GenAI Process Connecting to Unusual Domain” to your SIEM and tune for your environment (see rule below).
  • Enable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process’s behavior.
  • Block any identified malicious domains at the network level (see query in the provided source).
  • Review the GenAI tool’s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.
  • Regularly update the list of allowed domains in the Sigma rule’s filter to account for legitimate updates to GenAI tool infrastructure.
]]>mediumadvisorygenaicommand and controlmacosnetwork connection