<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Genai — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/genai/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 01 May 2026 22:46:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/genai/feed.xml" rel="self" type="application/rss+xml"/><item><title>GenAI Tools Accessing Sensitive Files for Credential Access and Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/</link><pubDate>Fri, 01 May 2026 22:46:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/</guid><description>This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.</description><content:encoded><![CDATA[<p>Attackers are increasingly leveraging GenAI agents to automate the discovery and exfiltration of sensitive information, including credentials, API keys, and tokens stored within files on compromised systems. The observed activity involves GenAI tools accessing critical files such as cloud credentials, SSH keys, browser password databases, and shell configuration files. Successful exploitation allows attackers to harvest credentials, gain unauthorized access to systems, and establish persistence mechanisms for continued access. 
The GenAI tools mentioned include ollama, textgen, lmstudio, claude, cursor, copilot, codex, jan, gpt4all, gemini-cli, genaiscript, grok, qwen, koboldcpp, llama-server, windsurf, zed, opencode, and goose. This activity highlights the emerging threat landscape of AI-assisted attacks and the need for robust detection and mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of a system through an unrelated vulnerability or social engineering.</li>
<li>Installation or execution of a GenAI tool (e.g., ollama, lmstudio) on the compromised system, or abuse of an agent the user already has installed.</li>
<li>The GenAI tool is configured or instructed to scan the file system for sensitive files, either directly by the attacker or through injected instructions delivered by a prompt, a malicious MCP server, or a poisoned plugin.</li>
<li>The GenAI tool accesses files containing credentials, such as <code>.aws/credentials</code>, browser password databases (Chromium&rsquo;s <code>Login Data</code>; Firefox&rsquo;s <code>logins.json</code> together with <code>key4.db</code>, or <code>key3.db</code> in legacy profiles), or SSH private keys (<code>.ssh/id_*</code>).</li>
<li>The GenAI tool exfiltrates the harvested credentials and API keys to a remote server controlled by the attacker.</li>
<li>The attacker uses the stolen credentials to gain unauthorized access to cloud resources, internal systems, or other sensitive accounts.</li>
<li>The GenAI tool appends commands to shell startup files (e.g., <code>.bashrc</code>, <code>.zshrc</code>) to establish persistence.</li>
<li>Each time the user starts a new interactive shell (at login or whenever a terminal is opened), the modified startup file runs the injected commands, giving the attacker persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this threat can lead to significant data breaches, unauthorized access to critical systems, and persistent compromise of affected environments. Attackers can leverage stolen credentials to escalate privileges, move laterally within the network, and exfiltrate sensitive data. The number of victims and the sectors targeted are currently unknown, but the potential impact is broad given the increasing adoption of GenAI tools across industries; a developer workstation with an agent installed typically holds cloud, source-control and SSH credentials in exactly the files listed above. Credential theft can lead to financial loss, intellectual property theft, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;GenAI Process Accessing Sensitive Files&rdquo; to your SIEM to detect GenAI tools accessing sensitive files on endpoints.</li>
<li>Enable file access monitoring on systems where GenAI tools are used so that access events are available for analysis: for example auditd read/write watches on <code>~/.ssh</code> and <code>~/.aws</code> on Linux, Endpoint Security file-open events on macOS, or object-access auditing with a SACL on the sensitive files on Windows.</li>
<li>Review and restrict the use of GenAI tools within the environment, especially concerning access to sensitive file paths.</li>
<li>Monitor for modifications to shell configuration files (e.g., <code>.bashrc</code>, <code>.zshrc</code>, <code>.profile</code>) as an indicator of persistence attempts.</li>
<li>Implement regular credential rotation policies to minimize the impact of stolen credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>genai</category><category>credential-access</category><category>persistence</category><category>collection</category></item><item><title>GenAI Tool Access to Sensitive Files for Credential Harvesting and Persistence</title><link>https://feed.craftedsignal.io/briefs/2024-01-genai-sensitive-file-access/</link><pubDate>Wed, 22 Apr 2026 16:34:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-genai-sensitive-file-access/</guid><description>This brief outlines the threat of attackers leveraging GenAI tools to access sensitive files containing credentials, SSH keys, browser data, and shell configurations for credential access and persistence.</description><content:encoded><![CDATA[<p>Attackers are increasingly exploiting GenAI tools to automate the discovery and exfiltration of sensitive information from compromised systems. This involves using GenAI agents to systematically scan file systems for credentials, API keys, tokens, and other secrets. Reads of credential stores (<code>.aws/credentials</code>, <code>.ssh/id_*</code>) indicate credential harvesting, while writes to shell configuration files (<code>.bashrc</code>, <code>.zshrc</code>) point to persistence attempts. The observed activity relies on legitimate GenAI tool functionality (an agent reading and editing files on instruction), which makes benign use hard to distinguish from malicious intent on file access alone. This technique has become more prevalent since late 2025, with attackers refining methods to instruct GenAI agents to specifically target and exfiltrate sensitive files. Defenders must monitor for unusual file access patterns by GenAI processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a system via phishing or exploiting a software vulnerability.</li>
<li>Attacker installs or deploys a GenAI tool (e.g., LM Studio, Claude, Copilot) on the compromised system, or abuses one the user already runs.</li>
<li>The attacker configures the GenAI tool to scan the file system for specific file names and patterns associated with sensitive data (credentials, keys, cookies).</li>
<li>The GenAI tool accesses files such as <code>.aws/credentials</code>, <code>.ssh/id_rsa</code>, browser login databases (e.g., <code>Login Data</code>, <code>logins.json</code>, <code>Cookies</code>), and other credential stores.</li>
<li>The GenAI tool may modify shell configuration files (<code>.bashrc</code>, <code>.zshrc</code>) to establish persistence.</li>
<li>The GenAI tool stages the collected data for exfiltration.</li>
<li>The attacker exfiltrates the harvested credentials and data to an external server.</li>
<li>The attacker uses the stolen credentials to gain unauthorized access to other systems or cloud resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to widespread credential compromise, allowing attackers to move laterally within a network, access sensitive data, and potentially disrupt critical business operations. A single compromised developer workstation could expose cloud infrastructure credentials, impacting hundreds of systems and services. The use of GenAI tools allows for rapid and automated credential harvesting, significantly increasing the scale and speed of potential breaches. Sectors at high risk include software development, cloud computing, and any organization that relies heavily on API keys and secrets for authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GenAI Process Accessing Sensitive Files</code> to your SIEM to detect GenAI tools accessing sensitive files. Tune for your environment to reduce false positives.</li>
<li>Monitor file access events, specifically looking for GenAI processes (ollama, lmstudio, claude) accessing files with names like <code>credentials</code>, <code>id_rsa</code>, <code>logins.json</code>, and <code>.bashrc</code>, as outlined in the Sigma rule.</li>
<li>Implement stricter access controls and monitoring for sensitive directories like <code>.aws</code>, <code>.ssh</code>, and browser profile directories.</li>
<li>Regularly audit and rotate credentials, API keys, and tokens, especially those stored in files.</li>
<li>Educate developers and users about the risks of using GenAI tools to handle sensitive data.</li>
</ul>
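<p>The file-access detection that both briefs above recommend, as an added example that is not part of either brief and not the published Sigma rule: Python logic that applies the same process list and sensitive-path matching to file-access events (process, action, path) and separates credential reads from shell-startup-file writes. Everything beyond the briefs is an assumption for illustration: the event shape, the constructed sample events, the extra credential stores (<code>.netrc</code>, <code>.kube/config</code>), and the two tuning choices (ignoring <code>.pub</code> public keys, and treating only writes to shell startup files as persistence).</p>

```python
"""Detection logic for GenAI processes touching credential stores and shell
startup files. Added example; not the published Sigma rule. The event shape,
sample events and the extra paths beyond the briefs are assumptions."""
import fnmatch
import json
import os
from typing import Dict, Iterable, List, Optional

# Process names listed in the briefs, matched on the executable basename.
GENAI_PROCESSES = {
    "ollama", "textgen", "lmstudio", "claude", "cursor", "copilot", "codex",
    "jan", "gpt4all", "gemini-cli", "genaiscript", "grok", "qwen", "koboldcpp",
    "llama-server", "windsurf", "zed", "opencode", "goose",
}

# Sensitive paths grouped by the outcome they indicate. Globs are matched
# against the whole path with forward slashes; fnmatch's '*' crosses '/'.
SENSITIVE_PATTERNS: Dict[str, List[str]] = {
    "credential_access": [
        "*/.aws/credentials", "*/.aws/config",          # cloud credentials
        "*/.ssh/id_*",                                  # SSH private keys
        "*/Login Data", "*/logins.json",                # Chromium / Firefox logins
        "*/key3.db", "*/key4.db", "*/Cookies",          # Firefox key DBs, cookies
        "*/.netrc", "*/.kube/config",                   # assumption: extra stores
    ],
    "persistence": [
        "*/.bashrc", "*/.bash_profile", "*/.zshrc", "*/.zprofile", "*/.profile",
    ],
}

# Tuning choice: the public halves of SSH key pairs are not secrets.
EXCLUDED_PATTERNS = ["*.pub"]


def _normalise(path: str) -> str:
    """Use forward slashes so one set of globs covers Windows and POSIX paths."""
    return path.replace("\\", "/")


def process_name(executable: str) -> str:
    """Basename, lower-cased, without a Windows .exe suffix."""
    base = os.path.basename(_normalise(executable)).lower()
    return base[:-4] if base.endswith(".exe") else base


def classify_path(path: str) -> Optional[str]:
    """Return the category a sensitive path falls into, or None."""
    p = _normalise(path)
    if any(fnmatch.fnmatch(p, ex) for ex in EXCLUDED_PATTERNS):
        return None
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch.fnmatch(p, pat) for pat in patterns):
            return category
    return None


def detect(events: Iterable[dict]) -> List[dict]:
    """One alert per event in which a GenAI process touches a sensitive file.

    Reads of shell startup files are normal for any tool that spawns a shell,
    so the persistence category only fires on writes (a tuning choice).
    """
    alerts = []
    for ev in events:
        proc = process_name(ev.get("process", ""))
        if proc not in GENAI_PROCESSES:
            continue
        category = classify_path(ev.get("path", ""))
        if category is None:
            continue
        if category == "persistence" and ev.get("action") != "write":
            continue
        alerts.append({
            "host": ev.get("host"), "process": proc, "action": ev.get("action"),
            "path": ev.get("path"), "category": category,
        })
    return alerts


# Constructed file-access events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "dev-laptop", "process": "/usr/local/bin/claude", "action": "read",
     "path": "/home/dev/.aws/credentials"},
    {"host": "dev-laptop", "process": "ollama", "action": "read",
     "path": "/home/dev/.ssh/id_ed25519"},
    {"host": "dev-laptop", "process": "cursor", "action": "read",
     "path": "/home/dev/.ssh/id_ed25519.pub"},             # excluded: public key
    {"host": "dev-laptop", "process": "vim", "action": "write",
     "path": "/home/dev/.bashrc"},                          # not a GenAI process
    {"host": "dev-laptop", "process": "codex", "action": "read",
     "path": "/home/dev/.zshrc"},                           # read only: benign
    {"host": "dev-laptop", "process": "codex", "action": "write",
     "path": "/home/dev/.zshrc"},                           # persistence
    {"host": "dev-laptop", "process": "lmstudio", "action": "read",
     "path": "/home/dev/project/README.md"},
    {"host": "WIN-DEV", "process": "C:\\Program Files\\Copilot\\copilot.exe",
     "action": "read",
     "path": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

<p>Run against the constructed events, the detector raises four alerts (three credential-access, one persistence) and stays quiet on the public key, the editor writing <code>.bashrc</code>, and the agent merely reading <code>.zshrc</code>. Feed it real events by mapping your EDR or auditd fields onto the <code>process</code>, <code>action</code> and <code>path</code> keys.</p>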
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>genai</category><category>file-access</category><category>persistence</category></item><item><title>GenAI Process Connection to Unusual Domain on macOS</title><link>https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/</link><pubDate>Thu, 02 May 2024 14:22:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/</guid><description>This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.</description><content:encoded><![CDATA[<p>This threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule <code>9050506c-df6d-4bdf-bc82-fcad0ef1e8c1</code> focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Adversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.</li>
<li>The compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.</li>
<li>The GenAI process resolves the attacker&rsquo;s domain through the macOS resolver, which returns the IP address of the attacker&rsquo;s server.</li>
<li>The GenAI process opens a connection to that address using standard web protocols (HTTP/HTTPS), so the traffic looks like the tool&rsquo;s ordinary API calls.</li>
<li>The GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.</li>
<li>The attacker uses the C2 channel to send commands to the compromised GenAI tool.</li>
<li>The GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization&rsquo;s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;GenAI Process Connecting to Unusual Domain&rdquo; to your SIEM and tune its allowed-domain filter for your environment.</li>
<li>Enable process creation and network connection logging on macOS endpoints. The rule needs the originating process name and the destination hostname on each connection event, so firewall or flow logs without process context are not sufficient on their own.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process&rsquo;s behavior.</li>
<li>Block any domain confirmed as malicious at the DNS resolver or egress firewall, and search historical connection logs for other hosts that contacted it.</li>
<li>Review the GenAI tool&rsquo;s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.</li>
<li>Regularly update the list of allowed domains in the Sigma rule&rsquo;s filter to account for legitimate changes to GenAI tool infrastructure, and match on exact or parent-domain boundaries rather than substrings so that a vendor name embedded in an attacker-controlled hostname is not accidentally allowed.</li>
</ul>
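<p>The allowlist check behind this rule, as an added example that is not the Elastic or Sigma rule itself: Python that evaluates network connection events (process, destination domain, destination IP and port) against a parent-domain allowlist, skips loopback and private destinations such as a local <code>ollama</code> server, and flags both unlisted domains and direct connections to public IPs that carry no hostname. The allowlist entries, the event shape and the sample events are illustrative assumptions; replace the domains with those observed in your own telemetry.</p>

```python
"""Allowlist check for GenAI process network connections. Added example; not
the Elastic/Sigma rule. Allowlist, event shape and events are assumptions."""
import ipaddress
import json
from typing import Iterable, List, Optional

# Same process list as the file-access briefs; matched on the process name field.
GENAI_PROCESSES = {
    "ollama", "textgen", "lmstudio", "claude", "cursor", "copilot", "codex",
    "jan", "gpt4all", "gemini-cli", "genaiscript", "grok", "qwen", "koboldcpp",
    "llama-server", "windsurf", "zed", "opencode", "goose",
}

# Illustrative allowlist (assumption): vendor APIs, model registries, updates.
# An entry matches exactly or as a parent domain of the observed hostname.
ALLOWED_DOMAINS = {
    "api.anthropic.com", "api.openai.com", "generativelanguage.googleapis.com",
    "github.com", "githubusercontent.com", "huggingface.co",
    "ollama.com", "registry.ollama.ai", "lmstudio.ai",
}

# Destinations exempted as local model servers or LAN services. Listed
# explicitly because ipaddress.is_private/is_global also classify the
# documentation ranges (TEST-NET) used in the sample events as non-global.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def domain_allowed(domain: str, allowlist=ALLOWED_DOMAINS) -> bool:
    """Exact or parent-domain match on label boundaries.

    A substring or endswith() check would let 'api.openai.com.attacker.example'
    or 'notgithub.com' through; walking the label suffixes does not.
    """
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def is_local_destination(addr: Optional[str]) -> bool:
    """True for loopback, RFC 1918, link-local and their IPv6 equivalents."""
    if not addr:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETWORKS)


def detect_unusual(events: Iterable[dict]) -> List[dict]:
    """Alerts for GenAI processes reaching destinations outside the allowlist."""
    alerts = []
    for ev in events:
        proc = str(ev.get("process", "")).lower()
        if proc not in GENAI_PROCESSES:
            continue
        if is_local_destination(ev.get("dest_ip")):
            continue
        domain = ev.get("domain") or ""
        if not domain:
            reason = "direct_ip_no_hostname"   # no DNS name: likely hard-coded C2
        elif domain_allowed(domain):
            continue
        else:
            reason = "unlisted_domain"
        alerts.append({"host": ev.get("host"), "process": proc,
                       "domain": domain or None, "dest_ip": ev.get("dest_ip"),
                       "dest_port": ev.get("dest_port"), "reason": reason})
    return alerts


# Constructed events (reserved example hostnames, TEST-NET addresses); not real traffic.
SAMPLE_EVENTS = [
    {"host": "mac-01", "process": "claude", "domain": "api.anthropic.com",
     "dest_ip": "198.51.100.10", "dest_port": 443},            # allowed
    {"host": "mac-01", "process": "ollama", "domain": "",
     "dest_ip": "127.0.0.1", "dest_port": 11434},              # local model server
    {"host": "mac-01", "process": "cursor", "domain": "api.openai.com.attacker.example",
     "dest_ip": "203.0.113.7", "dest_port": 443},              # look-alike hostname
    {"host": "mac-01", "process": "lmstudio", "domain": "huggingface.co",
     "dest_ip": "198.51.100.20", "dest_port": 443},            # allowed
    {"host": "mac-01", "process": "goose", "domain": "",
     "dest_ip": "203.0.113.45", "dest_port": 8443},            # direct public IP
    {"host": "mac-01", "process": "codex", "domain": "files.example.net",
     "dest_ip": "203.0.113.99", "dest_port": 80},              # unlisted domain
    {"host": "mac-01", "process": "Safari", "domain": "files.example.net",
     "dest_ip": "203.0.113.99", "dest_port": 443},             # not a GenAI process
]

if __name__ == "__main__":
    for alert in detect_unusual(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

<p>On the constructed events the check raises three alerts (the look-alike hostname, the direct-IP beacon, and the unlisted domain) and ignores the vendor API call, the loopback connection to the local model server, and the browser. The label-suffix walk in <code>domain_allowed</code> is the part worth copying into a rule filter: it is what keeps <code>api.openai.com.attacker.example</code> from matching the <code>api.openai.com</code> entry.</p>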
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>genai</category><category>command and control</category><category>macos</category><category>network connection</category></item></channel></rss>