KQL · License: Elastic-2.0 · from elastic/detection-rules
Unusual Process Modifying GenAI Configuration File
Rule source: rules/cross-platform/defense_evasion_genai_config_modification.toml
event.category : "file" and event.action : ("modification" or "overwrite") and
file.path : (
*/.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or
*/.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or
*/.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or
*/.ollama/config* or */AppData/Local/Ollama/* or
*/.codex/* or */AppData/Roaming/Codex/* or
*/.gemini/* or */AppData/Roaming/gemini-cli/* or
*/.grok/* or */AppData/Roaming/Grok/* or
*/.windsurf/* or */AppData/Roaming/Windsurf/* or
*/.vscode/extensions/*mcp* or
*/.openclaw/* or */AppData/Roaming/OpenClaw/* or
*/.moltbot/* or */AppData/Roaming/Moltbot/* or
*/.config/openclaw/*
) and not (
file.extension : (lck or lock or log or png or marker or shm or wal or sqlite-shm or sqlite-wal or jsonl or journal or xcuserstate) or
file.name : .DS_Store or
file.path : (
*/.claude/cache/* or
*/.claude/statsig/* or
*/.claude/sessions/* or
*/.claude/shell-snapshots/* or
*/.gemini/antigravity-browser-profile/* or
*/.gemini/tmp/* or
*/.codex/log/* or
*/.codex/sessions/*
) or
(
file.path : */.config/github-copilot/* and
file.name : (apps.json or versions.json or copilot*nitrite.db)
)
)