heroui logo

GenAI CLI Started with Unsafe Permission Bypass

Elastic Detection Rules

View Source
Summary
Detects GenAI CLI processes started with permission-bypass or auto-approval modes that disable human-in-the-loop guardrails. The rule identifies commands and flags such as --dangerously-skip-permissions, --allow-dangerously-skip-permissions, --permission-mode=bypassPermissions, and similar sandbox/approval bypass options across GenAI tools (Claude, Codex, Gemini, Copilot, OpenAI Codex, etc). It correlates process name, executable paths, and command line arguments to detect potentially unsafe usage on networked endpoints, which can enable prompt injection, compromised dependencies, or autonomous agent behavior to modify files, exfiltrate data, or reach sensitive paths without explicit confirmation. The rule maps to MITRE ATT&CK T1562.001 (Disable or Modify Tools) under Defense Evasion, indicating defender-evading intent by weakening controls. It supports Linux, macOS, and Windows hosts and uses endpoint process events (logs-endpoint.events.process-*). Investigation steps include identifying the GenAI tool and bypass flags, determining if the session is legitimate (CI/CD or isolated sandbox) or a developer workstation, reviewing child processes for credential access or network activity, and checking GenAI configs and MCP servers. Remediation includes removing bypass flags, rotating credentials, auditing tool configs, and enforcing policies to disallow permission bypass on production endpoints.
Categories
  • Endpoint
  • Windows
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-06-24