Detection rules › Elastic
GenAI or MCP Server Child Process Execution
Detects child process execution from GenAI tools or MCP (Model Context Protocol) servers. Adversaries exploit AI agents to execute system commands, exfiltrate data, or establish persistence. MCP servers provide LLMs direct access to execute shell commands, read files, and interact with external services. This building block provides visibility into AI-initiated process execution for correlation with other suspicious activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059 Command and Scripting Interpreter |
MITRE ATLAS coverage
Adversarial-ML threat framework (not MITRE ATT&CK).
| Tactic | Techniques |
|---|---|
| Execution | AML.T0053 AI Agent Tool Invocation |
| Privilege Escalation | AML.T0053 AI Agent Tool Invocation |
Rule body elastic
[metadata]
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2026/04/21"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects child process execution from GenAI tools or MCP (Model Context Protocol) servers. Adversaries exploit AI agents
to execute system commands, exfiltrate data, or establish persistence. MCP servers provide LLMs direct access to execute
shell commands, read files, and interact with external services. This building block provides visibility into
AI-initiated process execution for correlation with other suspicious activity.
"""
from = "now-119m"
index = [
"logs-endpoint.events.process-*",
"logs-windows.sysmon_operational-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "GenAI or MCP Server Child Process Execution"
risk_score = 21
rule_id = "b2c3d4e5-f6a7-8901-bcde-f23456789012"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender XDR",
"Data Source: SentinelOne",
"Rule Type: BBR",
"Domain: LLM",
"Mitre Atlas: T0053",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start"
and (
// GenAI clients
process.parent.name in (
"Cursor", "Cursor.exe", "cursor",
"Cursor Helper", "Cursor Helper (Plugin)", "Cursor Helper (GPU)", "Cursor Helper (Renderer)",
"Claude", "Claude.exe", "claude",
"Claude Helper", "Claude Helper (Plugin)", "Claude Helper (GPU)", "Claude Helper (Renderer)",
"Windsurf", "Windsurf.exe", "windsurf",
"Windsurf Helper", "Windsurf Helper (Plugin)", "Windsurf Helper (GPU)", "Windsurf Helper (Renderer)",
"Code", "Code.exe", "code",
"Code Helper", "Code Helper (Plugin)", "Code Helper (GPU)", "Code Helper (Renderer)",
"codex", "codex.exe",
"Copilot", "Copilot.exe", "copilot",
"Jan", "Jan.exe", "jan",
"Jan Helper", "Jan Helper (Plugin)", "Jan Helper (GPU)", "Jan Helper (Renderer)",
"LM Studio", "LM Studio.exe", "lmstudio",
"Ollama", "Ollama.exe", "ollama",
"GPT4All", "gpt4all", "gpt4all.exe",
"textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
"gemini-cli.exe", "gemini-cli",
"genaiscript.exe", "genaiscript",
"grok.exe", "grok",
"qwen.exe", "qwen",
"koboldcpp.exe", "koboldcpp", "KoboldCpp",
"llama-server", "llama-cli",
"OpenClaw", "openclaw", "openclaw.exe",
"Moltbot", "moltbot", "moltbot.exe",
"Clawdbot", "clawdbot", "clawdbot.exe"
) or
// OpenClaw/Moltbot/Clawdbot via Node.js
(process.parent.name in ("node", "node.exe") and
process.parent.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*")) or
// Package managers running MCP servers
(process.parent.name in ("npx", "npx.exe", "pnpm", "pnpm.exe", "yarn", "yarn.exe", "bunx", "bunx.exe") and
process.parent.command_line like~ ("*@modelcontextprotocol/*", "*mcp-server-*", "*mcp_server*")) or
// Node/Deno/Bun running MCP servers
(process.parent.name in ("node", "node.exe", "deno", "deno.exe", "bun", "bun.exe") and
process.parent.command_line like~ ("*@modelcontextprotocol/*", "*mcp-server-*", "*mcp_server*")) or
// Python MCP servers
(process.parent.name like~ "python*" and
process.parent.command_line like~ ("*-m mcp_server*", "*mcp-server-*", "*mcp_server*")) or
// MCP server binaries
process.parent.name like~ ("mcp-server*", "*-mcp-server", "*_mcp_server*") or
process.parent.name in ("mcp-server", "mcp-server-elastic-cloud", "github-mcp-server")
)
and process.name != null
// Exclusions
and not (
// Runtime self-spawns
(process.parent.name in ("node", "node.exe") and process.name in ("node", "node.exe")) or
(process.parent.name like~ "python*" and process.name like~ "python*") or
(process.parent.name in ("deno", "deno.exe") and process.name in ("deno", "deno.exe")) or
(process.parent.name in ("bun", "bun.exe") and process.name in ("bun", "bun.exe")) or
// Helper process self-spawns
(process.parent.name == "Cursor" and process.name like~ "Cursor Helper*") or
(process.parent.name == "Claude" and process.name like~ "Claude Helper*") or
(process.parent.name == "Windsurf" and process.name like~ "Windsurf Helper*") or
(process.parent.name == "Code" and process.name like~ "Code Helper*") or
(process.parent.name == "Jan" and process.name like~ "Jan Helper*") or
(process.parent.name == "LM Studio" and process.name like~ "LM Studio Helper*") or
(process.parent.name == "Ollama" and process.name like~ "Ollama Helper*") or
// docker
(process.name in ("docker", "docker.exe") and process.args == "context" and process.args == "ls") or
// neighbor / arp / ps / which (args tokens or full /bin/sh -c)
(
process.args in (
"ip neigh show",
"arp -a -n -l",
"ip neighbor show dev wlan0",
"ip neighbor show dev eth0",
"arp -a | findstr /C:---"
) or
process.command_line in (
"/bin/sh -c ip neigh show",
"/bin/sh -c arp -a -n -l",
"/bin/sh -c /bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=",
"/bin/sh -c which ps"
)
) or
// git
(process.name in ("git", "git.exe") and (
(process.args == "remote" and process.args == "get-url" and process.args == "origin") or
(process.args == "symbolic-ref" and process.args == "refs/remotes/origin/HEAD" and process.args == "--short") or
(process.args == "rev-parse" and process.args == "--abbrev-ref" and process.args == "HEAD") or
(process.args == "status" and process.args == "-z" and process.args == "-uall") or
(process.args == "config" and process.args == "--get" and process.args == "commit.template") or
(process.args == "config" and process.args == "user.email") or
(process.args == "rev-parse" and process.args == "--show-toplevel")
)) or
// version / help
process.args in ("--version", "--help", "-v", "-h", "-V", "version", "help")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Stages and Predicates
Stage 1: process
process where event.type == "start"
and (
process.parent.name in (
"Cursor", "Cursor.exe", "cursor",
"Cursor Helper", "Cursor Helper (Plugin)", "Cursor Helper (GPU)", "Cursor Helper (Renderer)",
"Claude", "Claude.exe", "claude",
"Claude Helper", "Claude Helper (Plugin)", "Claude Helper (GPU)", "Claude Helper (Renderer)",
"Windsurf", "Windsurf.exe", "windsurf",
"Windsurf Helper", "Windsurf Helper (Plugin)", "Windsurf Helper (GPU)", "Windsurf Helper (Renderer)",
"Code", "Code.exe", "code",
"Code Helper", "Code Helper (Plugin)", "Code Helper (GPU)", "Code Helper (Renderer)",
"codex", "codex.exe",
"Copilot", "Copilot.exe", "copilot",
"Jan", "Jan.exe", "jan",
"Jan Helper", "Jan Helper (Plugin)", "Jan Helper (GPU)", "Jan Helper (Renderer)",
"LM Studio", "LM Studio.exe", "lmstudio",
"Ollama", "Ollama.exe", "ollama",
"GPT4All", "gpt4all", "gpt4all.exe",
"textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
"gemini-cli.exe", "gemini-cli",
"genaiscript.exe", "genaiscript",
"grok.exe", "grok",
"qwen.exe", "qwen",
"koboldcpp.exe", "koboldcpp", "KoboldCpp",
"llama-server", "llama-cli",
"OpenClaw", "openclaw", "openclaw.exe",
"Moltbot", "moltbot", "moltbot.exe",
"Clawdbot", "clawdbot", "clawdbot.exe"
) or
(process.parent.name in ("node", "node.exe") and
process.parent.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*")) or
(process.parent.name in ("npx", "npx.exe", "pnpm", "pnpm.exe", "yarn", "yarn.exe", "bunx", "bunx.exe") and
process.parent.command_line like~ ("*@modelcontextprotocol/*", "*mcp-server-*", "*mcp_server*")) or
(process.parent.name in ("node", "node.exe", "deno", "deno.exe", "bun", "bun.exe") and
process.parent.command_line like~ ("*@modelcontextprotocol/*", "*mcp-server-*", "*mcp_server*")) or
(process.parent.name like~ "python*" and
process.parent.command_line like~ ("*-m mcp_server*", "*mcp-server-*", "*mcp_server*")) or
process.parent.name like~ ("mcp-server*", "*-mcp-server", "*_mcp_server*") or
process.parent.name in ("mcp-server", "mcp-server-elastic-cloud", "github-mcp-server")
)
and process.name != null
and not (
(process.parent.name in ("node", "node.exe") and process.name in ("node", "node.exe")) or
(process.parent.name like~ "python*" and process.name like~ "python*") or
(process.parent.name in ("deno", "deno.exe") and process.name in ("deno", "deno.exe")) or
(process.parent.name in ("bun", "bun.exe") and process.name in ("bun", "bun.exe")) or
(process.parent.name == "Cursor" and process.name like~ "Cursor Helper*") or
(process.parent.name == "Claude" and process.name like~ "Claude Helper*") or
(process.parent.name == "Windsurf" and process.name like~ "Windsurf Helper*") or
(process.parent.name == "Code" and process.name like~ "Code Helper*") or
(process.parent.name == "Jan" and process.name like~ "Jan Helper*") or
(process.parent.name == "LM Studio" and process.name like~ "LM Studio Helper*") or
(process.parent.name == "Ollama" and process.name like~ "Ollama Helper*") or
(process.name in ("docker", "docker.exe") and process.args == "context" and process.args == "ls") or
(
process.args in (
"ip neigh show",
"arp -a -n -l",
"ip neighbor show dev wlan0",
"ip neighbor show dev eth0",
"arp -a | findstr /C:---"
) or
process.command_line in (
"/bin/sh -c ip neigh show",
"/bin/sh -c arp -a -n -l",
"/bin/sh -c /bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=",
"/bin/sh -c which ps"
)
) or
(process.name in ("git", "git.exe") and (
(process.args == "remote" and process.args == "get-url" and process.args == "origin") or
(process.args == "symbolic-ref" and process.args == "refs/remotes/origin/HEAD" and process.args == "--short") or
(process.args == "rev-parse" and process.args == "--abbrev-ref" and process.args == "HEAD") or
(process.args == "status" and process.args == "-z" and process.args == "-uall") or
(process.args == "config" and process.args == "--get" and process.args == "commit.template") or
(process.args == "config" and process.args == "user.email") or
(process.args == "rev-parse" and process.args == "--show-toplevel")
)) or
process.args in ("--version", "--help", "-v", "-h", "-V", "version", "help")
)
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
process.args | eq | --abbrev-ref |
process.args | eq | HEAD |
process.args | eq | rev-parse |
process.args | eq | --get |
process.args | eq | commit.template |
process.args | eq | config |
process.args | eq | --short |
process.args | eq | refs/remotes/origin/HEAD |
process.args | eq | symbolic-ref |
process.args | eq | --show-toplevel |
process.args | eq | rev-parse |
process.args | eq | -uall |
process.args | eq | -z |
process.args | eq | status |
process.args | eq | config |
process.args | eq | user.email |
process.args | eq | get-url |
process.args | eq | origin |
process.args | eq | remote |
process.name | in | git, git.exe |
process.args | eq | context |
process.args | eq | ls |
process.name | in | docker, docker.exe |
process.name | in | bun, bun.exe |
process.parent.name | in | bun, bun.exe |
process.name | in | deno, deno.exe |
process.parent.name | in | deno, deno.exe |
process.name | in | node, node.exe |
process.parent.name | in | node, node.exe |
process.name | starts_with | Claude Helper |
process.parent.name | eq | Claude |
process.name | starts_with | Code Helper |
process.parent.name | eq | Code |
process.name | starts_with | Cursor Helper |
process.parent.name | eq | Cursor |
process.name | starts_with | Jan Helper |
process.parent.name | eq | Jan |
process.name | starts_with | LM Studio Helper |
process.parent.name | eq | LM Studio |
process.name | starts_with | Ollama Helper |
process.parent.name | eq | Ollama |
process.name | starts_with | Windsurf Helper |
process.parent.name | eq | Windsurf |
process.name | starts_with | python |
process.parent.name | starts_with | python |
process.args | in | --help, --version, -h, -v, help, version |
process.args | in | arp -a -n -l, arp -a | findstr /C:---, ip neigh show, ip neighbor show dev eth0, ip neighbor show dev wlan0 |
process.command_line | in | /bin/sh -c /bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=, /bin/sh -c arp -a -n -l, /bin/sh -c ip neigh show, /bin/sh -c which ps |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.type | eq |
|
process.name | is_not_null | |
process.parent.command_line | wildcard |
|
process.parent.name | in |
|
process.parent.name | wildcard |
|