Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://redcanary.com/blog/threat-detection/ai-cli-tools/
  • Blog Title: Commanding attention: How adversaries are abusing AI CLI tools
  • Suggested Section: Generic Methodologies & Resources -> Phishing Methodology -> AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Warp)

🎯 Content Summary

Focus
The post documents how adversaries can repurpose local AI command‑line tools (AI CLIs) such as Claude Code, Gemini CLI, Warp, and OpenAI Codex into agentic malware to read/write local files, harvest credentials, and automate reconnaissance and destructive actions. It explains how these tools work, what telemetry they generate, concrete attacker tasking patterns, and how to detect abuse.

How AI CLIs work (mechanics)
• Most AI CLIs run locally (often on Node/Ty...

🔧 Technical Details

Prompt‑driven credential and secrets inventory via AI CLIs. If an AI CLI can read/write files and run shell commands, a single prompt can task it to recursively scan $HOME and app/crypto‑wallet directories, skip /proc, /sys, /dev, avoid sudo, cap recursion depth, match id_rsa, *.key, keystore.json, .env, and browser storage, then summarize to /tmp/inventory.txt (with backup if present) for later exfiltration.


Capability extension via MCP (STDIO/HTTP). Register an MCP tool that wraps local/remote actions. Over STDIO, the client typically spawns a helper chain like node → uv → python to perform file operations. Over HTTP, the client makes outbound TCP (e.g., port 8000) to a remote MCP server that executes tasks (e.g., file writes). This allows stealthy lateral capability growth without granting the model direct shell on...

🤖 Agent Actions

I analyzed the repo and relevant sections, confirmed there was no existing page about abusing local AI CLI tools (Claude Code, Gemini CLI, Warp) and MCP from a phishing/adversary-ops perspective, and implemented the following updates:

What I added

  • New page under Phishing Methodology:
    • src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md
    • Content covers:
      • How local AI CLIs operate (built-in shell/filesystem/network tools, MCP support via STDIO/HTTP, non-deterministic tool planning)
      • Concrete attacker tasking for secrets/credential inventory (prompt pattern, targets, output handling)
      • Capability extension via MCP with observable chains (node → uv → python → file_write; MCP over HTTP and visibility gaps)
      • Local forensic artifacts and logs (Gemini CLI and Claude Code paths/fields) and cross-correlation with LLM gateway logs (LiteLLM) for model-tamper detection
      • Endpoint telemetry patterns and detection heuristics with concise pseudo rules
      • Blue-team repro notes
      • References section including the Red Canary blog and MCP/LiteLLM docs

Internal links (cross-references)

  • Linked the new page from:
    • Phishing Methodology README (added a “See also” next to the existing agent-mode abuse link)
    • The agent-mode abuse page (added a “See also” to this new local CLI/MCP abuse page)
    • AI/AI-MCP-Servers.md (added “See also” pointing to operational abuse/detection content for MCP clients)

Files created/modified

  • Created:
    • src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md
  • Modified:
    • src/generic-methodologies-and-resources/phishing-methodology/README.md
    • src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md
    • src/AI/AI-MCP-Servers.md

Rationale

  • This is a distinct, technical adversary technique (prompt-driven credential inventory, capability extension via MCP, and model tamper detection using CLI/gateway logs) not yet covered in HackTricks.
  • The Phishing Methodology section already contains a closely related “AI Agent Mode” page, so placing this page alongside it makes discovery and navigation straightforward.
  • Cross-linking from MCP-Servers adds discoverability from the AI/MCP area to the operational abuse content.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
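The technical details above describe three observable patterns: a shell spawned by an AI CLI that enumerates secret-bearing files, the MCP STDIO helper chain node → uv → python, and outbound TCP (e.g., port 8000) from the CLI process to an HTTP MCP server. The following detection sketch is an added example and is not code from the PR, the HackTricks page, or the Red Canary post; the process-event schema (pid, ppid, image, cmdline, dports) and the sample events are constructed for the demo.

```python
"""Detection heuristics for AI-CLI abuse patterns over constructed process events.
Added example; the event schema and samples are assumptions, not real telemetry."""
import re

AI_CLI = re.compile(r"claude|gemini|codex|warp", re.I)   # AI CLI front-ends
SHELLS = {"bash", "sh", "zsh", "cmd.exe", "powershell.exe"}
SECRET_PATHS = re.compile(r"id_rsa|\.env\b|keystore\.json|\.key\b|/\.ssh/", re.I)
MCP_PORTS = {8000}  # port named in the post for MCP over HTTP


def classify(events):
    """Return (rule, pid, evidence) tuples for processes under an AI CLI."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # walk the ancestry (nearest parent first) to build the image chain
        chain = []
        p = e["ppid"]
        while p in by_pid:
            chain.append(by_pid[p])
            p = by_pid[p]["ppid"]
        # only processes that are, or descend from, an AI CLI are in scope
        if not any(AI_CLI.search(x["cmdline"]) for x in chain + [e]):
            continue
        images = [x["image"] for x in reversed(chain)] + [e["image"]]
        if e["image"] in SHELLS and SECRET_PATHS.search(e["cmdline"]):
            findings.append(("secrets_inventory", e["pid"], e["cmdline"]))
        if images[-3:] == ["node", "uv", "python"]:
            findings.append(("mcp_stdio_helper_chain", e["pid"], " -> ".join(images)))
        for dport in e.get("dports", []):
            if dport in MCP_PORTS:
                findings.append(("mcp_http_egress", e["pid"], f"tcp/{dport}"))
    return findings


# constructed sample: a user shell, an AI CLI under it, and its children
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": "zsh", "cmdline": "zsh", "dports": []},
    {"pid": 101, "ppid": 100, "image": "node",
     "cmdline": "node /usr/local/bin/claude", "dports": [8000]},
    {"pid": 102, "ppid": 101, "image": "bash",
     "cmdline": "bash -c find $HOME -maxdepth 4 -name id_rsa -o -name .env", "dports": []},
    {"pid": 103, "ppid": 101, "image": "uv", "cmdline": "uv run mcp_server.py", "dports": []},
    {"pid": 104, "ppid": 103, "image": "python", "cmdline": "python mcp_server.py", "dports": []},
    # interactive user reading a public key outside the AI CLI: not flagged
    {"pid": 105, "ppid": 100, "image": "bash", "cmdline": "bash -c cat ~/.ssh/id_rsa.pub", "dports": []},
]

if __name__ == "__main__":
    for rule, pid, evidence in classify(SAMPLE):
        print(f"{rule:24} pid={pid} {evidence}")
```

Run as-is it reports the egress on pid 101, the inventory shell on pid 102 and the helper chain ending at pid 104, while the user's own shell on pid 105 is ignored because no AI CLI is in its ancestry.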

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://redcanary.com/blog/threat-detection/ai-cli-tools/

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Phishing Methodology -> AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Warp)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit f847338 into master Oct 16, 2025
@carlospolop carlospolop deleted the update_Commanding_attention__How_adversaries_are_abusing__20251015_183101 branch October 16, 2025 09:11