From 463f225a94282a30b031938de837f516aebd49c0 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 15 Oct 2025 18:33:52 +0000 Subject: [PATCH] Add content from: Commanding attention: How adversaries are abusing AI CLI too... --- src/AI/AI-MCP-Servers.md | 6 + src/SUMMARY.md | 1 + .../phishing-methodology/README.md | 6 + ...-agent-abuse-local-ai-cli-tools-and-mcp.md | 136 ++++++++++++++++++ ...-phishing-abusing-hosted-agent-browsers.md | 6 + 5 files changed, 155 insertions(+) create mode 100644 src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md diff --git a/src/AI/AI-MCP-Servers.md b/src/AI/AI-MCP-Servers.md index 2b19386e7f6..baec4ba21f8 100644 --- a/src/AI/AI-MCP-Servers.md +++ b/src/AI/AI-MCP-Servers.md @@ -153,6 +153,12 @@ The payload can be anything the current OS user can run, e.g. a reverse-shell ba * For legacy versions you can detect suspicious diffs with Git hooks or a security agent watching `.cursor/` paths. * Consider signing MCP configurations or storing them outside the repository so they cannot be altered by untrusted contributors. +See also – operational abuse and detection of local AI CLI/MCP clients: + +{{#ref}} +../generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md +{{#endref}} + ## References - [CVE-2025-54136 – MCPoison Cursor IDE persistent RCE](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 66ac10a1a34..d3bc9bd7550 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -29,6 +29,7 @@ - [Enable Nexmon Monitor And Injection On Android](generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md) - [Evil Twin EAP-TLS](generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md) - [Phishing Methodology](generic-methodologies-and-resources/phishing-methodology/README.md) + - [Ai Agent Abuse Local Ai Cli Tools And Mcp](generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md) - [Ai Agent Mode Phishing Abusing Hosted Agent Browsers](generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md) - [Clipboard Hijacking](generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md) - [Clone a Website](generic-methodologies-and-resources/phishing-methodology/clone-a-website.md) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index 8ac7ef51e7f..5aef3874ba4 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -548,6 +548,12 @@ See also – agentic browsing abuse for credential phishing: ai-agent-mode-phishing-abusing-hosted-agent-browsers.md {{#endref}} +See also – AI agent abuse of local CLI tools and MCP (for secrets inventory and detection): + +{{#ref}} +ai-agent-abuse-local-ai-cli-tools-and-mcp.md +{{#endref}} + --- ## MFA Fatigue / Push Bombing Variant – Forced Reset diff --git a/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md b/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md new file mode 100644 index 00000000000..5efecd80356 --- /dev/null +++ b/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md @@ -0,0 +1,136 @@ +# AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Warp) + +{{#include ../../banners/hacktricks-training.md}} + +## Overview + +Local AI command-line interfaces (AI CLIs) such as Claude Code, Gemini CLI, Warp and similar tools often ship with powerful built‑ins: filesystem read/write, shell execution and outbound network access. Many act as MCP clients (Model Context Protocol), letting the model call external tools over STDIO or HTTP. Because the LLM plans tool-chains non‑deterministically, identical prompts can lead to different process, file and network behaviours across runs and hosts. + +Key mechanics seen in common AI CLIs: +- Typically implemented in Node/TypeScript with a thin wrapper launching the model and exposing tools. +- Multiple modes: interactive chat, plan/execute, and single‑prompt run. +- MCP client support with STDIO and HTTP transports, enabling both local and remote capability extension. + +Abuse impact: A single prompt can inventory and exfiltrate credentials, modify local files, and silently extend capability by connecting to remote MCP servers (visibility gap if those servers are third‑party). + +--- + +## Adversary Playbook – Prompt‑Driven Secrets Inventory + +Task the agent to quickly triage and stage credentials/secrets for exfiltration while staying quiet: + +- Scope: recursively enumerate under $HOME and application/wallet dirs; avoid noisy/pseudo paths (`/proc`, `/sys`, `/dev`). +- Performance/stealth: cap recursion depth; avoid `sudo`/priv‑escalation; summarise results. +- Targets: `~/.ssh`, `~/.aws`, cloud CLI creds, `.env`, `*.key`, `id_rsa`, `keystore.json`, browser storage (LocalStorage/IndexedDB profiles), crypto‑wallet data. +- Output: write a concise list to `/tmp/inventory.txt`; if the file exists, create a timestamped backup before overwrite. + +Example operator prompt to an AI CLI: + +``` +You can read/write local files and run shell commands. +Recursively scan my $HOME and common app/wallet dirs to find potential secrets. +Skip /proc, /sys, /dev; do not use sudo; limit recursion depth to 3. +Match files/dirs like: id_rsa, *.key, keystore.json, .env, ~/.ssh, ~/.aws, +Chrome/Firefox/Brave profile storage (LocalStorage/IndexedDB) and any cloud creds. +Summarize full paths you find into /tmp/inventory.txt. +If /tmp/inventory.txt already exists, back it up to /tmp/inventory.txt.bak- first. +Return a short summary only; no file contents. +``` + +--- + +## Capability Extension via MCP (STDIO and HTTP) + +AI CLIs frequently act as MCP clients to reach additional tools: + +- STDIO transport (local tools): the client spawns a helper chain to run a tool server. Typical lineage: `node → → uv → python → file_write`. Example observed: `uv run --with fastmcp fastmcp run ./server.py` which starts `python3.13` and performs local file operations on the agent’s behalf. +- HTTP transport (remote tools): the client opens outbound TCP (e.g., port 8000) to a remote MCP server, which executes the requested action (e.g., write `/home/user/demo_http`). On the endpoint you’ll only see the client’s network activity; server‑side file touches occur off‑host. + +Notes: +- MCP tools are described to the model and may be auto‑selected by planning. Behaviour varies between runs. +- Remote MCP servers increase blast radius and reduce host‑side visibility. + +--- + +## Local Artifacts and Logs (Forensics) + +- Gemini CLI session logs: `~/.gemini/tmp//logs.json` + - Fields commonly seen: `sessionId`, `type`, `message`, `timestamp`. + - Example `message`: `"@.bashrc what is in this file?"` (user/agent intent captured). +- Claude Code history: `~/.claude/history.jsonl` + - JSONL entries with fields like `display`, `timestamp`, `project`. + +Correlate these local logs with requests observed at your LLM gateway/proxy (e.g., LiteLLM) to detect tampering/model‑hijacking: if what the model processed deviates from the local prompt/output, investigate injected instructions or compromised tool descriptors. + +--- + +## Endpoint Telemetry Patterns + +Representative chains on Amazon Linux 2023 with Node v22.19.0 and Python 3.13: + +1) Built‑in tools (local file access) +- Parent: `node .../bin/claude --model ` (or equivalent for the CLI) +- Immediate child action: create/modify a local file (e.g., `demo-claude`). Tie the file event back via parent→child lineage. + +2) MCP over STDIO (local tool server) +- Chain: `node → uv → python → file_write` +- Example spawn: `uv run --with fastmcp fastmcp run /home/ssm-user/tools/server.py` + +3) MCP over HTTP (remote tool server) +- Client: `node/` opens outbound TCP to `remote_port: 8000` (or similar) +- Server: remote Python process handles the request and writes `/home/ssm-user/demo_http`. + +Because agent decisions differ by run, expect variability in exact processes and touched paths. + +--- + +## Detection Strategy + +Telemetry sources +- Linux EDR using eBPF/auditd for process, file and network events. +- Local AI‑CLI logs for prompt/intent visibility. +- LLM gateway logs (e.g., LiteLLM) for cross‑validation and model‑tamper detection. + +Hunting heuristics +- Link sensitive file touches back to an AI‑CLI parent chain (e.g., `node → → uv/python`). +- Alert on access/reads/writes under: `~/.ssh`, `~/.aws`, browser profile storage, cloud CLI creds, `/etc/passwd`. +- Flag unexpected outbound connections from the AI‑CLI process to unapproved MCP endpoints (HTTP/SSE, ports like 8000). +- Correlate local `~/.gemini`/`~/.claude` artifacts with LLM gateway prompts/outputs; divergence indicates possible hijacking. + +Example pseudo‑rules (adapt to your EDR): + +```yaml +- when: file_write AND path IN ["$HOME/.ssh/*","$HOME/.aws/*","/etc/passwd"] + and ancestor_chain CONTAINS ["node", "claude|gemini|warp", "python|uv"] + then: alert("AI-CLI secrets touch via tool chain") + +- when: outbound_tcp FROM process_name =~ "node|python" AND parent =~ "claude|gemini|warp" + and dest_port IN [8000, 3333, 8787] + then: tag("possible MCP over HTTP") +``` + +Hardening ideas +- Require explicit user approval for file/system tools; log and surface tool plans. +- Constrain network egress for AI‑CLI processes to approved MCP servers. +- Ship/ingest local AI‑CLI logs and LLM gateway logs for consistent, tamper‑resistant auditing. + +--- + +## Blue‑Team Repro Notes + +Use a clean VM with an EDR or eBPF tracer to reproduce chains like: +- `node → claude --model claude-sonnet-4-20250514` then immediate local file write. +- `node → uv run --with fastmcp ... → python3.13` writing under `$HOME`. +- `node/` establishing TCP to an external MCP server (port 8000) while a remote Python process writes a file. + +Validate that your detections tie the file/network events back to the initiating AI‑CLI parent to avoid false positives. + +--- + +## References + +- [Commanding attention: How adversaries are abusing AI CLI tools (Red Canary)](https://redcanary.com/blog/threat-detection/ai-cli-tools/) +- [Model Context Protocol (MCP)](https://modelcontextprotocol.io) +- [LiteLLM – LLM Gateway/Proxy](https://docs.litellm.ai) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md b/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md index 0bbc53c8e0f..7e7d34d00e8 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/ai-agent-mode-phishing-abusing-hosted-agent-browsers.md @@ -42,6 +42,12 @@ Notes: - General MFA phishing via reverse proxies (Evilginx, etc.) is still effective but requires inline MitM. Agent-mode abuse shifts the flow to a trusted assistant UI and a remote browser that many controls ignore. - Clipboard/pastejacking (ClickFix) and mobile phishing also deliver credential theft without obvious attachments or executables. +See also – local AI CLI/MCP abuse and detection: + +{{#ref}} +ai-agent-abuse-local-ai-cli-tools-and-mcp.md +{{#endref}} + ## References - [Double agents: How adversaries can abuse “agent mode” in commercial AI products (Red Canary)](https://redcanary.com/blog/threat-detection/ai-agent-mode/)