From 62d83b1603709777761f6a1a75698abf63c3917d Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Thu, 12 Mar 2026 17:02:50 +0100
Subject: [PATCH 1/2] quietvault
---
...d_ai_cli_permission_override_activated.yml | 55 +++++++++++++++++++
..._unix_shell_configuration_modification.yml | 5 +-
.../linux_auditd_whoami_user_discovery.yml | 5 +-
stories/quietvault.yml | 18 ++++++
4 files changed, 79 insertions(+), 4 deletions(-)
create mode 100644 detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
create mode 100644 stories/quietvault.yml
diff --git a/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
new file mode 100644
index 0000000000..3199bde2b4
--- /dev/null
+++ b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
@@ -0,0 +1,55 @@
+name: Linux Auditd AI CLI Permission Override Activated
+id: 737e8baa-d44e-4fa9-8281-24056ed424c0
+version: 1
+date: '2026-03-12'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals. For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user. These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation. Detecting their use is important to prevent unintended or potentially harmful operations.
+data_source:
+ - Linux Auditd Proctitle
+search: |-
+ `linux_auditd` (proctitle = "*gemini*" AND proctitle IN ("*--yolo*", "*-y *")) OR
+ (proctitle = "*claude*" AND proctitle= "*--dangerously-skip-permissions*")
+ | rename host as dest
+ | stats count min(_time) as firstTime max(_time) as lastTime
+ BY proctitle dest
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)` | `linux_auditd_ai_cli_permission_override_activated_filter`
+how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling.
This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
+known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
+references:
+ - https://x.com/Mandiant/status/2031097693620081042?s=20
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A [$proctitle$] event occurred on host - [$dest$] to bypassed ai safety execution with permission override.
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects: []
+tags:
+ analytic_story:
+ - QuietVault
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1480
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1480/ai_cli_override/gemini_yolo.log
+ source: auditd
+ sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index a7beb89b06..3e08a60fa8 100644
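Review bot: The `"*-y *"` term in the gemini branch of `search` needs a character after the flag, so a command line that ends in `-y` is not matched, while any proctitle that merely contains `gemini` and `-y ` somewhere (a package-manager install naming a gemini package, for instance) is counted. Anchoring on the argument boundary and covering the long forms would tighten both sides, e.g. `proctitle IN ("*--yolo*", "* -y", "* -y *", "*--approval-mode*yolo*")` and, for the claude branch, an additional `"*--permission-mode*bypassPermissions*"`; both long forms should be confirmed against the CLI versions in scope. auditd caps the PROCTITLE record at 128 bytes, so a flag that follows a long prompt argument can fall outside the field, and it is worth checking whether the EXECVE records named in `how_to_implement` would be a more reliable source. The only test dataset is `gemini_yolo.log`, so the claude branch is currently unverified.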
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml +++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -1,7 +1,7 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-03-12' author: Teoderick Contreras, Splunk status: production type: TTP @@ -85,6 +85,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host + - QuietVault asset_type: Endpoint mitre_attack_id: - T1546.004 diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 9229a090dc..963a6525f0 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-12' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,6 +45,7 @@ tags: - Linux Privilege Escalation - Linux Persistence Techniques - Compromised Linux Host + - QuietVault asset_type: Endpoint mitre_attack_id: - T1033 diff --git a/stories/quietvault.yml b/stories/quietvault.yml new file mode 100644 index 0000000000..4c84c068a4 --- /dev/null +++ b/stories/quietvault.yml 
@@ -0,0 +1,18 @@
+name: QuietVault
+id: abe8a796-76dd-47df-b525-e2024213560b
+version: 1
+date: '2026-03-12'
+author: Teoderick Contreras, Splunk
+status: production
+description: QUIETVAULT is a JavaScript‑based credential‑stealing malware identified by Google’s Threat Intelligence Group that targets GitHub and npm tokens by exfiltrating them to a publicly accessible GitHub repository. In addition to stealing these credentials, QUIETVAULT leverages on‑host installed AI CLI tools and crafted AI prompts to search the infected system for other sensitive secrets, which it then also exfiltrates. This reflects a broader trend of threat actors integrating AI‑driven tooling into malware to enhance automated discovery and data theft in real‑world operations, signaling a shift toward more adaptable and intelligent malicious software.
+narrative: In recent threat intelligence reporting, security researchers uncovered a new AI‑assisted malware strain called QUIETVAULT that quietly infiltrates systems to steal valuable credentials. Once inside, it not only captures GitHub and npm tokens but also uses local AI command‑line tools with crafted prompts to hunt for other secrets stored on the machine and upload them to a public repository. This demonstrates how attackers are adapting artificial intelligence into their tools to automate deeper data harvesting and expand their reach, increasing the risk and complexity of modern cybercrime.
+references:
+ - https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools?linkId=60744249
+tags:
+ category:
+ - Malware
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
From 80dd174db1ffc3f6951c5300141cf1226d027880 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Fri, 13 Mar 2026 18:09:03 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali
---
...nux_auditd_ai_cli_permission_override_activated.yml | 10 +++++++---
...ux_auditd_unix_shell_configuration_modification.yml | 2 +-
.../endpoint/linux_auditd_whoami_user_discovery.yml | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
index 3199bde2b4..56612d3075 100644
--- a/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
+++ b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
@@ -5,7 +5,11 @@ date: '2026-03-12' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals. For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user. These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation. Detecting their use is important to prevent unintended or potentially harmful operations. +description: | + This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals. + For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user. + These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation. + Detecting their use is important to prevent unintended or potentially harmful operations. data_source: - Linux Auditd Proctitle search: |- 
@@ -17,7 +21,7 @@ search: |- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_auditd_ai_cli_permission_override_activated_filter` how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consist SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed -known_false_positives: Administrator or network operator can execute this command. Please update the filter macros to remove false positives. +known_false_positives: An administrator or network operator might execute this command legitimately. Please apply the necessary filters to tune that activity. references: - https://x.com/Mandiant/status/2031097693620081042?s=20 drilldown_searches: @@ -30,7 +34,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A [$proctitle$] event occurred on host - [$dest$] to bypassed ai safety execution with permission override. + message: A [$proctitle$] event occurred on host - [$dest$] to bypass AI safety execution with permission override. risk_objects: - field: dest type: system diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml index 3e08a60fa8..41b4408c51 100644 --- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml 
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml @@ -1,6 +1,6 @@ name: Linux Auditd Unix Shell Configuration Modification id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04 -version: 10 +version: 9 date: '2026-03-12' author: Teoderick Contreras, Splunk status: production diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml index 963a6525f0..e3ce06cf4d 100644 --- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml +++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml @@ -1,6 +1,6 @@ name: Linux Auditd Whoami User Discovery id: d1ff2e22-310d-446a-80b3-faedaa7b3b52 -version: 8 +version: 7 date: '2026-03-12' author: Teoderick Contreras, Splunk status: production