|
| 1 | +# AI Agent Abuse: Local AI CLI Tools & MCP (Claude/Gemini/Warp) |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +Local AI command-line interfaces (AI CLIs) such as Claude Code, Gemini CLI, Warp and similar tools often ship with powerful built‑ins: filesystem read/write, shell execution and outbound network access. Many act as MCP clients (Model Context Protocol), letting the model call external tools over STDIO or HTTP. Because the LLM plans tool-chains non‑deterministically, identical prompts can lead to different process, file and network behaviours across runs and hosts. |
| 8 | + |
| 9 | +Key mechanics seen in common AI CLIs: |
| 10 | +- Typically implemented in Node/TypeScript with a thin wrapper launching the model and exposing tools. |
| 11 | +- Multiple modes: interactive chat, plan/execute, and single‑prompt run. |
| 12 | +- MCP client support with STDIO and HTTP transports, enabling both local and remote capability extension. |
| 13 | + |
| 14 | +Abuse impact: A single prompt can inventory and exfiltrate credentials, modify local files, and silently extend capability by connecting to remote MCP servers (visibility gap if those servers are third‑party). |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## Adversary Playbook – Prompt‑Driven Secrets Inventory |
| 19 | + |
| 20 | +Task the agent to quickly triage and stage credentials/secrets for exfiltration while staying quiet: |
| 21 | + |
| 22 | +- Scope: recursively enumerate under $HOME and application/wallet dirs; avoid noisy/pseudo paths (`/proc`, `/sys`, `/dev`). |
| 23 | +- Performance/stealth: cap recursion depth; avoid `sudo`/priv‑escalation; summarise results. |
| 24 | +- Targets: `~/.ssh`, `~/.aws`, cloud CLI creds, `.env`, `*.key`, `id_rsa`, `keystore.json`, browser storage (LocalStorage/IndexedDB profiles), crypto‑wallet data. |
| 25 | +- Output: write a concise list to `/tmp/inventory.txt`; if the file exists, create a timestamped backup before overwrite. |
| 26 | + |
| 27 | +Example operator prompt to an AI CLI: |
| 28 | + |
| 29 | +``` |
| 30 | +You can read/write local files and run shell commands. |
| 31 | +Recursively scan my $HOME and common app/wallet dirs to find potential secrets. |
| 32 | +Skip /proc, /sys, /dev; do not use sudo; limit recursion depth to 3. |
| 33 | +Match files/dirs like: id_rsa, *.key, keystore.json, .env, ~/.ssh, ~/.aws, |
| 34 | +Chrome/Firefox/Brave profile storage (LocalStorage/IndexedDB) and any cloud creds. |
| 35 | +Summarize full paths you find into /tmp/inventory.txt. |
| 36 | +If /tmp/inventory.txt already exists, back it up to /tmp/inventory.txt.bak-<epoch> first. |
| 37 | +Return a short summary only; no file contents. |
| 38 | +``` |
| 39 | + |
| 40 | +--- |
| 41 | + |
| 42 | +## Capability Extension via MCP (STDIO and HTTP) |
| 43 | + |
| 44 | +AI CLIs frequently act as MCP clients to reach additional tools: |
| 45 | + |
| 46 | +- STDIO transport (local tools): the client spawns a helper chain to run a tool server. Typical lineage: `node → <ai-cli> → uv → python → file_write`. Example observed: `uv run --with fastmcp fastmcp run ./server.py` which starts `python3.13` and performs local file operations on the agent’s behalf. |
| 47 | +- HTTP transport (remote tools): the client opens outbound TCP (e.g., port 8000) to a remote MCP server, which executes the requested action (e.g., write `/home/user/demo_http`). On the endpoint you’ll only see the client’s network activity; server‑side file touches occur off‑host. |
| 48 | + |
| 49 | +Notes: |
| 50 | +- MCP tools are described to the model and may be auto‑selected by planning. Behaviour varies between runs. |
| 51 | +- Remote MCP servers increase blast radius and reduce host‑side visibility. |
| 52 | + |
| 53 | +--- |
| 54 | + |
| 55 | +## Local Artifacts and Logs (Forensics) |
| 56 | + |
| 57 | +- Gemini CLI session logs: `~/.gemini/tmp/<uuid>/logs.json` |
| 58 | + - Fields commonly seen: `sessionId`, `type`, `message`, `timestamp`. |
| 59 | + - Example `message`: `"@.bashrc what is in this file?"` (user/agent intent captured). |
| 60 | +- Claude Code history: `~/.claude/history.jsonl` |
| 61 | + - JSONL entries with fields like `display`, `timestamp`, `project`. |
| 62 | + |
| 63 | +Correlate these local logs with requests observed at your LLM gateway/proxy (e.g., LiteLLM) to detect tampering/model‑hijacking: if what the model processed deviates from the local prompt/output, investigate injected instructions or compromised tool descriptors. |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +## Endpoint Telemetry Patterns |
| 68 | + |
| 69 | +Representative chains on Amazon Linux 2023 with Node v22.19.0 and Python 3.13: |
| 70 | + |
| 71 | +1) Built‑in tools (local file access) |
| 72 | +- Parent: `node .../bin/claude --model <model>` (or equivalent for the CLI) |
| 73 | +- Immediate child action: create/modify a local file (e.g., `demo-claude`). Tie the file event back via parent→child lineage. |
| 74 | + |
| 75 | +2) MCP over STDIO (local tool server) |
| 76 | +- Chain: `node → uv → python → file_write` |
| 77 | +- Example spawn: `uv run --with fastmcp fastmcp run /home/ssm-user/tools/server.py` |
| 78 | + |
| 79 | +3) MCP over HTTP (remote tool server) |
| 80 | +- Client: `node/<ai-cli>` opens outbound TCP to `remote_port: 8000` (or similar) |
| 81 | +- Server: remote Python process handles the request and writes `/home/ssm-user/demo_http`. |
| 82 | + |
| 83 | +Because agent decisions differ by run, expect variability in exact processes and touched paths. |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## Detection Strategy |
| 88 | + |
| 89 | +Telemetry sources |
| 90 | +- Linux EDR using eBPF/auditd for process, file and network events. |
| 91 | +- Local AI‑CLI logs for prompt/intent visibility. |
| 92 | +- LLM gateway logs (e.g., LiteLLM) for cross‑validation and model‑tamper detection. |
| 93 | + |
| 94 | +Hunting heuristics |
| 95 | +- Link sensitive file touches back to an AI‑CLI parent chain (e.g., `node → <ai-cli> → uv/python`). |
| 96 | +- Alert on access/reads/writes under: `~/.ssh`, `~/.aws`, browser profile storage, cloud CLI creds, `/etc/passwd`. |
| 97 | +- Flag unexpected outbound connections from the AI‑CLI process to unapproved MCP endpoints (HTTP/SSE, ports like 8000). |
| 98 | +- Correlate local `~/.gemini`/`~/.claude` artifacts with LLM gateway prompts/outputs; divergence indicates possible hijacking. |
| 99 | + |
| 100 | +Example pseudo‑rules (adapt to your EDR): |
| 101 | + |
| 102 | +```yaml |
| 103 | +- when: file_write AND path IN ["$HOME/.ssh/*","$HOME/.aws/*","/etc/passwd"] |
| 104 | + and ancestor_chain CONTAINS ["node", "claude|gemini|warp", "python|uv"] |
| 105 | + then: alert("AI-CLI secrets touch via tool chain") |
| 106 | + |
| 107 | +- when: outbound_tcp FROM process_name =~ "node|python" AND parent =~ "claude|gemini|warp" |
| 108 | + and dest_port IN [8000, 3333, 8787] |
| 109 | + then: tag("possible MCP over HTTP") |
| 110 | +``` |
| 111 | +
|
| 112 | +Hardening ideas |
| 113 | +- Require explicit user approval for file/system tools; log and surface tool plans. |
| 114 | +- Constrain network egress for AI‑CLI processes to approved MCP servers. |
| 115 | +- Ship/ingest local AI‑CLI logs and LLM gateway logs for consistent, tamper‑resistant auditing. |
| 116 | +
|
| 117 | +--- |
| 118 | +
|
| 119 | +## Blue‑Team Repro Notes |
| 120 | +
|
| 121 | +Use a clean VM with an EDR or eBPF tracer to reproduce chains like: |
| 122 | +- `node → claude --model claude-sonnet-4-20250514` then immediate local file write. |
| 123 | +- `node → uv run --with fastmcp ... → python3.13` writing under `$HOME`. |
| 124 | +- `node/<ai-cli>` establishing TCP to an external MCP server (port 8000) while a remote Python process writes a file. |
| 125 | + |
| 126 | +Validate that your detections tie the file/network events back to the initiating AI‑CLI parent to avoid false positives. |
| 127 | + |
| 128 | +--- |
| 129 | + |
| 130 | +## References |
| 131 | + |
| 132 | +- [Commanding attention: How adversaries are abusing AI CLI tools (Red Canary)](https://redcanary.com/blog/threat-detection/ai-cli-tools/) |
| 133 | +- [Model Context Protocol (MCP)](https://modelcontextprotocol.io) |
| 134 | +- [LiteLLM – LLM Gateway/Proxy](https://docs.litellm.ai) |
| 135 | + |
| 136 | +{{#include ../../banners/hacktricks-training.md}} |
0 commit comments