Detection-Engineering

Seeing the AI Layer: Detecting Agents, MCP Servers, and IDE Plugins on Every Endpoint with osquery

Your EDR knows about processes and network connections. Your MDM knows about installed apps. Neither one knows that someone on your team is running an npx-fetched MCP server that has shell-exec capability and a plaintext secret baked into its config. agentic-detector is a cross-platform osquery extension that fixes that. One table — ai_tools — gives you the full AI software inventory per host: MCP servers, agent CLIs, IDE plugins, desktop apps, live network sockets, and the agent instruction files that tell AI what it’s allowed to do. Deployable through Fleet in minutes.

Notepad++ trusted-directory bypass (GHSA-p58x-r3c9-x9p6): find it with Fleet, portable copies included

GHSA-p58x-r3c9-x9p6 is a path-traversal bypass of the CVE-2026-48800 patch in Notepad++ v8.9.6.1, fixed in v8.9.6.2. It carries no CVE of its own, so vulnerability scanners that key on CVE catalogs may not flag it — and even when they do, they catch the registry-installed program while a portable notepad++.exe dropped in Downloads goes unseen. This post validates the advisory, then ships a Fleet/osquery identification query and a policy that fails when a vulnerable copy is present, installed or portable.

ClickFix — Copy/Paste Social Engineering: Threat Brief and Fleet Detection Pack

ClickFix is the most active cross-platform initial-access technique of 2026 — fake CAPTCHAs and support prompts that silently copy a malicious command to the clipboard, instruct the user to paste it into the Windows Run dialog or macOS Terminal, and deliver infostealers (Lumma, AMOS), remote-access tools (NetSupport RAT), and AppleScript keychain stealers. No code-execution vulnerability is exploited — the victim is the delivery mechanism. This brief walks the five-stage attack flow, lists atomic indicators, and ships a Fleet/osquery detection pack with every query validated against the current Fleet table schema.

SHADOW-EARTH-053 — Threat Brief, Kill Chain, and Validated Fleet Queries

Trend Micro disclosed SHADOW-EARTH-053 on 30 April 2026 — a China-aligned cyberespionage campaign exploiting ProxyLogon against unpatched Microsoft Exchange and IIS to deploy GODZILLA web shells and ShadowPad across South, East, and Southeast Asia plus one NATO target. This brief documents the campaign through Lockheed’s seven kill-chain stages with a Diamond Model rendered for each stage, consolidates the atomic indicators, and ships a vetted Fleet/osquery detection pack. Every query in the pack has been audited against fleetdm.com/tables before publication — schema bugs in the publicly circulating versions are called out and corrected inline.

Endpoint Risk and Threat Hunting, in Plain English: A Fleet MCP Manifesto

Endpoint risk and threat hunting with Fleet just got a lot easier with the MCP. fleet-mcp is a Model Context Protocol server that turns Fleet’s API into a typed tool catalog any AI agent can call. This is the manifesto — why it exists, what it does, what it deliberately won’t do, and what it gives you that a REST API never could.

Mini Shai-Hulud: Detecting a Live npm Supply Chain Worm with Fleet

An active npm supply chain worm targeting developer credentials dropped on May 11, 2026. 42 TanStack packages (84 versions) directly compromised. The broader Mini Shai-Hulud campaign affects 175 packages across 17 namespaces. This is the detection approach we ran across 30 hosts using Fleet — and the critical caveat about what Fleet’s built-in npm table misses.

Pre-CVE Threat Response: A Dirty Frag Walkthrough with Fleet

Vulnerability management isn’t CVE management. When a public exploit lands before NVD has caught up, traditional vuln scanners return empty and incident response stalls waiting for a row in a database. This is a worked example of using Fleet’s primitives — live osquery, run-script, policies — to investigate, scope, mitigate, and verify based on the artifacts of the threat instead of its catalog representation.