An administrator or network operator might execute this command legitimately. Please apply the necessary filters to tune that activity.

Techniques

Sample rules

Linux Auditd AI CLI Permission Override Activated

Description

This detection identifies when an AI command-line tool is launched in an unsafe mode that bypasses normal safety checks and user approvals. For instance, running claude --dangerously-skip-permissions skips all safety restrictions, allowing the tool to operate freely, while gemini --yolo automatically approves all actions without prompting the user. These modes, often called permission overrides or YOLO mode, let the AI execute commands, modify files, or perform tasks without confirmation. Detecting their use is important to prevent unintended or potentially harmful operations.

Detection logic

`linux_auditd` (proctitle = "*gemini*" AND proctitle IN ("*--yolo*", "*-y *")) OR (proctitle = "*claude*" AND proctitle = "*--dangerously-skip-permissions*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_ai_cli_permission_override_activated_filter`
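The following Python is an added example, not part of the rule or of this page: it emulates the search above (Splunk-style wildcard matching, then the rename and stats steps) over constructed sample proctitle values, and shows the boundary of the "*-y *" pattern, which needs a trailing space after -y.

```python
import re

def spl_match(pattern: str, value: str) -> bool:
    """Emulate a Splunk field="*x*" comparison: '*' matches any run of
    characters, everything else is literal, and matching is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def is_permission_override(proctitle: str) -> bool:
    """The rule's two branches from the detection logic above."""
    gemini = spl_match("*gemini*", proctitle) and (
        spl_match("*--yolo*", proctitle) or spl_match("*-y *", proctitle))
    claude = spl_match("*claude*", proctitle) and spl_match(
        "*--dangerously-skip-permissions*", proctitle)
    return gemini or claude

def summarize(events):
    """Emulate 'rename host as dest | stats count min(_time) as firstTime
    max(_time) as lastTime BY proctitle dest' over matching events."""
    rows = {}
    for ev in events:
        if not is_permission_override(ev["proctitle"]):
            continue
        key = (ev["proctitle"], ev["host"])  # host becomes dest
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows

# Constructed sample events standing in for decoded auditd proctitle values.
SAMPLE_EVENTS = [
    {"host": "dev-01", "_time": 1700000000, "proctitle": "claude --dangerously-skip-permissions"},
    {"host": "dev-01", "_time": 1700000300, "proctitle": "claude --dangerously-skip-permissions"},
    {"host": "dev-01", "_time": 1700000060, "proctitle": "claude -p explain this function"},
    {"host": "build-02", "_time": 1700000120, "proctitle": "gemini --yolo refactor module"},
    {"host": "build-02", "_time": 1700000180, "proctitle": "gemini -y summarize README"},
    # "-y" with nothing after it: the rule's "*-y *" pattern needs a trailing space
    {"host": "build-03", "_time": 1700000240, "proctitle": "gemini -y"},
    # "-y" from an unrelated tool: no "gemini" in the command line, so no match
    {"host": "build-03", "_time": 1700000360, "proctitle": "yum install -y curl"},
]

if __name__ == "__main__":
    for (proctitle, dest), row in summarize(SAMPLE_EVENTS).items():
        print(f"{dest:10} {row['count']:>3} {row['firstTime']} {row['lastTime']} {proctitle}")
```

Raw auditd PROCTITLE records hex-encode the command line with NUL separators between arguments, so these string patterns only work on the decoded, space-separated form (as produced by ausearch -i or the ingest pipeline).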