The recent news regarding Glasswing serves as a stark reminder for the security community: securing the core application code is only half the battle. While Glasswing may have secured their specific codebase, the report highlights that attackers are increasingly bypassing hardened applications by targeting the "forgotten" layers of the stack—specifically shadow IT, unsanctioned SaaS integrations, and the emerging threat of shadow AI agents.
Introduction: The Vulnerability of the Stack
What happened is a classic shift in the threat landscape. Developers and employees are increasingly autonomous, provisioning SaaS tools and AI agents to solve immediate workflow problems. In the context of the Glasswing findings, the risk is clear: attackers do not need sophisticated AI exploits when they can simply abuse the unmonitored API keys and OAuth tokens generated by shadow integrations.
Defenders need to act because the perimeter has dissolved. Your stack is no longer just the code you write; it is the sum of every SaaS subscription, every browser extension, and every AI agent plugged into your corporate environment. If you are only watching your production code, you are blind to the active exploitation occurring in your integration layer.
Technical Analysis: The Integration Attack Vector
This is not a theoretical vulnerability; it is an active attack methodology. While the specific Glasswing update addressed internal code security, the surrounding news item exposes the broader technical gap: API Abuse and Shadow Token Creation.
- Affected Platforms: SaaS platforms (Microsoft 365, Salesforce, Slack), AI Platforms (OpenAI, Anthropic), and custom internal APIs.
- The Mechanism: Users (or compromised accounts) create API keys or OAuth tokens to integrate "shadow" tools. These keys are often stored in plaintext in repos (.env files), chats, or local scripts.
- Attack Chain:
  - Recon: Attacker identifies unmonitored SaaS usage or leaked API keys.
  - Initial Access: Attacker uses a stolen credential or valid API key to access a SaaS provider (e.g., a marketing automation tool connected to the main CRM).
  - Lateral Movement: Using the integration's permissions (often overly broad), the attacker pivots to the primary target (email, database) via the trusted API connection.
  - Exfiltration: Data is siphoned through the "forgotten" integration, bypassing traditional egress filtering because the traffic looks like legitimate SaaS usage.
- Exploitation Status: Active. Threat actors are actively scraping public repositories for API keys and harvesting browser session cookies for SaaS logins.
Detection & Response
Detecting shadow IT and integration abuse requires a shift from monitoring "known bads" to monitoring "unknown new" behaviors. We need to hunt for the creation of integrations and the use of CLI tools to interact with SaaS APIs from user workstations.
SIGMA Rules
```yaml
---
title: Potential Shadow IT SaaS CLI Interaction
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the use of common CLI tools (curl, aws, az, gcloud) potentially interacting with SaaS or AI APIs from a user context, which may indicate shadow IT or data exfiltration.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/04/01
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    # Values inside a list are ORed; the two fields are ANDed.
    selection:
        Image|endswith:
            - '\curl.exe'
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'api.openai.com'
            - 'api.anthropic.com'
            - 'graph.microsoft.com'
            - 'slack.com/api'
    filter:
        User|contains:
            - 'ADMIN$'
            - 'SYSTEM'
    condition: selection and not filter
falsepositives:
    - Legitimate developer testing scripts
level: medium
---
title: PowerShell Environment Variable Access for API Keys
id: 9b3c2d1e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects PowerShell scripts accessing environment variables that typically store API keys, a common behavior in scripts utilizing shadow AI services.
references:
    - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2025/04/01
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    # Environment-variable access (any of these)...
    selection_env:
        CommandLine|contains:
            - 'Get-ChildItem Env:'
            - '$env:'
    # ...combined with a key-like variable name (any of these).
    selection_key:
        CommandLine|contains:
            - 'API_KEY'
            - 'OPENAI'
            - 'ANTHROPIC'
            - 'SLACK_TOKEN'
    condition: all of selection_*
falsepositives:
    - Legitimate application startup scripts
level: high
```
KQL (Microsoft Sentinel)
This query hunts for "Sign-in" events to applications that are not part of your official estate or that match naming conventions of common Shadow AI tools.
```kql
let ShadowAIKeywords = dynamic(["openai", "anthropic", "chatgpt", "claude", "midjourney", "zapier", "ifttt"]);
SigninLogs
| where ResultType == 0
// SigninLogs exposes the application name as AppDisplayName
| extend AppName = tolower(AppDisplayName)
| where AppName has_any (ShadowAIKeywords) or AppName contains "agent"
// Keep the most recent sign-in time and its location for each app/user/IP combination
| summarize Count = count(), arg_max(TimeGenerated, LocationDetails) by AppName, UserPrincipalName, IPAddress
| project TimeGenerated, UserPrincipalName, AppName, IPAddress, Count, LocationDetails
| order by Count desc
```
Velociraptor VQL
This artifact hunts for plain-text API keys or configuration files often associated with unauthorized SaaS integrations in user directories.
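```sql
-- Hunt for plaintext API keys and Shadow IT configs in user directories.
-- Assumes Windows profiles under C:\Users; adjust the glob for other platforms.
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/*/**")
WHERE FullPath =~ '(\.env$|config\.|secrets\.yaml)'
  -- Modified within the last 7 days (now() returns epoch seconds)
  AND Mtime > timestamp(epoch=now() - 7 * 86400)
-- Note: Further analysis with regex() on file content would be required in a full hunt
```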
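The content analysis that the note above leaves for a full hunt could look like the following. This is an added example, not part of the original article or of Velociraptor: it triages `.env` text for key-like values and reports only a hash fingerprint, so the secret itself never lands in hunt results. The variable-name patterns, placeholder list and thresholds are assumptions, and the sample file is constructed.

```python
import hashlib
import math
import re

# Assumptions: the "sk-" shape and key-style variable names follow the page's
# audit script and Sigma rule; the placeholder list and thresholds are hypothetical.
KEY_NAME = re.compile(r"(API_?KEY|TOKEN|SECRET|OPENAI|ANTHROPIC)", re.I)
KEY_SHAPE = re.compile(r"^sk-[A-Za-z0-9_-]{20,}$")
PLACEHOLDERS = {"", "changeme", "your_api_key_here", "xxx", "todo"}

def entropy(value):
    # Shannon entropy in bits per character; low for values like "aaaa...".
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def triage_env(text):
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.replace("export ", "", 1).strip()
        value = value.strip().strip("'\"")
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue  # template values and variable references, not secrets
        shaped = bool(KEY_SHAPE.match(value))
        named = (bool(KEY_NAME.search(name)) and len(value) >= 16
                 and entropy(value) >= 3.0)
        if shaped or named:
            findings.append({
                "line": lineno,
                "name": name,
                "reason": "key-shape" if shaped else "name+entropy",
                # Fingerprint lets analysts match one key across hosts
                # without copying the secret into the results.
                "sha256_prefix": hashlib.sha256(value.encode()).hexdigest()[:12],
            })
    return findings

# Constructed sample .env content (not real credentials).
SAMPLE_ENV = """\
# local settings
OPENAI_API_KEY=sk-EXAMPLEexampleEXAMPLEexample0000
SLACK_TOKEN=your_api_key_here
DB_HOST=localhost
export INTERNAL_API_KEY="Zx9qLm27RtbvKp41Hs8dWe63"
ANTHROPIC_KEY=${VAULT_ANTHROPIC_KEY}
"""
```

Calling `triage_env(SAMPLE_ENV)` flags lines 2 and 5 and skips the placeholder, the vault reference and the non-secret setting.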
Remediation Script (PowerShell)
This script audits the local machine for common signs of Shadow IT installations related to AI and SaaS.
```powershell
# Audit for Shadow AI and SaaS installations
Write-Host "Checking for Shadow IT/AI Installations..."

# Per-user and machine-wide uninstall entries
$UninstallPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$SuspiciousKeywords = @("ChatGPT", "OpenAI", "Claude", "Anthropic", "Copilot", "Zapier")

$FoundApps = Get-ItemProperty $UninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match ($SuspiciousKeywords -join '|') }

if ($FoundApps) {
    Write-Host "[ALERT] Found potential Shadow IT applications:" -ForegroundColor Red
    $FoundApps | Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation | Format-Table -AutoSize
} else {
    Write-Host "No known Shadow IT applications found in registry." -ForegroundColor Green
}

# Check for .env files in common user directories containing API keywords
Write-Host "Scanning user profiles for exposed API keys in .env files..."
$Users = Get-ChildItem -Path "C:\Users" -Directory
$RiskFound = $false

foreach ($User in $Users) {
    # -File skips directories that happen to be named ".env"
    $EnvFiles = Get-ChildItem -Path $User.FullName -Recurse -File -Filter ".env" -ErrorAction SilentlyContinue
    foreach ($File in $EnvFiles) {
        $Content = Get-Content $File.FullName -Raw -ErrorAction SilentlyContinue
        if ($Content -match "sk-([a-zA-Z0-9]{20,})" -or $Content -match "api_key") {
            Write-Host "[RISK] Potential API key found in: $($File.FullName)" -ForegroundColor Yellow
            $RiskFound = $true
        }
    }
}

if (-not $RiskFound) { Write-Host "No exposed API keys detected in .env files." -ForegroundColor Green }
```
Remediation: Securing the 'Rest of the Stack'
To address the risks highlighted by the Glasswing news and the broader threat of Shadow IT, organizations must take immediate, inventory-driven steps:
- SSPM Implementation: Deploy a SaaS Security Posture Management (SSPM) solution. You cannot protect what you cannot see. SSPM tools automatically discover shadow SaaS instances and misconfigurations.
- OAuth Token Hygiene: Conduct an audit of all OAuth grants in your identity provider (e.g., Entra ID, Okta). Revoke tokens for applications that are no longer used or that have excessive permissions (high privilege scopes).
- Policy Definition for AI Agents: Establish a strict acceptable use policy for AI agents. Require that all interactions with generative AI go through a centrally approved, enterprise-gated gateway (e.g., Azure OpenAI Service) rather than direct consumer accounts.
- Code Repository Scanning: Implement strict pre-commit hooks or repo scanning (e.g., Trivy, Gitleaks) to prevent API keys and secrets from being committed to code, a primary entry vector for these attacks.
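For the OAuth Token Hygiene step, the audit can be run offline against an export of grants. The sketch below is an added example, not from the original article: the `clientId`, `consentType` and `scope` fields mirror Microsoft Graph's oAuth2PermissionGrant resource, while the high-privilege scope set, the 90-day staleness threshold, the last-sign-in lookup keyed by `clientId` and all sample records are assumptions constructed for illustration.

```python
from datetime import date

# Assumption: which delegated scopes count as "high privilege" is a local
# policy decision; these Microsoft Graph scope names are an illustrative set.
HIGH_PRIV = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
             "Directory.ReadWrite.All", "Sites.ReadWrite.All"}
STALE_DAYS = 90  # hypothetical threshold for "no longer used"

def review_grants(grants, last_signin, today):
    """Return one decision per grant: revoke (unused), review (broad), keep."""
    decisions = []
    for g in grants:
        scopes = set(g["scope"].split())      # scope is a space-separated string
        risky = sorted(scopes & HIGH_PRIV)
        seen = last_signin.get(g["clientId"])  # None = never seen signing in
        idle = (today - seen).days if seen else None
        if idle is None or idle > STALE_DAYS:
            action = "revoke"
        elif risky:
            action = "review"
        else:
            action = "keep"
        decisions.append({
            "clientId": g["clientId"],
            "action": action,
            "risky_scopes": risky,
            "idle_days": idle,
            # Admin consent for all users widens the blast radius of one token.
            "tenant_wide": g["consentType"] == "AllPrincipals",
        })
    order = {"revoke": 0, "review": 1, "keep": 2}
    return sorted(decisions, key=lambda d: (order[d["action"]], not d["tenant_wide"]))

# Constructed sample export (placeholder identifiers, not real tenant data).
SAMPLE_GRANTS = [
    {"clientId": "sp-crm-sync", "consentType": "AllPrincipals",
     "scope": "Mail.ReadWrite offline_access User.Read"},
    {"clientId": "sp-old-notetaker", "consentType": "Principal",
     "scope": "Files.ReadWrite.All"},
    {"clientId": "sp-calendar-widget", "consentType": "Principal",
     "scope": "User.Read Calendars.Read"},
]
SAMPLE_LAST_SIGNIN = {"sp-crm-sync": date(2025, 3, 28),
                      "sp-calendar-widget": date(2025, 3, 30)}

if __name__ == "__main__":
    for d in review_grants(SAMPLE_GRANTS, SAMPLE_LAST_SIGNIN, date(2025, 4, 1)):
        print(d)
```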