AIDE-008 | Agent Execution | Coverage B | ATT&CK Aligned | Execution

Autonomous Agent Command Execution Abuse

AIDE-008 | ATT&CK: T1059

Description

Adversary Behavior: An adversary exploits the autonomous command execution capability of LLM coding agents to run arbitrary shell commands on the developer's workstation.

AI/IDE Mechanism: Modern coding agents are granted the ability to execute shell commands — build tools, test runners, package managers, scripts — as part of their standard development workflow. The agent's shell tool executes commands with the developer's full user-level permissions, including access to credentials, network resources, and the local filesystem.

Execution Path: Through indirect prompt injection — via files the agent reads, tool return values it processes, or web content it fetches — the adversary injects instructions that cause the agent to invoke its shell tool with adversary-controlled command strings. The commands execute under the developer's security context without additional authorization checks beyond the agent's built-in approval mechanism.

Security Impact: The adversary achieves arbitrary command execution on the developer's workstation with the developer's full user-level permissions, enabling data exfiltration, malware deployment, credential theft, persistence establishment, and further lateral movement from the compromised host.

Platforms

Windows, macOS, Linux

Detection

Monitor all shell commands executed by agent processes and compare against an expected command set for the declared task. Flag commands involving network tools, credential access utilities, persistence mechanisms, or encoded payloads.

Detecting Data Components (2)

Tool Call Response
Events capturing the response returned by a tool invocation, including output content and status.
Tool Call Request
Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.

Mitigations (2)

Agent Command Allowlisting
Implement command allowlists that restrict agent-executable commands to development-relevant operations. Block system enumeration commands, cloud metadata access, and administrative operations unless explicitly approved for the current task.
Agent Execution Sandboxing
Run AI coding agents in isolated security contexts with least-privilege permissions separate from the developer's ambient session. Implement task-scoped permission grants that restrict agent capabilities to files and tools relevant to the current task.
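The detection and allowlisting described above can be applied directly to Tool Call Request events. The following is an added example, not code from the AIDE-TACT entry or any agent vendor; the event shape, the per-task allowlist and the sets of flagged tools are assumptions, and the sample events are constructed.

```python
import re
import shlex

# Constructed sample Tool Call Request events (shape assumed; not real agent telemetry).
SAMPLE_EVENTS = [
    {"tool": "shell", "args": {"command": "npm test"}},
    {"tool": "shell", "args": {"command": "curl -s http://169.254.169.254/latest/meta-data/"}},
    {"tool": "shell", "args": {"command": "cat ~/.aws/credentials"}},
    {"tool": "shell", "args": {"command": "echo aGVsbG8gd29ybGQ= | base64 -d | sh"}},
    {"tool": "shell", "args": {"command": "crontab -l"}},
    {"tool": "read_file", "args": {"path": "README.md"}},
]

# Per-task allowlist of programs the agent may run (assumed policy for this example).
ALLOWLIST = {"run-tests": {"npm", "pytest", "git", "make", "cargo", "ls", "cat"}}
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "ssh", "scp"}
PERSISTENCE_TOOLS = {"crontab", "launchctl", "systemctl", "schtasks"}
CRED_PATHS = re.compile(r"\.aws/credentials|\.ssh/|\.netrc|\.git-credentials")
METADATA_IP = "169.254.169.254"  # cloud instance metadata endpoint

def split_pipeline(command):
    """Split one command line into simple commands at |, ;, && and || (quotes not honoured)."""
    return [shlex.split(part) for part in re.split(r"\|\||&&|[|;]", command) if part.strip()]

def evaluate(event, task):
    """Return ("allow" or "flag", reasons) for one Tool Call Request event."""
    if event["tool"] != "shell":
        return "allow", []
    reasons = []
    for seg in split_pipeline(event["args"]["command"]):
        prog = seg[0].rsplit("/", 1)[-1]  # strip directory: /usr/bin/curl -> curl
        if prog not in ALLOWLIST.get(task, set()):
            reasons.append(f"not allowlisted for {task}: {prog}")
        if prog in NETWORK_TOOLS:
            reasons.append(f"network tool: {prog}")
        if prog in PERSISTENCE_TOOLS:
            reasons.append(f"persistence mechanism: {prog}")
        if prog == "base64" and ("-d" in seg or "--decode" in seg):
            reasons.append("encoded payload")
        for arg in seg[1:]:
            if CRED_PATHS.search(arg):
                reasons.append(f"credential path: {arg}")
            if METADATA_IP in arg:
                reasons.append("cloud metadata access")
    return ("flag" if reasons else "allow"), reasons

def triage(events, task):
    """Return (event, reasons) pairs for requests that should be held for review."""
    return [(e, evaluate(e, task)[1]) for e in events if evaluate(e, task)[0] == "flag"]
```

Running `triage(SAMPLE_EVENTS, "run-tests")` holds four of the six requests: the metadata fetch, the credential read, the decoded pipeline and the crontab call; `npm test` and the file read pass.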

Data Sources

Process: Process Creation
Command: Command Execution
File: File Creation
Network Traffic: Network Connection Creation

References

MITRE ATT&CK
Maps to Command and Scripting Interpreter. Coverage Level B — needs procedure update for agent-mediated execution.
https://attack.mitre.org/techniques/T1059
CurXecute CVE-2025-54135
Chained indirect prompt injection to write malicious MCP configuration and trigger code execution (CVSS 8.5)
GitHub Copilot RCE — CVE-2025-53773 (Rehberger, Aug 2025)
Remote code execution achieved through prompt injection against GitHub Copilot via code, issue, or webpage content. 4-stage kill chain.
https://embracethered.com/blog/
Devin AI RCE (Rehberger, Aug 2025)
Prompt injection against Devin AI achieved remote code execution and established Sliver C2 connection.
https://embracethered.com/blog/
Agentic ProbLLMs (Rehberger, Dec 2025, 39C3)
Exploiting AI computer-use and coding agents — demonstrated RCE through visited webpage against Claude Computer Use.
https://embracethered.com/blog/
IDEsaster CVEs (Marzouk, 2025-2026)
CVE-2025-64671 — GitHub Copilot for JetBrains arbitrary command execution via malicious repositories
https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/
Chinese State-Sponsored Claude Code Manipulation
Late 2025: 80-90% autonomous operation exploiting agent command execution across ~30 targets (SnailSploit Threat Landscape)
https://snailsploit.com/ai-security/agentic-ai-threat-landscape/
Claude Code Hidden Backdoor (Lasso Security)
Claude Code's shell command execution exploited via indirect prompt injection in project files and external content (Lasso Security, 2025)
https://www.lasso.security/blog/the-hidden-backdoor-in-claude-coding-assistant

STIX Metadata

type: attack-pattern
id: attack-pattern--43ff8637-9250-4c40-8028-26aef60bd64c
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: mapped