AIDE-013 Collection Coverage C ATT&CK Aligned Reconnaissance

LLM-Mediated Codebase Reconnaissance

AIDE-013 | ATT&CK: T1592

Description

Adversary Behavior: An adversary uses prompt injection to direct an LLM-integrated coding agent to systematically enumerate and report information about the target development environment, leveraging the agent's privileged insider position.

AI/IDE Mechanism: The coding agent has deep read access to the entire project — including source code, configuration files, infrastructure-as-code definitions, environment variables, and documentation. This access scope, designed for productive code generation, provides comprehensive visibility into the development environment's architecture and configuration.

Execution Path: The adversary embeds reconnaissance instructions in project files, pull requests, or documentation that the LLM ingests as context. The agent extracts architectural details, internal API schemas, credential storage locations, dependency manifests, and deployment configurations. The gathered intelligence is surfaced through generated code comments, exfiltrated via tool invocations, or embedded in outputs that the adversary can later retrieve.

Security Impact: Unlike traditional reconnaissance which operates externally, this technique leverages the LLM agent's privileged insider position within the development environment, providing the adversary with comprehensive internal intelligence including architecture, credentials, dependencies, and deployment configurations without triggering perimeter-based detection.

Platforms

Windows macOS Linux

Detection

Monitor LLM agent file access patterns for breadth-first enumeration across project directories. Flag agent sessions that read configuration files, environment variable definitions, or infrastructure-as-code templates without corresponding user-initiated task context. Analyze generated output for embedded system information, internal URLs, or credential references that were not part of the original prompt.

Detecting Data Components (3)

Resource Access

Events capturing the IDE's access to resources provided by MCP servers.

File Context Inclusion

Events capturing which local files are included in the LLM context window for each inference request.

Prompt Content

Full text of prompts sent to the LLM including system prompts, user instructions, and assembled context.

Mitigations (2)

Context Window Content Filtering

Apply input sanitization and prompt injection detection to content entering the LLM context window. Scan for instruction-like patterns in code comments, documentation, and external content. Implement content trust levels differentiating project files from external sources.

Agent Command Allowlisting

Implement command allowlists restricting agent-executable commands to development-relevant operations. Block system enumeration commands, cloud metadata access, and administrative operations unless explicitly approved per-task.

Data Sources

Application Log → Application Log Content

File → File Access

Process → Process Creation

Command → Command Execution

References

mitre-attack

Maps to Gather Victim Host Information. Coverage Level C — existing technique lacks procedure examples for LLM agent-mediated internal reconnaissance via prompt injection.

https://attack.mitre.org/techniques/T1592

XOXO Cross-Origin Context Poisoning

Demonstrates how poisoned context can direct LLM agents to extract and surface sensitive project information

https://arxiv.org/abs/2503.14281

MCP History Theft (Trail of Bits, Apr 2025)

Reconnaissance via malicious MCP server — full conversation history exfiltration enabling environment profiling.

https://blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/

STIX Metadata

type	attack-pattern
id	attack-pattern--87fd7317-0d58-402a-b27a-a21c6c3a14b5
spec_version	2.1
created	2026-02-23T00:00:00.000Z
modified	2026-02-23T00:00:00.000Z
created_by_ref	identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique	False
x_mitre_version	0.1
x_mitre_status	mapped