AIDE-015 | Collection | Coverage B | ATT&CK Aligned | Discovery

LLM-Directed Environment Discovery

AIDE-015 | ATT&CK: T1082

Description

Adversary Behavior: An adversary uses prompt injection to direct the LLM coding agent to enumerate the local development environment and surrounding infrastructure using the agent's built-in system access capabilities.

AI/IDE Mechanism: The agent's built-in capabilities — file reading, command execution, and tool invocations — provide legitimate access to system-level information as part of normal development workflows. These capabilities are designed for productive development but can be weaponized for infrastructure discovery. The agent's system access commands blend with legitimate developer workflow operations.

Execution Path: The adversary directs the agent to discover system configuration (OS version, installed software, running processes), network topology (listening ports, active connections, DNS configuration, proxy settings), cloud context (AWS/Azure/GCP metadata endpoints, configured profiles, active sessions), and container/orchestration state (Docker images, Kubernetes contexts). The discovered information is embedded in generated code, written to project files, or exfiltrated through tool invocations.

Security Impact: The adversary obtains detailed infrastructure intelligence from within the development environment's trust boundary. This information enables targeted follow-on attacks against discovered services, cloud resources, and network infrastructure, with the reconnaissance activity blending into normal agent operations.

Platforms

Windows, macOS, Linux

Detection

Monitor agent-initiated command execution for system enumeration patterns (systeminfo, uname, env, ifconfig/ipconfig, netstat, cloud metadata queries). Implement allowlists for agent-executable system commands that restrict discovery operations. Flag agent sessions that execute multiple discovery commands in sequence without corresponding user task context. Baseline normal agent command patterns to detect anomalous enumeration activity.

Detecting Data Components (1)

Tool Call Request
Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.

Mitigations (2)

Agent Execution Sandboxing
Run AI coding agents in isolated security contexts with least-privilege permissions separate from the developer's ambient session. Implement task-scoped permission grants that restrict agent capabilities to files and tools relevant to the current task.
Agent Command Allowlisting
Implement command allowlists restricting agent-executable commands to development-relevant operations. Block system enumeration commands, cloud metadata access, and administrative operations unless explicitly approved per-task.
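The Detection section's three checks (pattern-matching agent-issued commands, flagging a run of discovery commands with no user task context, baselining against an allowlist) and the Agent Command Allowlisting mitigation, as an added example that is not part of the AIDE-TACT entry. The event shape, the `run_command` tool name, the allowlist prefixes and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict

# Enumeration command shapes the Detection section names, as defensive match patterns;
# 169.254.169.254 is the standard link-local cloud metadata address ("cloud metadata queries").
DISCOVERY_PATTERNS = {
    "system_info": re.compile(r"^\s*(systeminfo|uname|sw_vers|hostnamectl)\b"),
    "environment": re.compile(r"^\s*(env|printenv)\b"),
    "network": re.compile(r"^\s*(ifconfig|ipconfig|netstat|ss|arp)\b"),
    "cloud_metadata": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
}
# Hypothetical allowlist of development-relevant command prefixes (a team-specific assumption).
ALLOWED_PREFIXES = ("git ", "pytest", "npm ", "python ", "cargo ", "make", "cat ")

# Constructed sample Tool Call Request events (not real agent telemetry).
SAMPLE_EVENTS = [
    {"session": "s1", "tool": "run_command", "args": {"cmd": "pytest tests/"}, "task": "fix failing test"},
    {"session": "s2", "tool": "run_command", "args": {"cmd": "uname -a"}, "task": ""},
    {"session": "s2", "tool": "run_command", "args": {"cmd": "env"}, "task": ""},
    {"session": "s2", "tool": "run_command", "args": {"cmd": "curl http://169.254.169.254/"}, "task": ""},
    {"session": "s3", "tool": "run_command", "args": {"cmd": "ifconfig"}, "task": "debug container networking"},
]

def classify_command(cmd):
    """Return the discovery category a command matches, or None if it matches none."""
    return next((c for c, p in DISCOVERY_PATTERNS.items() if p.search(cmd)), None)

def is_allowed(cmd):
    """Allowlist check (the Agent Command Allowlisting mitigation)."""
    return cmd.strip().startswith(ALLOWED_PREFIXES)

def evaluate_events(events, sequence_threshold=3):
    """Apply the Detection-section checks per session; 'flagged' means a run of
    sequence_threshold discovery commands issued with no user task context."""
    report = defaultdict(lambda: {"blocked": [], "discovery": [], "flagged": False})
    run = defaultdict(int)  # consecutive discovery commands lacking task context, per session
    for ev in (e for e in events if e["tool"] == "run_command"):
        cmd, sess = ev["args"]["cmd"], report[ev["session"]]
        if not is_allowed(cmd):
            sess["blocked"].append(cmd)  # would be denied before execution under the allowlist
        category = classify_command(cmd)
        if category:
            sess["discovery"].append((category, cmd))
        if category and not ev.get("task"):
            run[ev["session"]] += 1
            sess["flagged"] = sess["flagged"] or run[ev["session"]] >= sequence_threshold
        else:
            run[ev["session"]] = 0
    return dict(report)
```

Session s3 shows the caveat: a single `ifconfig` tied to a stated debugging task is recorded but not flagged, which is why the task-context field matters for keeping false positives down.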

Data Sources

Process: Process Creation
Command: Command Execution
Process: OS API Execution
Network Traffic: Network Connection Creation

References

mitre-attack
Maps to System Information Discovery. Coverage Level B — technique is well-established but needs updated procedure examples for LLM agent-initiated discovery via prompt injection.
https://attack.mitre.org/techniques/T1082
Anthropic Agent Security Guidance
Describes risks of agents executing system commands for information gathering under adversarial influence
https://docs.anthropic.com/en/docs/build-with-claude/prompt-engineering/mitigate-prompt-injections
ToolLeak Red-Teaming Coding Agents
Red-teaming evaluation across 19/25 agent-LLM pairs demonstrates tool invocation hijacking for system enumeration and data exfiltration (arXiv:2509.05755, 2025)
https://arxiv.org/abs/2509.05755

STIX Metadata

type: attack-pattern
id: attack-pattern--969fabfd-b79c-498c-9f05-9d12bfb1a373
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: mapped