AIDE-016 | Agent Execution | Coverage C | ATT&CK Aligned | Lateral Movement

Agent-Facilitated Lateral Movement

AIDE-016 | ATT&CK: T1021

Description

Adversary Behavior: An adversary leverages the LLM coding agent's access to developer credentials, SSH keys, API tokens, cloud session tokens, and multi-repository tooling to move laterally to other systems and environments.

AI/IDE Mechanism: The agent's legitimate need to interact with version control systems, CI/CD pipelines, cloud platforms, and remote development environments provides natural access to cross-system authentication mechanisms. Multi-repository IDE features and MCP tool servers that bridge multiple services further expand the accessible attack surface.

Execution Path: Through prompt injection, the agent is directed to clone additional repositories, establish SSH connections to remote servers, authenticate to cloud services using cached credentials, deploy code to staging or production environments, or interact with internal APIs and services accessible from the developer's workstation.

Security Impact: The adversary achieves cross-system movement using the developer's existing authenticated sessions and cached credentials. Lateral movement operations are conducted through the agent's legitimate tooling interfaces, providing natural cover and making detection difficult through conventional network monitoring.

Platforms

Windows, macOS, Linux

Detection

Monitor agent-initiated SSH, RDP, and cloud API connections to systems beyond the current project scope. Flag agent attempts to access credential stores, SSH key directories, or cloud configuration files. Implement network segmentation that restricts agent-initiated outbound connections to pre-approved destinations. Track agent interactions with version control systems for operations targeting repositories outside the active project workspace.

Detecting Data Components (1)

Tool Call Request
Events capturing an agent's request to invoke a specific tool, including tool name, arguments, and triggering context.
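
One way to apply the detection guidance above to Tool Call Request events, as an added example that is not part of the AIDE entry or any vendor's code. The event schema (tool, arguments), the finding names, and the allowlists are assumptions, and the sample events are constructed.

```python
import re
import shlex

# Well-known default credential locations on a developer workstation.
CRED_PATHS = re.compile(
    r"\.ssh/|\.aws/(?:credentials|config)|\.config/gcloud/|\.azure/"
    r"|\.kube/config|\.netrc\b|\.git-credentials\b|\.docker/config\.json")
REMOTE_TOOLS = {"ssh", "scp", "sftp", "rsync"}
GIT_REMOTE_OPS = {"clone", "fetch", "pull", "push"}

def normalize_remote(target):
    """Reduce user@host:path and scheme://host/path forms to host/path."""
    target = re.sub(r"^[\w.+-]+://", "", target).split("@", 1)[-1]
    target = target.replace(":", "/", 1)
    return target.rstrip("/").removesuffix(".git").lower()

def review_tool_call(event, approved_hosts, approved_repos):
    """Return findings for one event; both allowlists are sets of strings."""
    findings = []
    text = " ".join(v for v in event["arguments"].values() if isinstance(v, str))
    if CRED_PATHS.search(text):
        findings.append("credential-store-access")
    try:
        tokens = shlex.split(event["arguments"].get("command", ""))
    except ValueError:
        return findings + ["unparseable-command"]
    if not tokens:
        return findings
    remotes = [normalize_remote(t) for t in tokens[1:]
               if not t.startswith("-") and ("@" in t or "://" in t)]
    if tokens[0] in REMOTE_TOOLS:
        hosts = {r.split("/")[0] for r in remotes}
        # Fail closed: no parseable destination counts as unapproved.
        if not hosts or not hosts <= approved_hosts:
            findings.append("remote-session-outside-scope")
    elif tokens[0] == "git" and GIT_REMOTE_OPS & set(tokens[1:]):
        if any(r not in approved_repos for r in remotes):
            findings.append("repo-outside-workspace")
    return findings

# Constructed sample events; the field names are an assumed schema.
SAMPLE_EVENTS = [
    {"tool": "shell", "arguments": {"command": "git clone git@github.com:acme/web.git"}},
    {"tool": "shell", "arguments": {"command": "git clone https://github.com/acme/payroll.git"}},
    {"tool": "shell", "arguments": {"command": "ssh -i ~/.ssh/id_ed25519 deploy@prod-db.internal"}},
    {"tool": "read_file", "arguments": {"path": "/home/dev/.aws/credentials"}},
    {"tool": "shell", "arguments": {"command": "pytest -q tests/"}},
]
```

Named remotes such as origin are not resolved here; mapping them to URLs requires the repository's own configuration.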

Mitigations (3)

AI Network Traffic Segmentation
Implement egress filtering restricting LLM API and MCP tool server traffic to approved endpoints. Baseline normal LLM API traffic patterns and alert on deviations. Restrict agent-initiated outbound connections to pre-approved destinations.
Agent Execution Sandboxing
Run AI coding agents in isolated security contexts with least-privilege permissions separate from the developer's ambient session. Implement task-scoped permission grants that restrict agent capabilities to files and tools relevant to the current task.
Credential Isolation from AI Agents
Prevent AI agent processes from accessing the developer's credential stores, SSH key directories, cloud configuration files, and authentication tokens. Use credential proxies that provide task-scoped, time-limited access.

Data Sources

Network Traffic: Network Connection Creation
Logon Session: Logon Session Creation
Command: Command Execution
Process: Process Creation

References

mitre-attack
Maps to Remote Services. Coverage Level C — existing technique covers remote service usage but lacks procedure examples for AI agent-mediated lateral movement using developer cached credentials.
https://attack.mitre.org/techniques/T1021
CurXecute CVE-2025-54135
Demonstrates chained agent exploitation enabling access beyond the initial development environment
AgentHopper (Rehberger, Dec 2025, 39C3)
Self-propagating AI virus through git repositories — off-device lateral movement via AI coding assistant git operations.
https://embracethered.com/blog/
IdentityMesh (Lasso Security, Aug 2025)
Cross-application lateral movement in agentic systems — Perplexity Comet exploited via GitHub issue to exfiltrate Gmail data.
https://www.lasso.security/blog/identitymesh
Morris II Worm (Cohen et al., Mar 2024)
First AI worm demonstrating cross-user self-replication via email in GenAI ecosystems.
https://arxiv.org/abs/2403.02817

STIX Metadata

type: attack-pattern
id: attack-pattern--ae5232f8-f7d7-42dc-9003-87567f2d1fa4
spec_version: 2.1
created: 2026-02-23T00:00:00.000Z
modified: 2026-02-23T00:00:00.000Z
created_by_ref: identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique: False
x_mitre_version: 0.1
x_mitre_status: mapped