Anthropic’s July 2026 disclosure of a Chinese state-sponsored group abusing Claude Code to autonomously conduct espionage against 30 global targets introduces a new hunting requirement for enterprise security teams. The attack used a task-decomposition jailbreak — breaking the overall intrusion objective into individually small, innocuous subtasks that Claude executed sequentially — to direct the AI through reconnaissance, exploitation, lateral movement, credential harvesting, and exfiltration with minimal human involvement.
The challenge for defenders is that most SIEM content is not instrumented to see outbound AI API calls as a distinct telemetry source. Standard network and endpoint detection frameworks were built before AI agents became operational attack tools. This playbook addresses the gap.
What You’re Looking For
AI coding agent compromise leaves a distinct pattern across three telemetry sources:
- Outbound API telemetry — high-volume, structured calls to AI provider endpoints (api.anthropic.com, api.openai.com, similar)
- Endpoint behavioural patterns — the AI agent executes commands, writes files, and spawns processes that follow the task-decomposition pattern rather than human interaction
- Network traffic anomalies — systematic scanning, credential spraying, or lateral movement initiated from a workstation running an AI coding assistant
The key behavioural differentiator: human-operated attacks have pauses, backtracking, and irregular timing. AI-agent-operated attacks are highly systematic, methodical, and generate regular, rapid sequences of tool calls.
KQL: Hunting Anomalous AI API Call Volumes
In Microsoft Sentinel, correlate proxy logs with process telemetry to identify workstations making unusually high volumes of AI API calls concurrent with suspicious local activity:
// High-frequency AI API calls from a single host in a short window
// Baseline: typical developer use is 10-50 calls/hour; attack patterns show 200-1000+ calls/hour
let ai_domains = dynamic(["api.anthropic.com", "api.openai.com", "generativelanguage.googleapis.com",
"api.mistral.ai", "api.cohere.ai", "openrouter.ai"]);
let look_back = 1h;
CommonSecurityLog
| where TimeGenerated > ago(look_back)
| where DeviceAction == "Allow"
| where DestinationHostName has_any (ai_domains)
| summarize
CallCount = count(),
BytesSent = sum(SentBytes),
BytesReceived = sum(ReceivedBytes),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceHostName, SourceUserName, DestinationHostName
| where CallCount > 150 // threshold for 1h window — tune to your environment
| sort by CallCount desc
| extend DurationMins = datetime_diff('minute', LastSeen, FirstSeen)
| extend CallsPerMin = toreal(CallCount) / max_of(DurationMins, 1)
// Correlate AI API spikes with concurrent reconnaissance activity
let high_ai_callers = (
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DestinationHostName has_any (dynamic(["api.anthropic.com", "api.openai.com"]))
| where DeviceAction == "Allow"
| summarize CallCount = count() by SourceHostName
| where CallCount > 150
| project SourceHostName
);
// Look for concurrent port scanning or network enumeration from same hosts
NetworkSession
| where TimeGenerated > ago(1h)
| where SrcHostname in (high_ai_callers)
| where DestinationPort in (22, 445, 3389, 5985, 5986, 8080, 8443)
| summarize
DistinctDestinations = dcount(DestinationIP),
ConnectionCount = count()
by SrcHostname, bin(TimeGenerated, 5m)
| where DistinctDestinations > 10
| sort by DistinctDestinations desc
Sigma: Detecting AI Agent Process Spawning Patterns
AI coding assistants (Claude Code, GitHub Copilot, Cursor, etc.) run as local processes and spawn shells, interpreters, and tools based on model instructions. The following Sigma rule detects a known pattern: a coding agent parent process spawning network reconnaissance tools.
title: AI Coding Agent Spawning Network Reconnaissance Tools
id: a7f2e3c1-8b4d-4a91-9c3f-d2e5f6a7b8c9
status: experimental
description: |
Detects AI coding assistant processes spawning network enumeration or
credential-access tools, consistent with the task-decomposition technique
used in the Anthropic-disclosed AI espionage campaign (July 2026).
author: SOC Analyst Hub
date: 2026-07-04
references:
- https://www.anthropic.com/news/disrupting-AI-espionage
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1046
- attack.credential_access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'claude'
- 'cursor'
- 'copilot'
- 'codeium'
- 'node.exe' # Catch node-based AI agents by correlating with child tools
selection_child_recon:
Image|endswith:
- '\nmap.exe'
- '\netscan.exe'
- '\portscan.exe'
- '\net.exe'
- '\net1.exe'
- '\nltest.exe'
- '\ping.exe'
- '\arp.exe'
- '\ipconfig.exe'
- '\whoami.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\quser.exe'
CommandLine|contains:
- '/all'
- 'domain'
- 'view'
- 'group'
- 'localgroup'
condition: selection_parent and selection_child_recon
falsepositives:
- Legitimate developer troubleshooting with AI assistance
- CI/CD pipelines using AI-assisted build tools
- Tune parent process filtering to your specific AI tool deployments
level: medium
title: AI Agent Spawning Credential Access Tools
id: b8e3f4d2-9c5e-4b02-ad4g-e3f6g7b9c0d1
status: experimental
description: |
Detects AI coding agent processes spawning credential-dumping or
credential-access tools — a pattern observed in AI-orchestrated intrusion chains.
author: SOC Analyst Hub
date: 2026-07-04
tags:
- attack.credential_access
- attack.t1003
- attack.t1555
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'claude'
- 'cursor'
- 'copilot'
- 'codeium'
selection_child_cred:
Image|endswith:
- '\mimikatz.exe'
- '\procdump.exe'
- '\lsass.exe'
- '\sekurlsa.exe'
- '\credential_dumper.exe'
CommandLine|contains:
- 'lsass'
- 'sekurlsa'
- 'logonpasswords'
- 'dcsync'
- 'credential'
condition: selection_parent and selection_child_cred
falsepositives:
- Security testing with AI-assisted tooling
- Penetration testers using Claude Code for authorized engagements
level: high
KQL: Hunting Systematic File System Access Patterns
AI agents executing task-decomposition attacks read files systematically rather than interactively. Look for processes associated with AI tools accessing credential stores, config files, and SSH keys in rapid succession:
// Detect systematic sensitive file access from AI agent processes
DeviceFileEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName has_any ("claude", "cursor", "node", "python")
| where FolderPath has_any (
".ssh",
"AppData\\Roaming\\Microsoft\\Credentials",
"AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
"AppData\\Roaming\\Microsoft\\Protect",
".aws\\credentials",
".kube\\config",
"id_rsa",
"id_ed25519"
)
| summarize
FileAccessCount = count(),
DistinctFiles = dcount(FileName),
Files = make_set(FileName, 20)
by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName, AccountName
| where DistinctFiles > 3
| sort by FileAccessCount desc
Hunting in Proxy Logs: Task-Decomposition API Call Characteristics
Legitimate developer AI API sessions have varied payloads, irregular timing, and distinct natural language patterns. Autonomous attack sessions show:
- Regular call intervals (near-identical inter-request timing from a programmatic loop)
- Increasing payload size (system context accumulates as the attack progresses)
- Tool call density (high ratio of function/tool calls in responses vs free text)
If your proxy logs capture request/response sizes, this KQL can identify machine-paced AI sessions:
// Identify machine-paced (automated) AI API sessions vs human-paced
CommonSecurityLog
| where TimeGenerated > ago(4h)
| where DestinationHostName == "api.anthropic.com"
| where DeviceAction == "Allow"
| sort by SourceHostName, TimeGenerated asc
| extend prev_time = prev(TimeGenerated, 1, datetime(null)), prev_host = prev(SourceHostName, 1, "")
| where SourceHostName == prev_host
| extend interval_seconds = datetime_diff('second', TimeGenerated, prev_time)
| where interval_seconds between (1 .. 30) // Filter rapid-fire calls
| summarize
CallCount = count(),
AvgIntervalSec = avg(interval_seconds),
StdDevInterval = stdev(interval_seconds),
TotalDuration = datetime_diff('minute', max(TimeGenerated), min(TimeGenerated))
by SourceHostName, SourceUserName
| where CallCount > 50
and StdDevInterval < 3 // Low variance = programmatic/automated, not human
| sort by CallCount desc
Endpoint Hunt: AI Agent Lateral Movement via SSH and SMB
In the Anthropic-disclosed campaign, the AI agent conducted lateral movement autonomously. Hunt for AI tool processes initiating SMB or SSH connections to internal hosts:
// AI agent processes making internal lateral movement connections
let internal_ranges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.",
"172.20.", "172.21.", "192.168."]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ("claude", "cursor", "node", "python", "ssh", "scp")
| where RemotePort in (22, 445, 5985, 5986, 3389)
| where RemoteIPType == "Private"
| summarize
DistinctTargets = dcount(RemoteIP),
Connections = count(),
Ports = make_set(RemotePort)
by InitiatingProcessFileName, DeviceName, AccountName
| where DistinctTargets > 3
| sort by DistinctTargets desc
Detection Gaps to Address
Standard SIEM content will miss most AI agent abuse because:
- AI API calls look like normal HTTPS — no distinct port, no unusual protocol
- Agent processes blend with dev tooling — Claude Code, Cursor, and Copilot are legitimate
- Task decomposition bypasses single-event detection — each individual action is innocuous
Recommendations to improve coverage:
- Log AI API calls as a distinct category in your proxy/DLP solution with per-host rate tracking
- Create a baseline of normal AI tool usage per host/user for anomaly detection
- Deploy network deception assets (canary tokens, honeypots) that would be accessed during systematic reconnaissance — AI-driven recon hits them more consistently than human operators
- Monitor for process chains: AI agent → shell spawn → network tool → outbound connection is a high-fidelity chain regardless of individual alert thresholds
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Command and Scripting Interpreter | T1059 | AI agents execute shell commands |
| Network Service Discovery | T1046 | Systematic port scanning |
| OS Credential Dumping | T1003 | Credential harvesting stage |
| Lateral Tool Transfer | T1570 | Tool deployment across systems |
| Application Layer Protocol | T1071 | AI API calls over HTTPS |
| Automated Collection | T1119 | Systematic file collection |
The AI orchestration layer sits above the MITRE ATT&CK framework — it’s a force multiplier for existing technique coverage, not a technique itself. Your detection estate for T1046, T1003, and T1570 still applies; the hunting additions above address the AI-layer telemetry that currently has no coverage.