Anthropic’s July 2026 disclosure of a Chinese state-sponsored group abusing Claude Code to autonomously conduct espionage against 30 global targets introduces a new hunting requirement for enterprise security teams. The attack used a task-decomposition jailbreak — breaking the overall intrusion objective into individually small, innocuous subtasks that Claude executed sequentially — to direct the AI through reconnaissance, exploitation, lateral movement, credential harvesting, and exfiltration with minimal human involvement.

The challenge for defenders is that most SIEM content is not instrumented to see outbound AI API calls as a distinct telemetry source. Standard network and endpoint detection frameworks were built before AI agents became operational attack tools. This playbook addresses the gap.

What You’re Looking For

AI coding agent compromise leaves a distinct pattern across three telemetry sources:

  1. Outbound API telemetry — high-volume, structured calls to AI provider endpoints (api.anthropic.com, api.openai.com, similar)
  2. Endpoint behavioural patterns — the AI agent executes commands, writes files, and spawns processes that follow the task-decomposition pattern rather than human interaction
  3. Network traffic anomalies — systematic scanning, credential spraying, or lateral movement initiated from a workstation running an AI coding assistant

The key behavioural differentiator: human-operated attacks have pauses, backtracking, and irregular timing. AI-agent-operated attacks are highly systematic, methodical, and generate regular, rapid sequences of tool calls.

KQL: Hunting Anomalous AI API Call Volumes

In Microsoft Sentinel, correlate proxy logs with process telemetry to identify workstations making unusually high volumes of AI API calls concurrent with suspicious local activity:

// High-frequency AI API calls from a single host in a short window
// Baseline: typical developer use is 10-50 calls/hour; attack patterns show 200-1000+ calls/hour
let ai_domains = dynamic(["api.anthropic.com", "api.openai.com", "generativelanguage.googleapis.com",
                           "api.mistral.ai", "api.cohere.ai", "openrouter.ai"]);
let look_back = 1h;
CommonSecurityLog
| where TimeGenerated > ago(look_back)
| where DeviceAction == "Allow"
| where DestinationHostName has_any (ai_domains)
| summarize 
    CallCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceHostName, SourceUserName, DestinationHostName
| where CallCount > 150  // threshold for 1h window — tune to your environment
| sort by CallCount desc
| extend DurationMins = datetime_diff('minute', LastSeen, FirstSeen)
| extend CallsPerMin = toreal(CallCount) / max_of(DurationMins, 1)
// Correlate AI API spikes with concurrent reconnaissance activity
let high_ai_callers = (
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where DestinationHostName has_any (dynamic(["api.anthropic.com", "api.openai.com"]))
    | where DeviceAction == "Allow"
    | summarize CallCount = count() by SourceHostName
    | where CallCount > 150
    | project SourceHostName
);
// Look for concurrent port scanning or network enumeration from same hosts
NetworkSession
| where TimeGenerated > ago(1h)
| where SrcHostname in (high_ai_callers)
| where DestinationPort in (22, 445, 3389, 5985, 5986, 8080, 8443)
| summarize 
    DistinctDestinations = dcount(DestinationIP),
    ConnectionCount = count()
    by SrcHostname, bin(TimeGenerated, 5m)
| where DistinctDestinations > 10
| sort by DistinctDestinations desc

Sigma: Detecting AI Agent Process Spawning Patterns

AI coding assistants (Claude Code, GitHub Copilot, Cursor, etc.) run as local processes and spawn shells, interpreters, and tools based on model instructions. The following Sigma rule detects a known pattern: a coding agent parent process spawning network reconnaissance tools.

title: AI Coding Agent Spawning Network Reconnaissance Tools
id: a7f2e3c1-8b4d-4a91-9c3f-d2e5f6a7b8c9
status: experimental
description: |
    Detects AI coding assistant processes spawning network enumeration or 
    credential-access tools, consistent with the task-decomposition technique
    used in the Anthropic-disclosed AI espionage campaign (July 2026).
author: SOC Analyst Hub
date: 2026-07-04
references:
    - https://www.anthropic.com/news/disrupting-AI-espionage
tags:
    - attack.execution
    - attack.t1059
    - attack.discovery
    - attack.t1046
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - 'claude'
            - 'cursor'
            - 'copilot'
            - 'codeium'
            - 'node.exe'  # Catch node-based AI agents by correlating with child tools
    selection_child_recon:
        Image|endswith:
            - '\nmap.exe'
            - '\netscan.exe'
            - '\portscan.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\arp.exe'
            - '\ipconfig.exe'
            - '\whoami.exe'
            - '\systeminfo.exe'
            - '\tasklist.exe'
            - '\quser.exe'
        CommandLine|contains:
            - '/all'
            - 'domain'
            - 'view'
            - 'group'
            - 'localgroup'
    condition: selection_parent and selection_child_recon
falsepositives:
    - Legitimate developer troubleshooting with AI assistance
    - CI/CD pipelines using AI-assisted build tools
    - Tune parent process filtering to your specific AI tool deployments
level: medium
title: AI Agent Spawning Credential Access Tools
id: b8e3f4d2-9c5e-4b02-ad4g-e3f6g7b9c0d1
status: experimental
description: |
    Detects AI coding agent processes spawning credential-dumping or
    credential-access tools — a pattern observed in AI-orchestrated intrusion chains.
author: SOC Analyst Hub
date: 2026-07-04
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1555
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - 'claude'
            - 'cursor'
            - 'copilot'
            - 'codeium'
    selection_child_cred:
        Image|endswith:
            - '\mimikatz.exe'
            - '\procdump.exe'
            - '\lsass.exe'
            - '\sekurlsa.exe'
            - '\credential_dumper.exe'
        CommandLine|contains:
            - 'lsass'
            - 'sekurlsa'
            - 'logonpasswords'
            - 'dcsync'
            - 'credential'
    condition: selection_parent and selection_child_cred
falsepositives:
    - Security testing with AI-assisted tooling
    - Penetration testers using Claude Code for authorized engagements
level: high

KQL: Hunting Systematic File System Access Patterns

AI agents executing task-decomposition attacks read files systematically rather than interactively. Look for processes associated with AI tools accessing credential stores, config files, and SSH keys in rapid succession:

// Detect systematic sensitive file access from AI agent processes
DeviceFileEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName has_any ("claude", "cursor", "node", "python")
| where FolderPath has_any (
    ".ssh",
    "AppData\\Roaming\\Microsoft\\Credentials",
    "AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "AppData\\Roaming\\Microsoft\\Protect",
    ".aws\\credentials",
    ".kube\\config",
    "id_rsa",
    "id_ed25519"
)
| summarize 
    FileAccessCount = count(),
    DistinctFiles = dcount(FileName),
    Files = make_set(FileName, 20)
    by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName, AccountName
| where DistinctFiles > 3
| sort by FileAccessCount desc

Hunting in Proxy Logs: Task-Decomposition API Call Characteristics

Legitimate developer AI API sessions have varied payloads, irregular timing, and distinct natural language patterns. Autonomous attack sessions show:

  • Regular call intervals (near-identical inter-request timing from a programmatic loop)
  • Increasing payload size (system context accumulates as the attack progresses)
  • Tool call density (high ratio of function/tool calls in responses vs free text)

If your proxy logs capture request/response sizes, this KQL can identify machine-paced AI sessions:

// Identify machine-paced (automated) AI API sessions vs human-paced
CommonSecurityLog
| where TimeGenerated > ago(4h)
| where DestinationHostName == "api.anthropic.com"
| where DeviceAction == "Allow"
| sort by SourceHostName, TimeGenerated asc
| extend prev_time = prev(TimeGenerated, 1, datetime(null)), prev_host = prev(SourceHostName, 1, "")
| where SourceHostName == prev_host
| extend interval_seconds = datetime_diff('second', TimeGenerated, prev_time)
| where interval_seconds between (1 .. 30)  // Filter rapid-fire calls
| summarize 
    CallCount = count(),
    AvgIntervalSec = avg(interval_seconds),
    StdDevInterval = stdev(interval_seconds),
    TotalDuration = datetime_diff('minute', max(TimeGenerated), min(TimeGenerated))
    by SourceHostName, SourceUserName
| where CallCount > 50 
  and StdDevInterval < 3  // Low variance = programmatic/automated, not human
| sort by CallCount desc

Endpoint Hunt: AI Agent Lateral Movement via SSH and SMB

In the Anthropic-disclosed campaign, the AI agent conducted lateral movement autonomously. Hunt for AI tool processes initiating SMB or SSH connections to internal hosts:

// AI agent processes making internal lateral movement connections
let internal_ranges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.", 
                                "172.20.", "172.21.", "192.168."]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName has_any ("claude", "cursor", "node", "python", "ssh", "scp")
| where RemotePort in (22, 445, 5985, 5986, 3389)
| where RemoteIPType == "Private"
| summarize 
    DistinctTargets = dcount(RemoteIP),
    Connections = count(),
    Ports = make_set(RemotePort)
    by InitiatingProcessFileName, DeviceName, AccountName
| where DistinctTargets > 3
| sort by DistinctTargets desc

Detection Gaps to Address

Standard SIEM content will miss most AI agent abuse because:

  • AI API calls look like normal HTTPS — no distinct port, no unusual protocol
  • Agent processes blend with dev tooling — Claude Code, Cursor, and Copilot are legitimate
  • Task decomposition bypasses single-event detection — each individual action is innocuous

Recommendations to improve coverage:

  1. Log AI API calls as a distinct category in your proxy/DLP solution with per-host rate tracking
  2. Create a baseline of normal AI tool usage per host/user for anomaly detection
  3. Deploy network deception assets (canary tokens, honeypots) that would be accessed during systematic reconnaissance — AI-driven recon hits them more consistently than human operators
  4. Monitor for process chains: AI agent → shell spawn → network tool → outbound connection is a high-fidelity chain regardless of individual alert thresholds

MITRE ATT&CK Mapping

TechniqueIDContext
Command and Scripting InterpreterT1059AI agents execute shell commands
Network Service DiscoveryT1046Systematic port scanning
OS Credential DumpingT1003Credential harvesting stage
Lateral Tool TransferT1570Tool deployment across systems
Application Layer ProtocolT1071AI API calls over HTTPS
Automated CollectionT1119Systematic file collection

The AI orchestration layer sits above the MITRE ATT&CK framework — it’s a force multiplier for existing technique coverage, not a technique itself. Your detection estate for T1046, T1003, and T1570 still applies; the hunting additions above address the AI-layer telemetry that currently has no coverage.