Full Report
Security teams have spent years building identity and access controls for human users and service accounts. But a new category of actor has quietly entered most enterprise environments, and it operates entirely outside those controls. Claude Code, Anthropic's AI coding agent, is now running across engineering organizations at scale. It reads files, executes shell commands, calls external APIs,
Analysis Summary
# Tool/Technique: Claude Code (AI Agent-Based Execution)
## Overview
Claude Code is a command-line interface (CLI) tool and AI orchestrator developed by Anthropic. It is designed as a productivity tool for developers, but from a security and malware analysis perspective it behaves like a "Living off the Land" (LotL) execution framework: it can autonomously interact with the host operating system, modify source code, and perform network operations. In effect it is an autonomous agent that sits outside traditional identity and access management (IAM) frameworks, which were built around the static roles of human users and service accounts.
## Technical Details
- **Type:** AI Coding Agent / Autonomous Execution Tool
- **Platform:** Cross-platform (macOS, Linux, Windows via Node.js environment)
- **Capabilities:** File System Access, Script Execution, Network Communication, Git Integration, Command Orchestration.
- **First Seen:** Early 2025 (Public Preview)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - T1203 - Exploitation for Client Execution
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery
  - T1082 - System Information Discovery
- **TA0009 - Collection**
  - T1005 - Data from Local System
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (Fetching external APIs/Scripts)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (AI-generated code variability)
## Functionality
### Core Capabilities
- **Autonomous Shell Execution:** The tool can generate and execute shell commands directly on the host machine to perform system tasks.
- **File System Manipulation:** Comprehensive ability to read, write, and delete files within the authorized directory scopes.
- **Contextual Code Analysis:** Scans entire repositories to understand architecture and logic.
### Advanced Features
- **Looping/Self-Correction:** The agent can observe command output, identify errors, and re-attempt execution until a goal is met.
- **External API Interaction:** Capability to call external web services or APIs to fetch documentation or data.
- **Version Control Integration:** Direct manipulation of Git workflows, including commits and branch management.
## Indicators of Compromise
- **File Names:** `claude` (CLI binary), `.claude` (configuration/log directories).
- **Network Indicators:**
  - Communications to `api[.]anthropic[.]com`
  - DNS queries for common developer documentation sites.
- **Behavioral Indicators:**
  - `node` or `npm` processes spawning multiple recursive shell children (sh, bash, zsh, powershell).
  - Rapid sequence of "Read -> Modify -> Execute" cycles on source code and configuration files.
  - High frequency of file system discovery commands (`ls -R`, `find`, `grep`) originating from a single CLI process.
## Associated Threat Actors
- **Legitimate Users:** Engineering and DevOps teams.
- **Potential Threat Actors:** Insider threats using the agent for data exfiltration or external actors leveraging a compromised developer workstation to use the agent as a local execution engine.
## Detection Methods
- **Behavioral Detection:** Monitor for high-velocity script execution originating from Node.js processes. Track agentic behavior where a process reads its own error output and immediately executes a modified corrective command.
- **Endpoint Detection and Response (EDR):** Flag unexpected child processes (e.g., `curl`, `wget`, `rm`) spawned by the `claude` CLI binary.
- **Audit Logs:** Monitor `.bash_history` or equivalent for CLI interactions that follow AI-generated command patterns.
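The behavioral and EDR indicators above can be turned into concrete process-tree rules. The following is an added example, not code from the page or from Anthropic: it reconstructs parent/child relationships from process-creation events and implements three of the indicators listed on this page (node/npm fan-out into shell children, `curl`/`wget`/`rm` anywhere beneath the `claude` CLI, and bursts of `ls`/`find`/`grep` attributed to a single originating process). The `ProcEvent` schema, the thresholds, and the sample events are assumptions constructed for illustration; in practice the events would come from EDR, auditd or Sysmon process-creation telemetry.

```python
"""Process-tree heuristics for agent-driven execution (added example).
Event schema, thresholds and SAMPLE_EVENTS are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SHELLS = {"sh", "bash", "zsh", "powershell", "pwsh"}
DISCOVERY = {"ls", "find", "grep"}          # file system discovery commands named on the page
FLAGGED_CHILDREN = {"curl", "wget", "rm"}   # unexpected children named on the page


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since start of capture
    pid: int
    ppid: int
    image: str     # executable basename
    cmdline: str


def index_events(events):
    """Map pid -> event and ppid -> list of direct children."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    return by_pid, children


def is_agent(e):
    # The `claude` CLI may show up as its own image or as a script path handed to node.
    return e.image == "claude" or "claude" in e.cmdline


def has_agent_ancestor(e, by_pid):
    cur = by_pid.get(e.ppid)
    while cur is not None:
        if is_agent(cur):
            return True
        cur = by_pid.get(cur.ppid)
    return False


def origin_of(e, by_pid):
    """Nearest non-shell ancestor: the process that actually issued the command."""
    cur = by_pid.get(e.ppid)
    while cur is not None and cur.image in SHELLS:
        cur = by_pid.get(cur.ppid)
    return cur


def shell_fanout(events, threshold=3):
    """node/npm processes with at least `threshold` direct shell children -> {pid: count}."""
    by_pid, children = index_events(events)
    hits = {}
    for pid, kids in children.items():
        parent = by_pid.get(pid)
        if parent is None or parent.image not in {"node", "npm"}:
            continue
        n = sum(1 for k in kids if k.image in SHELLS)
        if n >= threshold:
            hits[pid] = n
    return hits


def flagged_children_of_agent(events):
    """pids of curl/wget/rm that run anywhere below an agent process."""
    by_pid, _ = index_events(events)
    return [e.pid for e in events
            if e.image in FLAGGED_CHILDREN and has_agent_ancestor(e, by_pid)]


def discovery_bursts(events, window=10.0, threshold=5):
    """Origins that issued >= threshold discovery commands within any `window` seconds."""
    by_pid, _ = index_events(events)
    per_origin = defaultdict(list)
    for e in events:
        if e.image in DISCOVERY:
            origin = origin_of(e, by_pid)
            if origin is not None:
                per_origin[origin.pid].append(e.ts)
    hits = {}
    for pid, times in per_origin.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[pid] = best
    return hits


# Constructed sample: one agent session (pid 100) and one ordinary Node app (pid 200).
SAMPLE_EVENTS = [
    ProcEvent(0.0, 1, 0, "zsh", "-zsh"),
    ProcEvent(1.0, 100, 1, "node", "node /usr/local/bin/claude"),
    ProcEvent(2.0, 101, 100, "bash", "bash -c 'ls -R src'"),
    ProcEvent(2.1, 102, 101, "ls", "ls -R src"),
    ProcEvent(3.0, 103, 100, "bash", "bash -c 'grep -rn TODO src'"),
    ProcEvent(3.1, 104, 103, "grep", "grep -rn TODO src"),
    ProcEvent(4.0, 105, 100, "bash", "bash -c 'find . -name *.ts'"),
    ProcEvent(4.1, 106, 105, "find", "find . -name *.ts"),
    ProcEvent(5.0, 107, 100, "bash", "bash -c 'grep -rn import src'"),
    ProcEvent(5.1, 108, 107, "grep", "grep -rn import src"),
    ProcEvent(6.0, 109, 100, "bash", "bash -c 'ls -la config'"),
    ProcEvent(6.1, 110, 109, "ls", "ls -la config"),
    ProcEvent(7.0, 111, 100, "bash", "bash -c 'curl -s https://docs.example.invalid/api.json'"),
    ProcEvent(7.1, 112, 111, "curl", "curl -s https://docs.example.invalid/api.json"),
    ProcEvent(1.0, 200, 1, "node", "node server.js"),
    ProcEvent(1.5, 201, 200, "sh", "sh -c 'git rev-parse HEAD'"),
    ProcEvent(1.6, 202, 201, "git", "git rev-parse HEAD"),
]
```

The ordinary Node application (pid 200) spawns a single shell for a `git` call and trips none of the three rules, which is the point of keying on fan-out, ancestry and burst rate rather than on the mere presence of a `node` process with a shell child. Thresholds will need tuning per fleet; the values here are starting points, not measurements.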
## Mitigation Strategies
- **Sandboxing:** Run Claude Code within isolated environments or containers (e.g., Docker) to restrict access to the host OS.
- **RBAC & Scoping:** Limit the tool's access to specific directories rather than the entire root or user home directory.
- **Egress Filtering:** Restrict the CLI tool’s ability to communicate with non-essential external domains.
- **Human-in-the-loop (HITL):** Enforce manual approval for high-risk commands (file deletion, system configuration changes).
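The sandboxing, scoping and egress-filtering items above can be combined into one launch wrapper. What follows is an added example, not Anthropic's code or anything from this page: it builds a `docker run` argument vector that mounts only a single project directory, refuses to expose `/` or the user's home directory, runs the agent as an unprivileged user on a read-only root filesystem with all capabilities dropped, and attaches the container to a named network that an egress filter sits in front of. The image name, network name and the allowlist helper are placeholders and assumptions; the filter that actually enforces the allowlist (a proxy or firewall on that network) is outside this snippet, and the human-in-the-loop item is not covered here.

```python
"""Scoped, egress-restricted container launch for an AI coding agent (added example).
Image name, network name and allowlist are placeholder assumptions."""
import shlex
from pathlib import Path

DEFAULT_IMAGE = "agent-sandbox:local"     # placeholder: locally built image containing the agent
DEFAULT_NETWORK = "agent-egress"          # placeholder: Docker network fronted by an egress filter
ALLOWED_EGRESS = frozenset({"api.anthropic.com"})  # the only API endpoint named on the page


class ScopeError(ValueError):
    """The requested workspace is too broad to hand to an autonomous agent."""


def validate_scope(workspace):
    """Accept a project directory; refuse /, $HOME, or any ancestor of $HOME."""
    ws = Path(workspace).resolve()
    home = Path.home().resolve()
    if ws == Path("/") or ws == home or ws in home.parents:
        raise ScopeError(f"refusing to expose {ws}: mount a single project directory")
    return ws


def scope_is_allowed(workspace):
    try:
        validate_scope(workspace)
        return True
    except ScopeError:
        return False


def sandbox_argv(workspace, image=DEFAULT_IMAGE, network=DEFAULT_NETWORK,
                 allow_write=True, uid=1000):
    """docker run argv: read-only root fs, dropped capabilities, one bind mount."""
    ws = validate_scope(workspace)
    mode = "rw" if allow_write else "ro"
    return [
        "docker", "run", "--rm", "-it",
        "--user", f"{uid}:{uid}",                  # never root inside the container
        "--read-only",                             # immutable container root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=256m",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--pids-limit", "256",                     # bounds runaway fan-out of shell children
        "--memory", "2g",
        "--network", network,                      # egress policy is enforced on this network
        "-v", f"{ws}:/work:{mode}",                # only the project directory is visible
        "-w", "/work",
        image,
    ]


def egress_allowed(host, allowlist=ALLOWED_EGRESS):
    """Exact or subdomain match; 'api.anthropic.com.evil.example' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)


def shell_command(workspace, **kwargs):
    """Render the argv as a copy-pasteable command line."""
    return shlex.join(sandbox_argv(workspace, **kwargs))
```

The agent's own configuration directory (the page names `.claude`) will need a writable location inside the container, for example an additional `--tmpfs` or a dedicated volume, since the root filesystem is read-only; that mount is deliberately separate from the project bind mount so that the agent's state never lands in the repository. The `egress_allowed` check matches on the full label boundary (`host == a` or `host.endswith("." + a)`) rather than a bare substring, which is the difference between an allowlist and a bypass.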
## Related Tools/Techniques
- **GitHub Copilot CLI:** Similar AI-enabled terminal assistant.
- **Aider:** Open-source AI pair programming tool with shell capabilities.
- **OpenDevin / Devin:** Fully autonomous AI software engineering agents.
- **Living off the Land (LotL):** The broader technique of using legitimate administrative tools for malicious purposes.