{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/behavioral-detection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude Code","Cursor","Codex","GStack","Windows","PowerShell","cmdkey.exe","certutil.exe","bitsadmin.exe","Python"],"_cs_severities":["medium"],"_cs_tags":["ai","detection-engineering","false-positive","windows","behavioral-detection"],"_cs_type":"advisory","_cs_vendors":["Anthropic","OpenAI","Microsoft","Python Software Foundation"],"content_html":"\u003cp\u003eSophos X-Ops has analyzed how various AI coding agents, including Claude Code, Cursor, Codex, and those built on skill packs like GStack, are generating behavioral telemetry on Windows endpoints that strongly resembles adversarial tradecraft. These agents are designed to write code, install dependencies, automate browser tasks, and troubleshoot issues by attempting multiple approaches. While their activity is benign in context, it frequently triggers endpoint detection rules originally designed to catch malicious actions. This phenomenon creates significant detection engineering challenges, leading to high false positives and requiring security teams to re-evaluate and tune their existing behavioral protections to differentiate between legitimate AI agent operations and actual threats. This trend has been observed since June 2026, with widespread adoption of these agents across customer environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis brief details observed AI agent behaviors that mimic typical stages of an attack chain, rather than a malicious campaign.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAI Agent Execution:\u003c/strong\u003e An AI agent (e.g., Claude Code, Cursor) is launched, initiating automated tasks and spawning child processes for various coding and problem-solving activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access Attempts:\u003c/strong\u003e Agents attempt to access sensitive system components, such as browser credential stores using PowerShell to decrypt DPAPI-protected data, or Windows Credential Manager via \u003ccode\u003ecmdkey.exe /list\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIngress Tool Transfer (LOLBins):\u003c/strong\u003e When external resources are required (e.g., downloading a Python installer), agents leverage living-off-the-land binaries (LOLBins) such as \u003ccode\u003ecertutil.exe -urlcache\u003c/code\u003e or \u003ccode\u003ebitsadmin.exe /transfer\u003c/code\u003e for downloading.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdaptive Tool Pivoting:\u003c/strong\u003e If an initial command fails (e.g., \u003ccode\u003ecertutil.exe\u003c/code\u003e is blocked), the AI agent will pivot and attempt alternative tools or techniques (e.g., \u003ccode\u003ebitsadmin.exe\u003c/code\u003e), mirroring an adversary's resilience.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Obfuscation):\u003c/strong\u003e Agents generate command-line patterns, including PowerShell scripts with specific string-formatting techniques, that can appear obfuscated and trigger rules designed to detect malicious command-line obfuscation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Mechanism Deployment:\u003c/strong\u003e For certain tasks, agents write files to persistence locations, such as a VBScript file into the Windows Startup folder, executed via PowerShell, mirroring adversary persistence techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Activity and Child Processes:\u003c/strong\u003e Agents perform network calls and spawn various child processes that can resemble Command and Control (C2) activity and other execution tactics, contributing to broad detection rule hits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of AI agent activities mimicking adversarial tradecraft is a significant increase in false positives for security detection systems. Rules that historically flagged malicious behavior are now triggered by benign automated tasks, leading to alert fatigue, increased analyst workload, and the risk of legitimate threats being overlooked amidst the noise. Organizations utilizing AI coding agents face the operational challenge of differentiating between productive AI-driven actions and genuine attack indicators, necessitating substantial effort in rule tuning and behavioral whitelisting, especially on Windows environments. This challenge impacts all sectors adopting AI development tools.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eTune existing detection rules that flag credential access (e.g., \u003ccode\u003eCreds_3b\u003c/code\u003e-like rules for PowerShell using \u003ccode\u003eSystem.Security.Cryptography.ProtectedData::Unprotect\u003c/code\u003e) to account for expected AI agent activity.\u003c/li\u003e\n\u003cli\u003eReview and refine detection rules similar to \u003ccode\u003eExec_16a\u003c/code\u003e that identify PowerShell command-line obfuscation, specifically adapting them to handle patterns commonly generated by AI agents.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for \u003ccode\u003ecertutil.exe\u003c/code\u003e and \u003ccode\u003ebitsadmin.exe\u003c/code\u003e usage, particularly when these LOLBins are initiated by processes associated with identified AI agents, to refine \u003ccode\u003eLateral_1b\u003c/code\u003e and \u003ccode\u003eExec_5a\u003c/code\u003e-like detection rules.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003ePersist_2a\u003c/code\u003e-like rule triggers that detect writes to Windows Startup folders, analyzing the invoking process and script contents for legitimate AI agent context.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive logging for PowerShell command execution, process creation, and network connections is enabled to provide necessary telemetry for distinguishing AI agent activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T17:43:32Z","date_published":"2026-07-07T17:43:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ai-agent-detection-challenges/","summary":"AI coding agents such as Claude Code, Cursor, Codex, and GStack are increasingly exhibiting behaviors on Windows endpoints that mimic adversarial tradecraft, including credential access, LOLBin usage for ingress, command-line obfuscation, and persistence mechanisms, thereby triggering existing security detection rules designed for malicious activity and posing significant false positive challenges for detection engineers.","title":"AI Agents Mimic Adversarial Behavior, Triggering Security Detections","url":"https://feed.craftedsignal.io/briefs/2026-07-ai-agent-detection-challenges/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Acronis Cyber Protect Connect","AeroAdmin","APC Remote Management","AnyDesk","AnyAssist","Atera RMM","AweSun Remote Desktop","Barracuda RMM","BeyondTrust Remote Support","CloudRadial","ConnectWise Automate","ConnectWise Control","Devolutions Remote Desktop Manager","Domotz RMM","DWService","FleetDeck Commander","GetScreen","GoTo","HelpWire","ImmyBot RMM","Impero","ISL Online","JumpCloud Agent","Kaseya VSA","Komari","Level.io","LogMeIn","Lunixar Remote","ManageEngine Remote Access Plus","MeshCentral","Microsoft Quick Assist","Mikogo","Nezha Agent","NinjaOne RMM","Parsec","Pulseway RMM","Radmin","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport RemoteView","RustDesk","SimpleHelp","Splashtop","SuperOps RMM","Supremo Remote Desktop","TacticalRMM","Tailscale"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access-software","rmm","windows","behavioral-detection"],"_cs_type":"advisory","_cs_vendors":["Acronis","AeroAdmin","American Power Conversion","AnyDesk","AnyAssist","Atera","AweSun","Barracuda Networks","BeyondTrust","CloudRadial","ConnectWise","Devolutions","Domotz","DWService","Famatech","FleetDeck","GetScreen","GoTo","HelpWire","ImmyBot","Impero","ISL Online","JumpCloud","Kaseya","Komari","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Microsoft","Mikogo","Nezha","NinjaOne","Parsec","Pulseway","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport","RustDesk","SimpleHelp","Splashtop","SuperOps","Supremo","TacticalRMM","Tailscale","Zoho"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious behavioral pattern on Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed initiating within the same eight-minute window. This activity is considered suspicious because it can indicate unauthorized activity, such as an attacker establishing redundant persistence and command and control, the presence of shadow IT, or a potential system compromise. While some legitimate Managed Service Provider (MSP) environments might use multiple tools (e.g., ConnectWise Automate and TeamViewer), this pattern on standard user endpoints or servers warrants immediate investigation. The detection mechanism specifically maps known RMM process names to unique vendor labels (e.g., AnyDesk, Splashtop, NinjaOne), preventing false positives from multiple binaries of the same vendor. This detection helps security teams identify anomalous RMM usage, which is a common tactic for initial access brokers and post-exploitation activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis detection focuses on identifying suspicious activity rather than a specific multi-stage attack chain. The presence of multiple RMM tools from distinct vendors typically occurs during the post-compromise phase, as attackers establish persistence and redundant command and control.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf not investigated and addressed, the presence of multiple, potentially unauthorized, remote management tools can lead to severe consequences. Attackers often deploy additional RMM tools to maintain persistence and establish redundant command and control channels, even after their primary access might be remediated. This increases the risk of data exfiltration, further lateral movement, deployment of ransomware, and long-term compromise of the affected host and wider network. Uncontrolled RMM installations also present a significant attack surface due to their elevated privileges and network access capabilities, making the host a critical pivot point for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the described detection logic to identify hosts exhibiting simultaneous process execution from multiple RMM vendors.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Windows process creation logging across your environment to ensure comprehensive coverage for process start events.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts related to MITRE ATT\u0026amp;CK technique T1219 (Remote Access Software) to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eFor hosts triggering this detection, immediately investigate the Esql.vendors_seen and Esql.processes_executable_values fields to identify the specific tools involved.\u003c/li\u003e\n\u003cli\u003eFor servers or standard user endpoints, treat such alerts as high risk; review install sources, code signatures, and recent logons for the involved processes.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other suspicious activities (e.g., ingress tool transfer, suspicious scripting, new persistence mechanisms) on the same host.\u003c/li\u003e\n\u003cli\u003eEstablish and enforce a clear policy for approved RMM software, ideally limiting to a single approved stack per asset class to reduce false positives and attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:47:17Z","date_published":"2026-07-03T15:47:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/","summary":"This brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.","title":"Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/"}],"language":"en","title":"CraftedSignal Threat Feed - Behavioral-Detection","version":"https://jsonfeed.org/version/1.1"}