
Stealth Execution and Persistence Mechanisms - ATR-2026-00204 (eb006dea-2aac-55c4-ba06-52a727e4aa20)

Detects patterns indicating stealth execution (background processes with output suppression, nohup), persistence installation (systemctl enable, global npm packages), and covert file transfer (scp). These patterns are common in post-exploitation phases where an attacker establishes long-term presence on a compromised system via an AI agent. Derived from real-world Claude Code skill analysis.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Stealth Execution and Persistence Mechanisms - ATR-2026-00204 (eb006dea-2aac-55c4-ba06-52a727e4aa20) | Agent Threat Rules | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |
| Stealth Execution and Persistence Mechanisms - ATR-2026-00204 (eb006dea-2aac-55c4-ba06-52a727e4aa20) | Agent Threat Rules | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1 |
| Stealth Execution and Persistence Mechanisms - ATR-2026-00204 (eb006dea-2aac-55c4-ba06-52a727e4aa20) | Agent Threat Rules | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 1 |
| Stealth Execution and Persistence Mechanisms - ATR-2026-00204 (eb006dea-2aac-55c4-ba06-52a727e4aa20) | Agent Threat Rules | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |