Back to Feed
Threat IntelligenceJul 8, 2026

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI coding agents are triggering endpoint security rules designed to catch attackers.

Summary

Sophos observed AI coding agents like Claude Code, Cursor, and OpenAI Codex triggering endpoint security rules due to their behavior, which mimics attacker actions such as decrypting browser credentials and downloading files. While these agents are not malicious, their legitimate operations, like using DPAPI to access stored browser data or employing 'living off the land' utilities, are indistinguishable from malicious activity to behavioral detection engines. This phenomenon presents a challenge for defenders, as the same actions can now originate from benign AI assistants, attacker-controlled AI agents, or hijacked AI sessions.

Full text

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers Swati KhandelwalJul 08, 2026AI Security / Threat Detection Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing what sits in Windows' credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders. What has changed is who is generating it. On the machines Sophos watched, it was often a developer's AI assistant going about ordinary work. What set the alarms off The analysis draws on seven days of telemetry from June 2026, taken from Sophos's behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor's fleet, not an industry census. Sophos's charts put credential access at 56.2 percent of the blocked activity and execution at 28.8 percent: agents reaching for stored secrets, or running code the way attackers do. The biggest credential-access rule, at 42.6 percent of that group, fires when a process uses Windows' built-in Data Protection API, or DPAPI, to decrypt the browser's stored credential data. Sophos calls GStack a widely adopted skill pack for coding agents. Its /browse skill does exactly that, running PowerShell that calls DPAPI to unlock saved browser data. Sophos caught it running under Claude Code. In context, it is almost certainly browser automation on the user's behalf. To the detection engine, it is credential theft, and the rule is right to fire. Some Python examples looked worse on paper. In one instance, Claude Code shut down the running browser and ran a script that pulled data from its credential store. Separately, it ran cmdkey /list to enumerate the credentials Windows Credential Manager was holding. Sophos notes that Claude Code here ran with its --dangerously-skip-permissions flag set, a mode Anthropic's own documentation warns against and tells administrators how to block. When one approach fails, an agent tries another. OpenAI Codex did just that, fetching a Python installer from the real python.org, starting with certutil. That was blocked, so it switched to bitsadmin. Both are legitimate Windows utilities that attackers routinely abuse to pull payloads, living off the land. The target was harmless, but Sophos's point is that this pivot-when-blocked behavior is what separates a live attacker from a static script, and benign agents now do it too. Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run every time the machine booted. Sophos could not confirm what the script did, but writing to startup outside a trusted installer is the kind of thing defenders flag on sight. AI agents on both sides of the line The flip side is already visible. A month earlier, Sophos documented an attacker who used AI agents to build and test malware against EDR products, one of them running Claude Opus 4.5 to coordinate the work. That was development-time: agents helping an attacker write better tooling. Agents get turned on their own users at runtime, too. In a separate case, researchers showed a coding agent could be tricked into running attacker code through poisoned inputs, a chain that can slip past EDR because the agent is acting inside the user's trusted session. These are separate events with different rules firing, but they share a surface: browser credential calls, LOLBin downloads, and startup writes now come from benign agents, attacker-run agents, and hijacked agents. That is why the raw action tells you less than it once did. And it sits inside a bigger change in how intrusions look. CrowdStrike's 2026 Global Threat Report found 82 percent of 2025 detections were malware-free, with attackers moving through valid credentials and trusted tools instead of dropping files. That shift is what pushed detection toward behavior in the first place. AI agents now generate the same behavior for ordinary reasons, crowding the exact signal defenders came to rely on. What it means for defenders If developers run these agents under their own accounts, expect endpoint rules to fire on their machines. Sophos's answer is to split the rules by what they catch. Execution noise from an agent retrying a download or emitting oddly formatted PowerShell can usually be scoped. Key the rule to the agent's parent process (claude.exe, cursor.exe, and their child processes), its workspace or temp path, or the reputation of the download target. That stops a known agent doing ordinary work from generating alerts. Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating Credential Manager does not become safe because an agent did it instead of a person, and an agent should not inherit blanket access to credential stores just because it runs under a trusted user. If the noise comes from Claude Code's --dangerously-skip-permissions mode, disable that mode through managed settings. Sophos calls this an early read, not a verdict, and notes the shift is still small even if the direction is clear. The open policy question is what a coding agent should be allowed to touch on an endpoint at all, and credential stores are a sensible place to draw the first line. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, Behavioral Detection, Credential Security, Cyber Defense, Developer Security, EDR, endpoint security, Living off the Land, Threat Detection, Windows Security ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Indicators of Compromise

  • malware — certutil
  • malware — bitsadmin

Entities

Claude Code (product)Cursor (product)OpenAI Codex (product)Sophos (vendor)DPAPI (technology)PowerShell (technology)