- AI coding agents like Claude Code, Cursor, and OpenAI Codex are triggering endpoint detection rules designed for human attackers, according to a seven-day Sophos telemetry analysis.
- Credential access accounted for 56.2% of blocked activity, with agents using Windows’ DPAPI to decrypt browser credentials—mimicking credential theft.
- Agents also pivot when blocked, using legitimate tools like certutil and bitsadmin, behavior that now blurs the line between benign automation and live attacks.
- CrowdStrike’s 2026 Global Threat Report found 82% of 2025 detections were malware-free, a shift that makes AI-generated behavioral noise a growing challenge for defenders.
Sophos analyzed a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious but perform actions that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing Windows’ credential store, and writing to the startup folder have long been high-signal indicators for defenders.
According to Sophos’s analysis, credential access comprised 56.2% of blocked activity, while execution made up 28.8%. The biggest credential-access rule, at 42.6% of that group, fires when a process uses Windows’ DPAPI to decrypt stored browser data. Sophos caught this behavior running under Claude Code, likely as browser automation on the user’s behalf. In another instance, Claude Code shut down the running browser and pulled data from its credential store, and separately ran cmdkey /list to enumerate Windows Credential Manager entries—using the –dangerously-skip-permissions flag.
When one approach fails, agents try another. OpenAI Codex fetched a Python installer from python.org using certutil, then switched to bitsadmin when blocked. Both are legitimate Windows utilities abused by attackers. Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script, a classic persistence technique. Sophos notes that this pivot-when-blocked behavior now occurs with benign agents, mirroring live attackers.
The challenge is broader. A month earlier, Sophos documented an attacker using AI agents to build and test malware against EDR products. Meanwhile, CrowdStrike’s 2026 Global Threat Report found 82% of 2025 detections were malware-free, with attackers using valid credentials and trusted tools. AI agents now generate the same behavioral signals for ordinary reasons, crowding the signal defenders rely on.
Sophos recommends scoping rules to agent parent processes and workspace paths, while holding the line on credential-touching behavior. Developers should disable the –dangerously-skip-permissions mode through managed settings. The open policy question remains: what should a coding agent be allowed to touch on an endpoint at all?
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
