Connect with us

AI

AI Coding Agents Are Setting Off EDR Rules Built for Attackers

AI coding agents are tripping the EDR rules built to catch attackers, Sophos finds. The signal now comes from helpers, hijacked agents, and humans.

Published

on

Sophos X-Ops spent a week watching Claude Code, Cursor, and Codex on Windows endpoints, and all three AI coding agents tripped the same endpoint detection and response (EDR) rules built to catch human attackers. The seven-day telemetry study, published in early July 2026, frames the resulting signal as benign on intent yet indistinguishable on behavior from an active adversary. Sophos says the shift is small for now, yet the direction is clear.

The activities that triggered alerts are routine coding work: decrypting browser credentials for session automation, listing what is in Windows Credential Manager, fetching a Python installer with certutil, writing a helper into the startup folder. Sophos’s CIXA behavioral engine caught each one the way it would catch an attacker. Three cases stand out from the report. Each sits inside a category defenders have spent a decade writing rules around: credential access and execution.

A Week of Telemetry, All on Windows

Sophos published the report in early July 2026, and the data is narrow on purpose: seven days of telemetry from the company’s CIXA behavioral engine on Windows, measured by unique machine count rather than raw event volume. The framing is the MITRE ATT&CK matrix, the public catalog of adversary techniques that EDR vendors map their detections against. The telemetry comes from customer environments running Claude Code, Cursor, and Codex in ordinary development workflows, captured in the seven-day Windows telemetry study. Sophos makes clear that the goal is not to call the activity malicious but to show that existing behavioral protections are working exactly as designed.

Credential access dominated the blocking-rule distribution, with execution running second. Defense evasion and command-and-control categories appeared more prominently in the silent, non-blocking rule distribution, which captures activity the engine considers worth tracking and grouping. The takeaway is that AI agents are now generating the same high-signal patterns defenders came to rely on, just for different reasons.

The chart below breaks the blocking hits by MITRE tactic and shows the top rule Sophos examined in each bucket. The numbers are unique machines, not raw alerts.

MITRE ATT&CK tactic Share of blocking hits Top rule triggered What it caught
Credential Access (TA0006) 56.2% of blocks Creds_3b (DPAPI browser credential decryption) Claude Code’s GStack /browse running PowerShell to unlock saved browser data
Execution (TA0002) 28.8% of blocks Exec_5a (bitsadmin download) OpenAI Codex pivoting from certutil to bitsadmin to fetch the python.org installer
Defense Evasion (TA0005) Prominent in silent-rule distribution Exec_16a (PowerShell string-formatting) AI agents generating PowerShell with command-line patterns that match an old obfuscation signature

How Three Familiar Agents Tripped the Rules

Three of the cases in the report stand out. Each involved a legitimate task. Each produced the kind of telemetry an attacker would.

In the first case, Claude Code was running a GStack skill called /browse, which automates a Chromium browser session. The activity tree runs from bash through browse.exe and node.exe and into a PowerShell process that calls the Windows Data Protection API, or DPAPI, to decrypt the browser’s stored credentials. The rule Sophos calls Creds_3b fired on that exact pattern, and the data confirms the chain: PowerShell decrypting browser credentials is exactly what the rule exists to block. In context, the activity is almost certainly benign, since the agent is automating a browser session on the user’s behalf.

The second case involved Cursor, which used a PowerShell script to write a VBScript file into the Windows startup folder. The rule, Persist_2a, blocked the action before the VBScript could land. The script’s filename pointed to an application called EZConvert, though Sophos could not confirm its purpose because the script contents were not available.

The third case was OpenAI Codex, which tried to download a Python installer from python.org. It began with certutil.exe and a /urlcache /split /f flag pattern, which Sophos’s Lateral_1b rule blocked. Several variations on the same command were also blocked. The agent pivoted to bitsadmin.exe with a /transfer /download /priority normal flag, blocked by Exec_5a. The download target was harmless, a real installer from a legitimate site, but the pivot-when-blocked behavior is what separates a live attacker from a static script, and Sophos notes that benign AI agents now do it routinely. The agent reached for these tools unprompted, and when one was blocked, it switched to the next one.

  • Claude Code under GStack /browse: PowerShell called DPAPI to decrypt browser credentials. Blocked by Creds_3b.
  • Cursor: PowerShell dropped a VBScript into the Windows startup folder. Blocked by Persist_2a.
  • OpenAI Codex: certutil pivoted to bitsadmin to fetch the python.org installer. Blocked by Lateral_1b, then Exec_5a.

Behavior Was Already the Signal Defenders Relied On

Defenders did not stumble into behavioral detection by accident. The 2026 report on adversary tradecraft found 82% of detections in 2025 were malware-free, up from 51% in 2020. Adversaries had moved through valid credentials, trusted identity flows, and approved SaaS integrations, with the average eCrime breakout time at 29 minutes and the fastest observed at 27 seconds.

That shift is what pushed the industry toward behavior-based detection. When attackers stopped dropping files, defenders had to watch the commands, the processes, and the parent-child relationships between them. EDR vendors built their rule sets around attacker tradecraft, with each detection written to fire on a known adversary pattern. The rules were tuned to catch credential reads, LOLBin downloads, and writes to startup folders. They were the right rules for a decade of malware-free intrusions.

AI coding agents now generate that same tradecraft for ordinary work. The same PowerShell pattern that unlocks browser credentials for a session automation also runs in hands-on-keyboard intrusions. The same certutil /urlcache flag pattern fetches a Python installer for a coding agent and a payload for a staged attack. Writing a VBScript into the Windows startup folder can persist a developer helper or install a backdoor, depending on whose command line fired the action. CrowdStrike recorded an 89% increase in the volume of attacks by AI-enabled adversaries in 2025, and Sophos’s new telemetry shows AI helpers producing the same activity in the same places.

  • 29 minutes: average eCrime breakout time in 2025
  • 27 seconds: fastest observed eCrime breakout time in 2025
  • 89% increase in attack volume from AI-enabled adversaries in 2025 versus 2024

The Same Fingerprint Now Comes from Three Sources

One of those three places is attack tooling, and Sophos already documented it. A month before the new telemetry report, the company published research on a threat actor who used AI agents to build a malware-testing lab, detailed in research on a malware lab that tested EDR evasion. A Claude Opus 4.5 agent coordinated the work, with additional agents handling EDR testing, documentation, OPSEC hardening, and virtual machine deployment. The lab used several Windows Server 2022 virtual machines to test payloads against Sophos, CrowdStrike, and Microsoft Defender. Sophos linked the framework to ransomware deployment and data theft, though the company did not name the group.

That research is separate from the new telemetry, but the surface is identical. Browser credential calls, LOLBin downloads, and startup writes all show up. The fingerprint can come from a legitimate developer’s Claude Code, from an attacker’s Claude Opus 4.5 in a malware lab, or from an attacker who has hijacked a coding agent through poisoned inputs. The raw action no longer tells the defender who is on the other end. Sophos calls its new findings a first-pass, short signal dump, and notes the shift is still small even if the direction is clear.

What Detection Engineering Looks Like Next

Sophos’s recommendation is to split the rule set by what each rule catches. Execution noise from an agent retrying a download or generating oddly formatted PowerShell can usually be scoped. The fix is to key detections to the parent process, claude.exe or cursor.exe, and their child processes, then narrow to the agent’s workspace, its temp path, and the reputation of the download target.

Credential-touching behavior is where the line holds. Decrypting browser credentials or enumerating Credential Manager does not become safe because an agent did it instead of a person. An agent should not inherit blanket access to credential stores just because it runs under a trusted user. Some rules need to keep firing no matter who initiated the action, because the activity itself is the risk.

Some of the activity is genuinely suspicious regardless of who initiated it. PowerShell decrypting browser credentials, dumping Credential Manager entries, writing to startup folders, cycling through LOLBin download methods, these are things defenders flag for good reason. The fact that an AI agent did them does not make them safe.

For the –dangerously-skip-permissions flag in Claude Code, the fix is administrative and applies through managed settings. Anthropic’s own documentation warns against the mode and tells administrators how to block it. The discipline that worked for a year of malware-free intrusions will work here too, as outlined in how AI agents drift in production and other recent reporting on agent failure modes.

The Open Policy Question

The harder question sits on the policy side, and Sophos asks it directly. What should an agent be permitted to do on an endpoint, and what boundaries should be enforced? The blog is open that further monitoring, assessment, and tuning will be required. Operators are rolling out agents faster than they can govern them, a pattern visible in companies rolling out AI agents faster than governance.

The question becomes how aggressively the EDR community can keep up and maintain these rules and detection tweaks to achieve acceptable false positive rates.

Scott Miserendino, Chief Technology Officer at DataBee, says he was not surprised by the findings, since endpoint detection vendors have long dealt with legitimate software that behaves like attackers. He pushed back on the framing that this is a new problem, pointing to the combination of process tracking, behavioral analysis, and whitelisting vendors have used for years. The harder question, he argued, is whether the EDR community can keep up as AI agents become more capable. He also pointed to an upside, namely that whitelisted agents still leave behavioral patterns that are useful telemetry for security teams. Those patterns, he said, can reveal AI use even when users or attackers are trying to hide it from policy enforcement.

Frequently Asked Questions

What is GStack in the context of AI coding agents?

GStack is what Sophos calls a widely adopted AI agent skill pack that adds extra capabilities to coding agents like Claude Code. One of its built-in skills, /browse, connects the agent to a Chromium daemon for browser automation. Sophos caught a Claude Code instance running GStack /browse and using PowerShell to decrypt browser credentials via the Windows Data Protection API. The activity was almost certainly benign on intent, since the agent was automating a browser session for the user. To the EDR engine, though, the PowerShell pattern is exactly what the rule exists to catch.

Are AI coding agents actually malicious?

No. Sophos is explicit that the activity the telemetry caught is not malicious. The point of the report is that the behavioral pattern overlaps with attacker tradecraft. PowerShell decrypting browser credentials, cmdkey /list, certutil /urlcache, bitsadmin /transfer, and writes to the startup folder are all things a coding agent might do for legitimate reasons and an attacker might do for the same reason. Sophos’s view is that the rules are right to fire either way.

What is –dangerously-skip-permissions?

It is a Claude Code command-line flag that bypasses the agent’s normal permission checks. Anthropic’s own documentation warns against the mode and tells administrators how to block it. Sophos’s telemetry caught Claude Code running with the flag set, which led the agent to invoke cmdkey /list and to read browser credential stores. Sophos’s recommendation is to disable the mode through managed settings rather than relying on detection.

Will whitelisting AI agents create a new attack surface?

That is the open policy question Sophos raises. The same fingerprint a developer’s Claude Code leaves behind can also be left by a hijacked agent or by an attacker’s malware. DataBee CTO Scott Miserendino notes that the behavioral patterns, even if whitelisted, can still serve as useful telemetry. The pattern is a signal of AI use even when users or attackers try to hide that AI was involved in the first place.

What should I do if I run these agents in my environment?

Sophos recommends splitting the rule set. Scope execution noise to the agent’s parent process and workspace, and key detections to the reputation of the download target. Hold the line on credential access: an agent should not have blanket access to credential stores. Disable –dangerously-skip-permissions through managed settings. Audit the policy question of what an agent should be allowed to touch on the endpoint at all, with credential stores a sensible place to draw the first line.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending