AI Coding Agents Trip Attack Detection Rules: Sophos

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Sophos analyzed seven days of Windows endpoint telemetry from June 2026 and found AI coding agents — Claude Code, Cursor, and OpenAI Codex — setting off detection rules built to catch human intruders, with credential access at 56.2% of blocked activity and execution at 28.8%.
- The largest single rule (42.6% of credential-access alerts) fires when a process uses Windows' DPAPI to decrypt browser credentials — caught running under Claude Code via the widely used GStack /browse skill pack, which performs browser automation on the user's behalf.
- Claude Code was also observed running with the --dangerously-skip-permissions flag — a mode Anthropic's own documentation warns against — while using cmdkey /list to enumerate Windows Credential Manager; administrators can block the flag through managed settings.
- OpenAI Codex demonstrated pivot-when-blocked behavior by trying to fetch a Python installer from python.org with certutil, getting blocked, then switching to bitsadmin — both legitimate Windows utilities that attackers routinely abuse as living-off-the-land binaries.
- Cursor tripped a persistence detection rule by using PowerShell to drop a startup-folder script, the kind of behavior defenders flag on sight even when the underlying intent is ordinary development work.
- An attacker used Claude Opus 4.5 to coordinate building and testing malware against EDR products in a case Sophos documented a month earlier, illustrating that the same behavioral surface — credential access, LOLBin downloads, startup writes — now cuts both ways between benign and malicious agents.
- CrowdStrike's 2026 Global Threat Report found 82% of 2025 detections were malware-free, the underlying industry shift to behavior-based detection that AI coding agents are now crowding with their own legitimate activity.
Why it matters: Developers running AI coding agents under their own accounts will see endpoint alerts on routine work, forcing security teams to scope rules by parent process (claude.exe, cursor.exe). Credential access is the line to hold, per Sophos: agents shouldn't inherit blanket credential-store access, and --dangerously-skip-permissions should be disabled through managed settings.




