Abstract editorial illustration of an AI coding agent running through a network of glowing endpoint detection rules, navy and teal palette, no humans, no readable text.

Coding agents set off EDR rules built for intruders, Sophos finds

AIntelligenceHub
··5 min read

Sophos telemetry from June 2026 shows Claude Code, Cursor, and OpenAI Codex triggering credential access and execution rules on developer machines. Credential access made up 56.2 percent of the blocked activity.

A week of Sophos telemetry shows AI coding agents setting off endpoint detection rules that defenders have spent years tuning to catch human intruders. The agents are doing ordinary work that, to a behavioral engine, looks exactly like an attack: decrypting browser credentials, listing the Windows credential store, and writing to the startup folder. What changed in June 2026 is who is generating them.

The new analysis from Sophos's Counter Threat Unit, published in The Hacker News on July 8, 2026, is a narrow window on one vendor's fleet. It draws on seven days of telemetry from Sophos's behavioral engine on Windows, counted by unique machines rather than raw event volume. Credential access made up 56.2 percent of the blocked activity, with execution at 28.8 percent. The biggest credential-access rule, at 42.6 percent of that group, fires when a process uses Windows' Data Protection API (DPAPI) to decrypt the browser's stored credential data.

What the coding agents were doing

Sophos's analysts point to GStack, a widely adopted skill pack for coding agents. Its `/browse` skill runs PowerShell that calls DPAPI to decrypt saved browser data, and Sophos caught it running under Claude Code. In context, it is almost certainly browser automation on the user's behalf. To the detection engine, it is credential theft, and the rule is right to fire.

In one of the more striking Python examples, Claude Code shut down the running browser and ran a script that pulled data from its credential store. Separately, it ran `cmdkey /list` to enumerate the credentials Windows Credential Manager was holding. Sophos notes that Claude Code here ran with its `--dangerously-skip-permissions` flag set, a mode Anthropic's own documentation warns against and tells administrators how to block.

OpenAI Codex followed the same pattern with a different toolchain. When one approach failed, it tried another: fetching a Python installer from the real python.org, starting with `certutil`. That was blocked, so it switched to `bitsadmin`. Both are legitimate Windows utilities that attackers routinely abuse to pull payloads, living off the land. The target was harmless. Sophos's point is that pivot-when-blocked behavior is what separates a live attacker from a static script, and benign agents now do it too.

Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run every time the machine booted. Sophos could not confirm what the script did, but writing to startup outside a trusted installer is the kind of thing defenders flag on sight. The behavior is the same shape as a known persistence pattern, and the rule fired. Coding agent vendors are beginning to ship protection around this. Radware added Claude Code protection and agent compliance reports on July 7, 2026, which is one of the first enterprise-grade answers to the same set of behaviors Sophos is now seeing at the rule layer.

The collision with behavior-based EDR detection

The endpoint security community has spent several years pivoting away from file-based detection and toward behavior. The 2026 CrowdStrike Global Threat Report put the share of malware-free detections at 82 percent across 2025, with attackers moving through valid credentials and trusted tools instead of dropping files. That shift is what pushed detection toward behavior in the first place. AI coding agents now generate the same behavior for ordinary reasons, crowding the exact signal defenders came to rely on.

The flip side is already visible. A month earlier, Sophos documented an attacker who used AI agents to build and test malware against EDR products, with one of them running Claude Opus 4.5 to coordinate the work. That was development-time, with agents helping an attacker write better tooling. In a separate case, researchers showed a coding agent could be tricked into running attacker code through poisoned inputs, a chain that can slip past EDR because the agent is acting inside the user's trusted session. These are separate events with different rules firing, but they share a surface: browser credential calls, LOLBin downloads, and startup writes now come from benign agents, attacker-run agents, and hijacked agents. The raw action tells you less than it once did.

Rule changes that hold the line on coding agents

Sophos's answer is to split the rules by what they catch. Execution noise from an agent retrying a download or emitting oddly formatted PowerShell can usually be scoped. Key the rule to the agent's parent process (claude.exe, cursor.exe, and their child processes), its workspace or temp path, or the reputation of the download target. That stops a known agent doing ordinary work from generating alerts on every keystroke.

Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating Credential Manager does not become safe because an agent did it instead of a person, and an agent should not inherit blanket access to credential stores just because it runs under a trusted user. If the noise comes from Claude Code's `--dangerously-skip-permissions` mode, disable that mode through managed settings. Sophos calls this an early read rather than a verdict, and the analyst notes the shift in absolute numbers is still small even if the direction is clear.

The open policy question is what a coding agent should be allowed to touch on an endpoint at all, and credential stores are a sensible place to draw the first line. For teams rolling these tools out to developer populations, the practical answer is to scope execution rules aggressively, gate credential access through explicit grants, and block the `--dangerously-skip-permissions` flag at the policy layer. The same guidance applies to the broader agent security stack that ships as part of our enterprise AI governance checklist, where credential stores are already the most common starting point for an attacker who has landed inside a developer's session. The endpoint security community has been here before with browsers and remote shells. Coding agents are the next category where benign behavior looks like attacker behavior at the rule layer, and the right response is the same one that worked before: make the rule aware of the parent process. Detection engineers who tune endpoint rules for a living will recognize the shape of the problem. The shape is familiar even if the actor is new, and the long-term answer is the same one the community already reached for browsers and remote shells years ago.

Weekly newsletter

Get a weekly summary of our most popular articles

Every week we send one email with a summary of the most popular articles on AIntelligenceHub so you can stay up-to-date on the latest AI trends and topics.

One weekly email. No sponsored sends. Unsubscribe when you want.

Comments

Every comment is reviewed before it appears on the site.

Comments stay pending until review. Posts with more than two links are held back.

Related articles