Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

https://firewall.firm.in/wp-content/uploads/2026/07/alarm.jpg

Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders.

The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack.

Decrypting browser credentials, listing what sits in Windows’ credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders.

What has changed is who is generating it. On the machines Sophos watched, it was often a developer’s AI assistant going about ordinary work.

What set the alarms off

The analysis draws on seven days of telemetry from June 2026, taken from Sophos’s behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor’s fleet, not an industry census.

Sophos’s charts put credential access at 56.2 percent of the blocked activity and execution at 28.8 percent: agents reaching for stored secrets, or running code the way attackers do.

The biggest credential-access rule, at 42.6 percent of that group, fires when a process uses Windows’ built-in Data Protection API, or DPAPI, to decrypt the browser’s stored credential data. Sophos calls GStack a widely adopted skill pack for coding agents.

Its /browse skill does exactly that, running PowerShell that calls DPAPI to unlock saved browser data. Sophos caught it running under Claude Code. In context, it is almost certainly browser automation on the user’s behalf. To the detection engine, it is credential theft, and the rule is right to fire.

Some Python examples looked worse on paper. In one instance, Claude Code shut down the running browser and ran a script that pulled data from its credential store.

Separately, it ran cmdkey /list to enumerate the credentials Windows Credential Manager was holding. Sophos notes that Claude Code here ran with its –dangerously-skip-permissions flag set, a mode Anthropic’s own documentation warns against and tells administrators how to block.

When one approach fails, an agent tries another. OpenAI Codex did just that, fetching a Python installer from the real python.org, starting with certutil. That was blocked, so it switched to bitsadmin. Both are legitimate Windows utilities that attackers routinely abuse to pull payloads, living off the land.

The target was harmless, but Sophos’s point is that this pivot-when-blocked behavior is what separates a live attacker from a static script, and benign agents now do it too.

Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run every time the machine booted. Sophos could not confirm what the script did, but writing to startup outside a trusted installer is the kind of thing defenders flag on sight.

AI agents on both sides of the line

The flip side is already visible. A month earlier, Sophos documented an attacker who used AI agents to build and test malware against EDR products, one of them running Claude Opus 4.5 to coordinate the work.

That was development-time: agents helping an attacker write better tooling. Agents get turned on their own users at runtime, too. In a separate case, researchers showed a coding agent could be tricked into running attacker code through poisoned inputs, a chain that can slip past EDR because the agent is acting inside the user’s trusted session.

These are separate events with different rules firing, but they share a surface: browser credential calls, LOLBin downloads, and startup writes now come from benign agents, attacker-run agents, and hijacked agents.

That is why the raw action tells you less than it once did. And it sits inside a bigger change in how intrusions look. CrowdStrike’s 2026 Global Threat Report found 82 percent of 2025 detections were malware-free, with attackers moving through valid credentials and trusted tools instead of dropping files.

That shift is what pushed detection toward behavior in the first place. AI agents now generate the same behavior for ordinary reasons, crowding the exact signal defenders came to rely on.

What it means for defenders

If developers run these agents under their own accounts, expect endpoint rules to fire on their machines. Sophos’s answer is to split the rules by what they catch. Execution noise from an agent retrying a download or emitting oddly formatted PowerShell can usually be scoped.

Key the rule to the agent’s parent process (claude.exe, cursor.exe, and their child processes), its workspace or temp path, or the reputation of the download target. That stops a known agent doing ordinary work from generating alerts.

Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating Credential Manager does not become safe because an agent did it instead of a person, and an agent should not inherit blanket access to credential stores just because it runs under a trusted user. If the noise comes from Claude Code’s –dangerously-skip-permissions mode, disable that mode through managed settings.

Sophos calls this an early read, not a verdict, and notes the shift is still small even if the direction is clear. The open policy question is what a coding agent should be allowed to touch on an endpoint at all, and credential stores are a sensible place to draw the first line.

Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket