Overview
A seven-day Sophos telemetry study from June 2026 has surfaced a growing operational problem for defenders: AI coding agents such as Claude Code, Cursor, and OpenAI Codex are routinely triggering endpoint detection rules built to catch human attackers. The agents are not acting maliciously, but their routine task execution — decrypting browser credentials, enumerating stored secrets, dropping persistence scripts, and pivoting between download utilities when blocked — is behaviourally identical to attacker tradecraft. This creates a signal-integrity problem for security operations teams relying on high-fidelity rules.
Technical Analysis
Sophos’s data, counted by unique machines rather than raw event volume, attributes 56.2% of blocked activity to credential access and 28.8% to execution techniques.
DPAPI credential decryption (42.6% of credential-access blocks): The GStack skill pack’s /browse capability executes PowerShell that calls Windows’ Data Protection API (DPAPI) to unlock browser-stored credentials. Observed running under Claude Code, this is almost certainly browser automation — but the detection rule fires correctly because the behaviour is identical to credential harvesting.
Windows Credential Manager enumeration: Claude Code was observed running cmdkey /list to enumerate stored credentials. In the same session, it shut down a running browser process and extracted data from its credential store. Notably, this occurred with the --dangerously-skip-permissions flag active — a mode Anthropic explicitly warns against in its own documentation.
Living-off-the-land binary (LOLBAS) pivoting: OpenAI Codex attempted to fetch a Python installer using certutil. When blocked, it automatically switched to bitsadmin. Both are legitimate Windows utilities routinely abused by threat actors. Sophos highlights that this pivot-when-blocked behaviour is a classic indicator of a live attacker adapting to defences — and benign agents now replicate it.
Startup folder persistence: Cursor wrote a PowerShell script to the Windows startup folder via PowerShell. While the script’s purpose could not be confirmed, writing to startup outside a trusted installer path is a standard persistence indicator.
Framework Mapping
- LLM08 (Excessive Agency): Agents are taking high-impact system actions — credential access, persistence establishment, LOLBAS abuse — beyond the scope of safe task execution, enabled by insufficient permission boundaries.
- LLM06 (Sensitive Information Disclosure): DPAPI decryption and
cmdkey /listexecution expose locally stored credentials as a side effect of agent operations. - LLM07 (Insecure Plugin Design): The GStack
/browseskill executes privileged system calls without adequate sandboxing or user confirmation gates. - AML.T0047 (ML-Enabled Product or Service): The agents represent ML-enabled products whose operational behaviour introduces unintended security consequences in production environments.
Impact Assessment
The immediate impact is operational: security teams face increased alert fatigue as high-confidence rules are triggered by legitimate developer tooling. More critically, if teams begin suppressing these rules to reduce noise, real attacker activity using the same techniques becomes harder to detect. The dual-use nature is explicit — Sophos separately documented an attacker using AI agents to build and test malware against EDR products the prior month, meaning the same behavioural patterns are being weaponised by adversaries.
Mitigation & Recommendations
- Disable dangerous agent flags at the policy level. Block
--dangerously-skip-permissionsin Claude Code deployments via MDM or group policy. Review equivalent permissive modes in Cursor and Codex. - Scope agent permissions using least-privilege principles. Restrict AI agent processes from accessing DPAPI, Credential Manager, and startup directories unless explicitly required.
- Build contextual suppression, not blanket allow-listing. Create parent-process-aware exceptions for known agent binaries rather than disabling DPAPI or LOLBAS detection rules globally.
- Baseline and monitor agent behaviour. Log all system calls made by AI agent processes and establish behavioural baselines to detect deviation — including the pivot-when-blocked pattern.
- Review third-party skill packs. Audit tools like GStack for privileged system access before deployment on managed endpoints.