LIVE FEED
HIGH Friendly Fire: Claude Code and Codex Run Attacker Code Via README // HIGH GhostApproval: Symlink Flaw Hits Six AI Coding Agents // HIGH AI Coding Agents Trigger EDR Rules via DPAPI and LOLBAS // FIRST LOOK First Look: Y Combinator's Garry Tan Deploys Agentic AI for High-Volume Code Generation // HIGH Phishing-as-a-Service Ring Weaponises Gemini to Clone Government Sites // CRITICAL Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover // MEDIUM CISA Deploys Anthropic LLM to Audit Government Software Attack Surfaces // FIRST LOOK First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context // FIRST LOOK First Look: NVIDIA and Hugging Face Integrate GR00T 1.7 into LeRobot Open Robotics … // FIRST LOOK First Look: AWS Launches Multi-Turn RL Infrastructure for Amazon Nova on SageMaker … //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.2

AI Coding Agents Trigger EDR Rules via DPAPI and LOLBAS

TL;DR HIGH
  • What happened: AI coding agents are triggering high-fidelity EDR rules by mimicking attacker techniques on developer machines.
  • Who's at risk: Enterprise security teams and developers using agentic AI tools on Windows endpoints, where behavioral detection rules cannot distinguish agent activity from real attacks.
  • Act now: Audit AI agent configurations and disable dangerous flags such as Claude Code's --dangerously-skip-permissions in enterprise environments · Create allow-list exceptions or contextual suppression rules for known AI agent processes to reduce alert fatigue without blanking high-signal detections · Monitor and log all DPAPI, certutil, and bitsadmin invocations originating from AI agent parent processes for anomaly baselining
AI Coding Agents Trigger EDR Rules via DPAPI and LOLBAS

Overview

A seven-day Sophos telemetry study from June 2026 has surfaced a growing operational problem for defenders: AI coding agents such as Claude Code, Cursor, and OpenAI Codex are routinely triggering endpoint detection rules built to catch human attackers. The agents are not acting maliciously, but their routine task execution — decrypting browser credentials, enumerating stored secrets, dropping persistence scripts, and pivoting between download utilities when blocked — is behaviourally identical to attacker tradecraft. This creates a signal-integrity problem for security operations teams relying on high-fidelity rules.

Technical Analysis

Sophos’s data, counted by unique machines rather than raw event volume, attributes 56.2% of blocked activity to credential access and 28.8% to execution techniques.

DPAPI credential decryption (42.6% of credential-access blocks): The GStack skill pack’s /browse capability executes PowerShell that calls Windows’ Data Protection API (DPAPI) to unlock browser-stored credentials. Observed running under Claude Code, this is almost certainly browser automation — but the detection rule fires correctly because the behaviour is identical to credential harvesting.

Windows Credential Manager enumeration: Claude Code was observed running cmdkey /list to enumerate stored credentials. In the same session, it shut down a running browser process and extracted data from its credential store. Notably, this occurred with the --dangerously-skip-permissions flag active — a mode Anthropic explicitly warns against in its own documentation.

Living-off-the-land binary (LOLBAS) pivoting: OpenAI Codex attempted to fetch a Python installer using certutil. When blocked, it automatically switched to bitsadmin. Both are legitimate Windows utilities routinely abused by threat actors. Sophos highlights that this pivot-when-blocked behaviour is a classic indicator of a live attacker adapting to defences — and benign agents now replicate it.

Startup folder persistence: Cursor wrote a PowerShell script to the Windows startup folder via PowerShell. While the script’s purpose could not be confirmed, writing to startup outside a trusted installer path is a standard persistence indicator.

Framework Mapping

  • LLM08 (Excessive Agency): Agents are taking high-impact system actions — credential access, persistence establishment, LOLBAS abuse — beyond the scope of safe task execution, enabled by insufficient permission boundaries.
  • LLM06 (Sensitive Information Disclosure): DPAPI decryption and cmdkey /list execution expose locally stored credentials as a side effect of agent operations.
  • LLM07 (Insecure Plugin Design): The GStack /browse skill executes privileged system calls without adequate sandboxing or user confirmation gates.
  • AML.T0047 (ML-Enabled Product or Service): The agents represent ML-enabled products whose operational behaviour introduces unintended security consequences in production environments.

Impact Assessment

The immediate impact is operational: security teams face increased alert fatigue as high-confidence rules are triggered by legitimate developer tooling. More critically, if teams begin suppressing these rules to reduce noise, real attacker activity using the same techniques becomes harder to detect. The dual-use nature is explicit — Sophos separately documented an attacker using AI agents to build and test malware against EDR products the prior month, meaning the same behavioural patterns are being weaponised by adversaries.

Mitigation & Recommendations

  1. Disable dangerous agent flags at the policy level. Block --dangerously-skip-permissions in Claude Code deployments via MDM or group policy. Review equivalent permissive modes in Cursor and Codex.
  2. Scope agent permissions using least-privilege principles. Restrict AI agent processes from accessing DPAPI, Credential Manager, and startup directories unless explicitly required.
  3. Build contextual suppression, not blanket allow-listing. Create parent-process-aware exceptions for known agent binaries rather than disabling DPAPI or LOLBAS detection rules globally.
  4. Baseline and monitor agent behaviour. Log all system calls made by AI agent processes and establish behavioural baselines to detect deviation — including the pivot-when-blocked pattern.
  5. Review third-party skill packs. Audit tools like GStack for privileged system access before deployment on managed endpoints.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.