Cyber Security

Discovered AI Coding Agents Triggering Perfect Point Security Rules Designed to Catch Attackers

Sophos looked at a week of its own data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex set detection rules written to catch intruders.

Agents are cruelty free. They just do a lot of things, in the behavior engine, it looks like an attack.

Decrypts browser information, lists what resides in the Windows authentication store, pulls down files with built-in program tools, writes to the startup folder: these have long been top marks for defenders.

What has changed is who produces it. In the machines Sophos looked at, it was often the engineer’s AI assistant who did the mundane work.

What set off the alarms

The analysis takes seven days of telemetry from June 2026, taken from Sophos’ behavior engine on Windows and calculated by unique devices, not raw event volume. It’s a small window into a single vendor’s fleet, not a census of the industry.

Sophos’ charts put authentication access at 56.2 percent of blocked activity and execution at 28.8 percent: agents accessing stored secrets, or using code the way attackers do.

The largest credential access rule, at 42.6 percent of that group, fires when a process uses Windows’ built-in Data Protection API, or DPAPI, to decrypt the browser’s stored credential data. Sophos calls GStack a widely accepted skills package for coding agents.

Its /browser capability does just that, using PowerShell that calls DPAPI to open cached browser data. Sophos held it under the Claude Code. In context, it’s probably the default browser on behalf of the user. In the engine that sees it, it is theft of information, and the law is right to shoot.

Some Python examples looked pretty bad on paper. In one instance, Code Claude closed a running browser and ran a script that extracted data from its authentication store.

Separately, run cmdkey /list to list the credentials that Windows Credential Manager has. Sophos notes that the Claude Code here worked with the –expire-permissions flag set, a mode Anthropic’s documentation warns about and tells administrators how to block.

When one method fails, the agent tries another. The OpenAI Codex did just that, downloading the Python installer from the actual python.org, starting with certutil. That’s blocked, so switch to bitsadmin. Both are legitimate Windows utilities that attackers often misuse to pull payloads, live in the world.

The target wasn’t dangerous, but Sophos’ point is that this pivot-when-blocked behavior is what separates a live attacker from a static script, and good agents now do it too.

The cursor tripped the persistence rule by using PowerShell to drop a startup folder script that runs every time the machine is started. Sophos couldn’t confirm what the script did, but scripting a startup without a trusted installer is the kind of thing security guards raise the alarm about when they see it.

AI agents on both sides of the line

The flip side is already apparent. A month earlier, Sophos documented an attacker using AI agents to build and test malware on EDR products, one of which used Claude Opus 4.5 to coordinate the operation.

That was the time for optimization: agents help the attacker to write better tools. Agents are opened by their users at runtime, too. In one case, the researchers showed a code agent could be tricked into running an attacker’s code by using poisoned input, a chain that could pass to EDR because the agent is running inside a trusted user session.

These are separate events with different firing rules, but they share more: browser authentication calls, LOLBin downloads, and initial writes now come from good agents, running agents, and hackers.

That’s why the raw action tells you less than before. And it sits within a major shift in what intervention looks like. CrowdStrike’s 2026 Global Threat Report found that 82 percent of 2025 detections were malware-free, with attackers going with valid credentials and trusted tools instead of dumping files.

That change is what drove the adoption of the behavior in the first place. AI agents now produce the same behavior for common reasons, drowning out the signal defenders would rely on.

What it means for defenders

If developers run these agents under their own accounts, expect the repository rules to explode on their machines. Sophos’ answer is to differentiate the rules by what they hold. Execution noise from an agent retrying to download or extract an oddly formatted PowerShell can often be checked.

Lock the rule on the agent’s parent process (claude.exe, cursor.exe, and their child processes), its workspace or temporary path, or the reputation of the download target. That prevents a known agent doing routine work from generating alerts.

Detail-oriented behavior is where you draw the line. Decrypting a browser’s credentials or enumerating an Authentication Manager is not safe because an agent does so on behalf of a human, and an agent should not inherit blanket access to information stores simply because it is running under a trusted user. If the sound comes from Claude –dangerously-skip-permissions permissions mode, disable that mode in managed settings.

Sophos calls this an early reading, not a decision, and notes that change is still small even if the direction is clear. An open policy question is what code agents should be allowed to touch on the endpoint, and authentication stores are a logical place to draw the first line.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button