Full Report
Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing what sits in Windows' credential store,
Analysis Summary
# Tool/Technique: AI Coding Agents (Behavioral False Positives)
## Overview
AI coding agents are autonomous or semi-autonomous tools designed to assist in software development and browser automation. While benign in intent, their operational methods frequently mirror the tactics, techniques, and procedures (TTPs) of human attackers. These agents often utilize system-level utilities and "Living off the Land" (LotL) techniques that trigger behavioral detection rules in Endpoint Detection and Response (EDR) solutions.
## Technical Details
- **Type:** Tool / Agentic AI Frameworks
- **Platform:** Windows, macOS, Linux (Analysis focused on Windows telemetry)
- **Capabilities:** Code generation, browser automation, system command execution, file manipulation, and credential interaction.
- **First Seen:** Telemetry analysis conducted June 2026.
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
- [T1059 - Command and Scripting Interpreter]
- [T1204.002 - User Execution: Malicious File]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0005 - Defense Evasion]**
- [T1218.011 - System Binary Proxy Execution: Certutil]
- **[TA0006 - Credential Access]**
- [T1555.003 - Credentials from Web Browsers]
- [T1003.001 - OS Credential Dumping: LSA Secrets (via DPAPI)]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **Credential Decryption:** Using the Windows Data Protection API (DPAPI) to unlock and access stored browser credentials (often for automation tasks).
- **Environment Enumeration:** Using commands like `cmdkey /list` to identify stored secrets in the Windows Credential Manager.
- **Dynamic Execution:** Executing PowerShell and Python scripts to perform system-level tasks.
### Advanced Features
- **Pivot-on-Failure:** The ability to switch tools when one is blocked (e.g., switching from `certutil` to `bitsadmin` for file downloads), mimicking human attacker persistence.
- **Permission Escalation:** Capabilities like Claude Code’s `--dangerously-skip-permissions` flag, which allows the agent to bypass standard oversight prompts.
- **Autonomous Persistence:** Writing scripts to the Windows Startup folder to ensure continuity of automation tasks.
## Indicators of Compromise
*Note: These are behavioral indicators generated by benign agents that overlap with malicious activity.*
- **File Names:** Scripts dropped in `\Microsoft\Windows\Start Menu\Programs\Startup\`
- **Network Indicators:**
- `python[.]org` (Used for downloading installers via LOLBins)
- **Behavioral Indicators:**
- Unauthorized calls to `dpapi.dll` from non-browser processes.
- Usage of `certutil.exe` or `bitsadmin.exe` to fetch external resources.
- Frequent execution of `powershell.exe` with encoded or complex command strings spawned by IDEs (Cursor, VS Code).
- Termination of browser processes followed by direct access to SQLite credential databases.
## Associated Threat Actors
- While the tools themselves (Claude Code, Cursor) are benign, they have been observed being used by:
- **General Attackers:** For building/testing malware against EDR.
- **Adversarial AI Users:** Using Claude Opus 4.5 to coordinate attack tooling development.
## Detection Methods
- **Behavioral Detection:** Identifying anomalous DPAPI calls (Credential Access triggers) and Startup folder modifications.
- **Process Tree Monitoring:** Monitoring for IDEs or AI binary parents spawning LOLBins (`certutil`, `bitsadmin`).
- **Heuristic Alarms:** Flagging the "Pivot-on-Failure" behavior where a process tries multiple download methods sequentially.
## Mitigation Strategies
- **Administrative Policy:** Use organizational controls to block high-risk flags (e.g., `--dangerously-skip-permissions`).
- **Endpoint Hardening:** Restrict the ability of developer tools to write to the Startup folder or access LSA/DPAPI secrets without explicit user consent.
- **Contextual Analysis:** Update SOC playbooks to differentiate between a developer's AI agent activity and an actual intruder based on the source process and intent (e.g., GStack `/browse` skill).
## Related Tools/Techniques
- **Claude Code** (Anthropic)
- **Cursor**
- **OpenAI Codex**
- **GStack** (Agent skill pack)
- **Living off the Land Binaries (LOLBins)**