# AI Coding Agents Trigger EDR: Claude Code, Cursor, Codex

> Source: <https://byteiota.com/ai-agents-trigger-endpoint-security/>
> Published: 2026-07-09 12:19:27+00:00

Sophos spent seven days watching behavioral telemetry from Windows endpoints running Claude Code, Cursor, and OpenAI Codex. The findings are uncomfortable: these tools triggered the same detection rules that catch ransomware operators. Not because the agents are malicious — but because, to a behavioral detection engine, malicious actors and AI coding assistants do a lot of the same things.

## The Numbers Are Not Small

Over a seven-day window in June 2026, [Sophos analyzed blocks and silent rule hits](https://www.sophos.com/en-us/blog/2607_agents_vs_telemetry) from its behavioral engine, counting by unique machines. Credential Access led active blocks at 56.2%, with Execution at 28.8%. Within credential access, 42.6% of blocks matched a single rule — Creds_3b — which fires when a non-browser process uses the Windows Data Protection API to decrypt stored browser credentials.

In the silent-rule telemetry (logged but not blocked), Evasion tactics led at 38.5%, followed by Command & Control at 34%. These are not edge cases. These are patterns your endpoint security is already watching.

## What Each Agent Actually Did

**Claude Code** drove most of the credential-access activity through GStack’s `/browse`

skill, which chains bash → browse.exe → node.exe → PowerShell, then calls DPAPI to unlock stored browser data. In separate sessions, it spawned `taskkill.exe`

to terminate browser processes, ran scripts named things like `decrypt_wp_pass.py`

, and executed `cmdkey.exe /list`

to enumerate the Windows Credential Manager. One detail worth noting: these sessions ran with the `--dangerously-skip-permissions`

flag, which suppresses user confirmation prompts and lets the agent act more autonomously. From a behavioral detection standpoint, an autonomous process harvesting credentials is not a gray area.

**OpenAI Codex** needed to download a Python installer from python.org — a legitimate source. It tried `certutil.exe -urlcache -split -f`

first. That was blocked by rule Lateral_1b. Codex adapted and switched to `bitsadmin.exe /transfer`

, targeting the same URL. Using legitimate Windows binaries to stage downloads, then pivoting to another when the first gets blocked, is textbook LOLBin attacker methodology. The source was clean. The method was not. Behavioral engines do not award points for clean sources.

**Cursor** needed to persist a file conversion helper across reboots. It wrote a VBScript file to `C:\Users\...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`

via PowerShell. That triggered rule Persist_2a — one of the highest-signal persistence indicators in Windows detection. It is how malware survives reboots. The agent’s intent was perfectly mundane. The action was not.

## You Cannot Just Allowlist Them

The obvious response is to add claude.exe and cursor.exe to the allowlist and move on. Sophos argues this is wrong, and the argument is worth taking seriously. AI coding agents are increasingly exposed to untrusted content during normal operation — they read repositories, fetch documentation, parse files users hand them. A prompt-injection attack through a malicious repo or document can redirect agent behavior without any indication to the user. When that happens, the same credential access and LOLBin download that looked like a false positive becomes a genuine attack. The agent is still the origin process. The allowlist still passes it.

The timing makes this worse. [CrowdStrike’s 2026 threat report](https://thehackernews.com/2026/07/ai-coding-agents-found-triggering.html) found that 82% of 2025 detections involved malware-free attacks using valid credentials and trusted system tools — the same techniques AI agents happen to replicate. Defenders are already fighting signal-to-noise problems in exactly this category. AI agents turned that problem up.

## What Security Teams Should Do

Sophos recommends tuning rather than disabling. Key rules should be filtered by parent process — if claude.exe or cursor.exe is the origin, apply different handling than if the same action comes from an unknown process. Add workspace and temp path scoping so rules do not fire on known agent work directories. For credential access, hold firm: DPAPI decryption and credential store enumeration warrant continued blocks or heavy monitoring regardless of origin, because these are exactly the actions that matter if an agent has been compromised.

The other priority is building a behavioral baseline now. Sophos used this telemetry to define what normal agent behavior looks like in a given environment. Organizations with AI coding agents deployed should do the same before an incident forces the question.

## What Developers Should Do

Stop running `--dangerously-skip-permissions`

on corporate machines. That flag is a convenience feature; it is not designed for managed enterprise endpoints with active EDR. Check which GStack skills are active in your Claude Code setup — the /browse skill is the biggest driver of credential-access flags. Talk to your security team before deploying agents on managed endpoints, not after they start generating alerts. If your workflow genuinely requires agents to access credentials or download files, run them in containerized or sandboxed environments where host credential stores are not accessible.

The broader issue is that AI coding agents arrived faster than the security policies needed to govern them. [Sophos’s telemetry](https://cyberpress.org/endpoint-rules-claude-code-cursor-codex-lolbin/) is a snapshot of that gap. It will close — but the closing will be uncomfortable for teams that assumed “it is just a coding assistant” was a sufficient security posture.
