Cybersecurity·4 min read

Claude, Cursor, and Codex Trigger Endpoint Security Rules Used to Catch Hackers

AI coding agents such as Claude Code, Cursor, and OpenAI Codex are increasingly appearing in enterprise environments, and new telemetry shows they are unintentionally triggering security detections ti

CS
CyberShield Team
2026-07-09
Share:
Claude, Cursor, and Codex Trigger Endpoint Security Rules Used to Catch Hackers

AI coding agents such as Claude Code, Cursor, and OpenAI Codex are increasingly appearing in enterprise environments, and new telemetry shows they are unintentionally triggering security detections tied to credential access and living-off-the-land binaries (LOLBins). Recent analysis from Sophos’ CIXA behavioral engine highlights how these tools blur the line between benign automation and activity typically […] The post Claude, Cursor, and Codex Trigger Endpoint Security Rules Used to Catch Hackers appeared first on Cyber Security News.

AI coding agents such as Claude Code, Cursor, and OpenAI Codex are increasingly appearing in enterprise environments, and new telemetry shows they are unintentionally triggering security detections tied to credential access and living-off-the-land binaries (LOLBins). Recent analysis from Sophos’ CIXA behavioral engine highlights how these tools blur the line between benign automation and activity typically associated with attackers. The findings are based on Windows endpoint telemetry collected over seven days in June 2026. Detection data show that rules mapped to MITRE ATT&CK tactics such as Credential Access and Execution generated the most alerts. While none of the observed activity was confirmed as malicious, much of it closely resembled known adversary techniques. A significant portion of detections came from credential access behaviors. One of the most frequently triggered rules, Creds_3b, detects processes that use the Windows Data Protection API (DPAPI) to decrypt browser-stored credentials. This behavior was repeatedly observed when AI agents performed browser automation tasks using tools such as the GStack skill pack. Blocking rule hits (by MITRE tactic) downstream of AI agents, measured by unique machine count (Source: Sophos) For example, the /browse capability launches a chain of processes that eventually invoke PowerShell to decode protected data. Claude Code, Cursor, and Codex Triggers In one observed command, PowerShell used .NET cryptographic functions to decode Base64 input and decrypt it using DPAPI under the current user context. Sophos researchers noted that although the activity is legitimate for browser automation, it uses a well-known infostealer technique, causing the detection rule to correctly flag it despite its benign purpose. Other credential-related alerts involved Python scripts spawned by AI agents. In some cases, agents terminated browser processes with taskkill before executing scripts that access stored credentials. Claude Code documentation warning about the –dangerously-skip-permissions flag (Source: Sophos) Additional commands included using Windows’ built-in cmdkey utility to enumerate saved credentials. Such behavior, especially when combined with flags like “–dangerously-skip-permissions,” would typically trigger immediate investigation in a security operations center. Beyond credential access, AI agents also triggered alerts related to command-line obfuscation and LOLBin abuse. One example involved OpenAI Codex attempting to download a Python installer from the official website using certutil.exe. When blocked, the agent pivoted to using bitsadmin.exe, another native Windows utility that attackers commonly abuse. This retry logic mirrors hands-on-keyboard adversary behavior, where multiple techniques are attempted until one succeeds. Claude terminating browser processes before spawning a Python script (decrypt_wp_pass.py) that accesses browser data (Source: Sophos) Persistence mechanisms were also observed. In one case, Cursor used a PowerShell script to write a VBScript file into the Windows startup folder, an action flagged by persistence detection rules. Although the intent appeared related to application setup, writing to startup locations outside trusted installers remains a high-risk behavior. The telemetry also included detections under a “Disrupt” category, representing Adaptive Attack Protection (AAP) events. These were triggered when AI agents attempted to execute low-reputation binaries. While these files were not confirmed to be malicious, their lack of a global reputation led to automated blocking. Overall, the data shows that AI agents are reshaping baseline activity on endpoints. Actions once considered strong indicators of compromise are now being performed by legitimate automation tools. However, the risk profile of these behaviors has not changed. Decrypting credentials, using LOLBins for downloads, and modifying persistence locations remain inherently sensitive actions. This shift presents a challenge for detection engineering teams. Security controls must evolve to distinguish between trusted AI-driven automation and genuine threats, without weakening protections. As AI agents become more autonomous, organizations will need clear policies defining what these tools are allowed to do, along with improved visibility into their actions. Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide The post Claude, Cursor, and Codex Trigger Endpoint Security Rules Used to Catch Hackers appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.