Skip to content
AI Security Wire

Published

- 5 min read

By

AI Coding Agents Are Tripping Enterprise EDR Rules, Sophos Finds

img of AI Coding Agents Are Tripping Enterprise EDR Rules, Sophos Finds

Enterprise endpoint detection and response tools are doing exactly what they were designed to do. And that is becoming a problem.

Sophos X-Ops published telemetry analysis this week showing that AI coding agents, including Claude Code, Cursor, and OpenAI Codex, are routinely triggering behavioral detection rules built to identify human attackers operating on Windows endpoints. The research covers activity observed across Sophos customer deployments and documents specific technique overlaps between legitimate agent operations and established attacker tradecraft.

The finding puts security teams in an uncomfortable position. The rules working are the rules they want. But the signal they produce is increasingly buried under noise from tools their developers run every day.

The Credential Access Problem

Fifty-six point two percent of blocked activity in Sophos’s dataset fell under the credential access category. That is the dominant category by a wide margin, and the cause is specific: Windows DPAPI.

DPAPI, the Data Protection API, is how Windows protects locally stored secrets. Browser credential stores, saved Wi-Fi passwords, and application-level secrets are all encrypted at rest using keys tied to the user session. Accessing them requires calling CryptUnprotectData, a Windows API function.

This is also the technique used by virtually every credential stealer that Sophos tracks. Redline, Vidar, Lumma, and their successors all decrypt browser credential stores using the same DPAPI call sequence. The behavioral rule pattern is well-established: process spawns, accesses CryptUnprotectData, reads browser profile directories. That pattern is what gets flagged.

AI coding agents produce the same sequence when they need to access environment configuration. A coding agent trying to read tokens stored in the browser credential store, check git credentials, or load API keys from local storage goes through the same DPAPI pathway. From the EDR’s perspective, the call signature is identical to Redline.

The execution category accounted for 28.8% of blocked activity, largely driven by specific Windows-native utilities.

LOLBins From the Build Process

OpenAI Codex produced the most notable pattern in the execution category. Sophos telemetry recorded Codex invoking certutil followed by bitsadmin during code execution tasks.

Both of these tools are what defenders call LOLBins, legitimate Windows binaries that threat actors repurpose for malicious activity. Certutil can decode base64-encoded payloads. Bitsadmin can download files from arbitrary URLs using the Background Intelligent Transfer Service. Adversaries have chained these two tools together for years. They appear on threat actor technique lists in MITRE ATT&CK, in red team playbooks, and in the blocklists of most mature enterprise EDR deployments.

Codex was not using them maliciously. It was using them as part of build and dependency resolution tasks, the same way a developer running commands manually might reach for available Windows utilities rather than invoking a package manager. The technical result is the same system call sequence. The alert that fires is the same alert.

Why the Overlap Is Getting Worse

This friction between AI agent behavior and endpoint security rules was predictable, and it is getting worse as agents become more capable.

The core issue is that agent behavioral patterns were never considered when EDR detection logic was written. Rules targeting credential theft, lateral movement, and execution-chain abuse were designed around human adversary workflows. An attacker on a keyboard does things in a certain order, touches certain APIs, calls certain utilities. The rules encode that knowledge.

Agents are not adversaries, but they are powerful execution engines that interact with the system at a similar depth. They read files, spawn processes, access credential stores, download dependencies, and run scripts. In a security model built entirely around the assumption that deep system access is adversarial, agents look like attackers.

Sophos notes that the problem is asymmetric. The credential access patterns in particular are hard to resolve through rule tuning alone. DPAPI calls from a developer workstation are going to come from both the agent and, occasionally, from actual malware. The signal is not wrong. It is just producing false positives in a new context that existing models weren’t built to handle.

What Changes

Sophos recommends creating allow-list policies scoped to developer machines, targeting the specific binary paths of approved coding agent installations. The recommendation is not to disable credential access detection broadly. It is to create a tiered policy where known agent processes are logged rather than blocked, while the same rules remain active and blocking for process trees that don’t match approved agent profiles.

This is not a clean solution. It requires maintaining an accurate inventory of approved agent tooling, enforcing installation into known paths, and reviewing that inventory every time a new tool enters the development environment. That operational overhead is not trivial.

The longer-term implication is that endpoint security vendors are going to need to build explicit AI agent behavioral models. The binary of “attacker behaviour” versus “user behaviour” is no longer sufficient when the user is an automated agent capable of reproducing attacker-scale system interaction.

The Sophos research is a concrete, telemetry-backed version of an argument the security community has been making theoretically. Agents are producing adversary-like signals at scale. The detection models need to catch up.

References

Frequently Asked Questions

Why do AI coding agents trigger DPAPI-based EDR rules?
AI coding agents need to access environment configuration, including credentials stored in browsers or local credential managers. On Windows, browser credential stores are encrypted with the Data Protection API (DPAPI). When an agent calls CryptUnprotectData to read these stores, it produces exactly the same system call sequence as credential stealers like Redline and Vidar. EDR rules built to catch credential theft can't distinguish whether the DPAPI call originated from a malicious process or a legitimate coding agent running with user context.
What makes the LOLBin patterns from OpenAI Codex significant?
Certutil and bitsadmin are Windows-native utilities that have been abused for malicious file downloads for years. Codex was observed chaining certutil for certificate operations and bitsadmin for background transfer downloads during routine code execution tasks. Both utilities appear on virtually every enterprise application blocklist and EDR rule set targeting living-off-the-land techniques. The problem is that these tools are also legitimately used during build and test operations, creating alert noise that security teams have to manually triage.
How should organizations handle AI agent activity in EDR policy?
Sophos recommends creating dedicated allow-list policies for known AI coding agent binaries, scoped to developer workstations rather than applied broadly. The key controls are: restrict the agent binary paths to approved install locations, log but don't block DPAPI calls from verified agent processes, and exclude known agent process trees from rules that fire on certutil or bitsadmin invocations. The broader principle is that AI agent activity should be baselined and treated as a distinct process category rather than evaluated against rules built exclusively for human adversary behaviour.