InnoCTF
agentic Detection explainer

When AI coding agents look like attackers: reading behavioral EDR telemetry

Abstract diagram of an AI coding agent's actions firing endpoint detection rules built for intruders
Benign automation firing rules written for hands-on-keyboard intrusion. Lab telemetry.

Sophos reviewed a week of its own endpoint telemetry and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex were setting off detection rules written to catch human intruders. The agents were not malicious. They simply performed a lot of actions that, to a behavioral engine, are indistinguishable from an attack in progress.

Why a behavioral engine cannot tell the difference

Endpoint detection and response does not decide intent. It scores behavior. A rule fires when a sequence of observable actions matches a pattern that historically correlated with intrusion: a process decrypting stored browser passwords, a script writing itself into the startup folder, a system utility pulling a file down from the internet. These signals were chosen because human operators reliably produce them during hands-on-keyboard work. An AI coding agent, asked to set up a project or debug an environment, produces the same primitives for entirely ordinary reasons. The behavior overlaps; the intent does not. The engine only sees the behavior.

The rule was never wrong about the action. It was wrong about who was taking it, because that is the one thing behavioral telemetry cannot see. the false-positive problem restated

The behaviors that fire, mapped to tradecraft

Three categories in the Sophos data map cleanly onto techniques defenders already track. Each is a legitimate developer action and a well-worn adversary move at the same time.

Credential access

A rule keyed on the Windows Data Protection API generated a large share of the alerts. Agents called DPAPI functions to decrypt browser-stored credentials, which is exactly what an infostealer does after landing on a host. The system cannot tell a config-reading agent from a credential thief, because both ask the operating system the same question: unwrap this protected secret for me.

Living off the land

Codex tried to fetch a Python installer using certutil, a signed Windows utility. That call was blocked, so it fell back to bitsadmin. Both are living-off-the-land binaries, or LOLBins: trusted system tools that attackers abuse precisely because they are already present and rarely flagged. An agent reaching for them to download a dependency looks identical to a dropper staging a payload.

Persistence

Cursor tripped a persistence rule by using PowerShell to write a script into the startup folder so a task would run on every boot. Startup-folder persistence is one of the oldest entries in the attacker playbook. The mechanism is the same whether the goal is a convenience hook or a foothold that survives reboot.

Why this matters beyond noise

The immediate cost is alert fatigue. A behavioral rule that fires dozens of times a day on developer machines trains analysts to dismiss it, and a dismissed rule is a blind spot the day a real intruder produces the same signal. The second-order risk is subtler and already documented in adjacent research: an attacker who can drive an approved agent inherits its reputation. If claude.exe or cursor.exe becomes a trusted parent process that the pipeline learns to ignore, that trust is a surface. This is the same trust-boundary failure we traced when a local service trusted any caller on loopback, and the same confused-deputy shape as MCP tool poisoning, where a component with legitimate privileges is steered into misusing them.

How to tune it without going blind

The fix is not to silence the rule. It is to split it by what it is actually trying to catch, so agent noise can be scoped out while the underlying tradecraft stays covered. Useful axes to key on:

Reproducing it in a lab

You can study this safely on an isolated host running your own EDR or a rule engine you control. Point a coding agent at an ordinary setup task, such as bootstrapping a project that downloads a dependency and adds a launch hook, then read the telemetry. The tell is a cluster of high-signal detections whose parent process is the agent and whose targets are benign. Then tighten the rules along the axes above and confirm the developer flow goes quiet while a hand-run infostealer sequence still fires.

scope_rule.py
# split a credential-access rule so agent lineage is scoped, not silenced
AGENT_BINARIES = {"claude.exe", "cursor.exe", "codex.exe"}

def classify(event):
    # event: {name, parent_chain, target_path, dest_reputation}
    is_agent = any(p in AGENT_BINARIES for p in event.parent_chain)
    in_workspace = event.target_path.startswith(("C:\\dev\\", event.workspace))
    if event.name == "dpapi_decrypt":
        # agent + workspace = low, still logged; anything else = alert
        return "review" if (is_agent and in_workspace) else "alert"
    return "alert"

# never do this: a blanket allow hands attackers a process to wear
# if is_agent: return "allow"   # <-- do not

The transferable habit is the one we keep coming back to: an observable action is not the same as an intent, and any signal a defender learns to ignore is a signal an attacker will learn to produce. Start from the InnoCTF writeups index or read more about this project if you are building detection labs.

Disclosure: This article was researched and drafted with AI assistance and edited by the InnoCTF Editorial Team. It explains documented behavior for education and authorized testing only; it does not target any live system.

Sources

  1. The Hacker News. "AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers." Read the report
  2. Sophos. "When AI agents look like attackers: what behavioral telemetry tells us." Read the analysis
  3. MITRE ATT&CK. "Ingress Tool Transfer (T1105) and Boot or Logon Autostart Execution (T1547)." Read the technique reference