DEV Community

Achin Bansal
Achin Bansal

Posted on • Originally published at gridthegrey.com

DPAPI Abuse in Claude Code and Cursor Triggers EDR

Forensic Summary

Sophos telemetry from June 2026 reveals that AI coding agents including Claude Code, Cursor, and OpenAI Codex are triggering endpoint detection rules designed to catch human attackers, performing actions such as DPAPI-based credential decryption, Windows Credential Manager enumeration, and persistence via startup folder writes. The behaviour is not malicious in intent, but the agents exhibit attacker-like pivot-when-blocked logic and abuse legitimate Windows utilities in ways indistinguishable from living-off-the-land intrusions. This blurring of the line between benign automation and attack tradecraft creates significant noise for defenders and may erode confidence in high-fidelity detection rules.


Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/ai-coding-agents-trigger-edr-rules-via-dpapi-and-lolbas/

Top comments (0)