T1588.007

Artificial Intelligence

Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and developing payloads. By utilizing publicly available LLMs, adversaries effectively outsource or automate attack preparation tasks — drafting multilingual phishing content, accelerating vulnerability research, generating or refining malicious scripts, and producing AI-generated media (text, audio, images, video) for fraud and impersonation. Detection of this pre-compromise technique is challenging because AI tool access typically occurs on adversary-controlled infrastructure. Detectable signals pivot to: programmatic (non-browser) AI API access from corporate endpoints indicating possible insider threat or compromised workstation; large data uploads to AI services suggesting sensitive data exfiltration via prompt injection; and downstream behavioral indicators of AI-assisted tooling (unusually well-formed payloads, high-quality phishing lures, novel script obfuscation patterns).

Microsoft Sentinel / Defender

kusto

let AIServiceDomains = dynamic([
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api.cohere.ai",
    "api-inference.huggingface.co",
    "api.mistral.ai",
    "api.together.xyz",
    "api.groq.com",
    "api.perplexity.ai",
    "api.replicate.com",
    "api.ai21.com",
    "api.stability.ai",
    "inference.azure.com"
]);
let SuspiciousInitiators = dynamic([
    "python.exe", "python3.exe", "python3",
    "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
    "curl.exe", "wget.exe",
    "node.exe", "node",
    "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "wmic.exe", "msbuild.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (AIServiceDomains)
      or RemoteIP !startswith "10." and RemoteIP !startswith "172." and RemoteIP !startswith "192.168."
         and (RemoteUrl contains "openai" or RemoteUrl contains "anthropic" or RemoteUrl contains "huggingface"
              or RemoteUrl contains "mistral" or RemoteUrl contains "cohere" or RemoteUrl contains "groq"
              or RemoteUrl contains "perplexity" or RemoteUrl contains "replicate")
| where InitiatingProcessFileName has_any (SuspiciousInitiators)
| extend IsScriptProcess = InitiatingProcessFileName has_any ("python.exe", "python3.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| extend IsLOLBin = InitiatingProcessFileName has_any ("mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe", "msbuild.exe")
| extend IsCurlWget = InitiatingProcessFileName has_any ("curl.exe", "wget.exe")
| extend SuspicionScore = toint(IsScriptProcess) + toint(IsLOLBin) * 2 + toint(IsCurlWget)
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName,
          RemoteUrl, RemoteIP, RemotePort,
          IsScriptProcess, IsLOLBin, IsCurlWget, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Software developers and data scientists running Python/Node.js scripts that legitimately call AI APIs for authorized product features or research
Corporate AI chatbot integrations (Teams bots, helpdesk automation, CI/CD pipelines) that make programmatic API calls from internal servers
Security tooling using AI APIs for threat intelligence enrichment or automated triage
IT automation scripts (PowerShell DSC, Ansible-driven scripts) that invoke AI APIs for summarization or classification tasks
Developer workstations running local AI model inference tools (Ollama, LM Studio) that proxy to cloud APIs for model pulling

Splunk

spl

index=proxy OR index=network sourcetype=proxy OR sourcetype="stream:http" OR sourcetype="cisco:wsa:squid"
    (dest_host="api.openai.com" OR dest_host="api.anthropic.com"
     OR dest_host="generativelanguage.googleapis.com"
     OR dest_host="api.cohere.ai" OR dest_host="api-inference.huggingface.co"
     OR dest_host="api.mistral.ai" OR dest_host="api.together.xyz"
     OR dest_host="api.groq.com" OR dest_host="api.perplexity.ai"
     OR dest_host="api.replicate.com" OR dest_host="api.stability.ai"
     OR dest_host="inference.azure.com")
| eval UserAgent=lower(coalesce(http_user_agent, cs_user_agent, "unknown"))
| eval IsBrowser=if(match(UserAgent, "(chrome/|firefox/|safari/|msie|trident/|edg/|opera/)"), 1, 0)
| where IsBrowser=0
| eval BytesUploaded=tonumber(coalesce(bytes_out, cs_bytes, "0"))
| eval IsAPIEndpoint=if(match(coalesce(uri_path, cs_uri_stem, ""), "^/(v1|v2|api|generate|chat|completions|embeddings|images|audio|models)"), 1, 0)
| eval Method=upper(coalesce(http_method, cs_method, "UNKNOWN"))
| eval IsPostRequest=if(Method="POST", 1, 0)
| eval LargePayload=if(BytesUploaded > 50000, 1, 0)
| eval SuspicionScore=IsAPIEndpoint + IsPostRequest + LargePayload
| stats count as Requests,
        sum(BytesUploaded) as TotalBytesUploaded,
        dc(src_ip) as UniqueSourceIPs,
        values(dest_host) as AIServices,
        values(uri_path) as EndpointPaths,
        values(UserAgent) as UserAgents,
        max(SuspicionScore) as MaxSuspicionScore
        by src_ip, user
| where Requests > 0 AND MaxSuspicionScore >= 1
| sort - TotalBytesUploaded

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Application Log: Application Log Content Web Proxy Logs

Required Sourcetypes

proxy stream:http cisco:wsa:squid

False Positives

Developer or data science workflows using Python clients (openai SDK, anthropic SDK) for legitimate product development
Automated CI/CD test pipelines validating AI feature integrations with production API keys
Corporate-approved AI tools making backend API calls (Microsoft Copilot for M365, GitHub Copilot, JetBrains AI Assistant)
Security operations tooling that uses AI APIs for log summarization, alert triage, or threat intelligence enrichment
Chatbot or virtual assistant infrastructure running on internal servers that proxies employee queries to public AI APIs

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=5m
  [network where event.type == "connection" and
   (
     dns.question.name in ("api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com",
                           "api.cohere.ai", "api-inference.huggingface.co", "api.mistral.ai",
                           "api.together.xyz", "api.groq.com", "api.perplexity.ai",
                           "api.replicate.com", "api.stability.ai", "api.ai21.com")
     or network.destination.domain in ("api.openai.com", "api.anthropic.com",
                                       "generativelanguage.googleapis.com",
                                       "api.cohere.ai", "api-inference.huggingface.co",
                                       "api.mistral.ai", "api.together.xyz", "api.groq.com",
                                       "api.perplexity.ai", "api.replicate.com",
                                       "api.stability.ai", "api.ai21.com")
   ) and
   process.name in ("python.exe", "python3.exe", "python3", "python",
                    "powershell.exe", "pwsh.exe",
                    "cmd.exe", "wscript.exe", "cscript.exe",
                    "curl.exe", "curl", "wget.exe", "wget",
                    "node.exe", "node",
                    "mshta.exe", "regsvr32.exe", "rundll32.exe",
                    "wmic.exe", "msbuild.exe")]
  [network where event.type == "connection" and
   network.direction == "egress" and
   destination.port == 443]

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Network Packet Capture Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* packetbeat-*

False Positives

Developers running LLM-integrated tools (Copilot CLI, local AI scripts) from workstations
IT automation scripts that query AI APIs for legitimate operational purposes (e.g., log summarization pipelines)
Security tools that use AI APIs for threat intelligence enrichment
Data science teams running Jupyter notebooks with API-integrated models

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  destinationip,
  destinationport,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "URL" AS DestinationURL,
  "Application" AS InitiatingApplication,
  "Bytes Sent" AS BytesSent,
  CASE
    WHEN LOWER("Application") LIKE '%python%' THEN 'ScriptRuntime'
    WHEN LOWER("Application") LIKE '%powershell%' OR LOWER("Application") LIKE '%pwsh%' THEN 'ScriptRuntime'
    WHEN LOWER("Application") LIKE '%curl%' OR LOWER("Application") LIKE '%wget%' THEN 'CLI_Transfer'
    WHEN LOWER("Application") LIKE '%node%' THEN 'ScriptRuntime'
    WHEN LOWER("Application") LIKE '%mshta%' OR LOWER("Application") LIKE '%regsvr32%'
         OR LOWER("Application") LIKE '%rundll32%' THEN 'LOLBin'
    ELSE 'Other'
  END AS ProcessCategory
FROM events
WHERE starttime > NOW() - 86400000
  AND (
    LOWER("URL") LIKE '%api.openai.com%'
    OR LOWER("URL") LIKE '%api.anthropic.com%'
    OR LOWER("URL") LIKE '%generativelanguage.googleapis.com%'
    OR LOWER("URL") LIKE '%api.cohere.ai%'
    OR LOWER("URL") LIKE '%api-inference.huggingface.co%'
    OR LOWER("URL") LIKE '%api.mistral.ai%'
    OR LOWER("URL") LIKE '%api.together.xyz%'
    OR LOWER("URL") LIKE '%api.groq.com%'
    OR LOWER("URL") LIKE '%api.perplexity.ai%'
    OR LOWER("URL") LIKE '%api.replicate.com%'
    OR LOWER("URL") LIKE '%api.stability.ai%'
    OR LOWER("URL") LIKE '%api.ai21.com%'
    OR LOWER("URL") LIKE '%inference.azure.com%'
  )
  AND (
    LOWER("Application") LIKE '%python%'
    OR LOWER("Application") LIKE '%powershell%'
    OR LOWER("Application") LIKE '%pwsh%'
    OR LOWER("Application") LIKE '%curl%'
    OR LOWER("Application") LIKE '%wget%'
    OR LOWER("Application") LIKE '%node%'
    OR LOWER("Application") LIKE '%wscript%'
    OR LOWER("Application") LIKE '%cscript%'
    OR LOWER("Application") LIKE '%mshta%'
    OR LOWER("Application") LIKE '%regsvr32%'
    OR LOWER("Application") LIKE '%rundll32%'
    OR LOWER("Application") LIKE '%msbuild%'
  )
ORDER BY starttime DESC
LIMIT 1000

medium severity medium confidence

Data Sources

QRadar Proxy Log Source QRadar Firewall/IDS Log Source Bluecoat ProxySG DSM Cisco WSA DSM Palo Alto Networks Firewall DSM

Required Tables

events

False Positives

Developer workstations with AI-assisted coding tools (GitHub Copilot, Codeium) using Python-based extensions
Automated IT ops scripts calling AI APIs for log analysis or incident summarization
Security orchestration platforms (SOAR) that query AI for enrichment
Data pipelines running from servers that happen to share process name patterns

Sumo Logic CSE

sql

(_sourceCategory=proxy OR _sourceCategory=network/proxy OR _sourceCategory=bluecoat OR _sourceCategory=squid)
| where dest_host matches "api.openai.com" or dest_host matches "api.anthropic.com"
  or dest_host matches "generativelanguage.googleapis.com"
  or dest_host matches "api.cohere.ai" or dest_host matches "api-inference.huggingface.co"
  or dest_host matches "api.mistral.ai" or dest_host matches "api.together.xyz"
  or dest_host matches "api.groq.com" or dest_host matches "api.perplexity.ai"
  or dest_host matches "api.replicate.com" or dest_host matches "api.stability.ai"
  or dest_host matches "api.ai21.com" or dest_host matches "inference.azure.com"
| parse field=http_user_agent "*" as raw_ua nodrop
| parse field=cs_user_agent "*" as raw_ua2 nodrop
| if (isEmpty(raw_ua), raw_ua2, raw_ua) as user_agent
| toLowerCase(user_agent) as ua_lower
| if (ua_lower matches "*(chrome/|firefox/|safari/|edg/|msie|trident/|opera/)*/i", 1, 0) as is_browser
| where is_browser = 0
| parse field=uri_path "*" as endpoint nodrop
| parse field=cs_uri_stem "*" as endpoint2 nodrop
| if (isEmpty(endpoint), endpoint2, endpoint) as api_path
| if (api_path matches "*/(v1|v2|api|chat|completions|embeddings|images|audio|generate|models)*", 1, 0) as is_api_endpoint
| num(coalesce(bytes_out, cs_bytes, "0")) as bytes_uploaded
| if (bytes_uploaded > 50000, 1, 0) as large_payload
| toUpperCase(coalesce(http_method, cs_method, "UNKNOWN")) as http_method
| if (http_method = "POST", 1, 0) as is_post
| is_api_endpoint + is_post + large_payload as suspicion_score
| where suspicion_score >= 1
| stats count as requests,
        sum(bytes_uploaded) as total_bytes_uploaded,
        min(_messageTime) as first_seen,
        max(_messageTime) as last_seen,
        values(dest_host) as ai_services,
        values(api_path) as endpoint_paths,
        values(user_agent) as user_agents,
        max(suspicion_score) as max_suspicion_score
        by src_ip, user
| sort by total_bytes_uploaded desc

medium severity medium confidence

Data Sources

Sumo Logic HTTP Source (Proxy Logs) Bluecoat ProxySG Squid Proxy Cisco WSA Zscaler Web Gateway

Required Tables

_sourceCategory=proxy _sourceCategory=network/proxy

False Positives

CI/CD pipelines using AI APIs for automated code review or documentation generation
Internal chatbot or copilot tools that proxy employee requests to AI APIs
Security tooling that performs LLM-based alert triage
Developer laptops running AI-integrated IDEs where the user agent is a custom plugin rather than a browser

Google Chronicle / SecOps

yaral

rule t1588_007_ai_api_programmatic_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects programmatic non-browser access to known AI service APIs from suspicious initiating processes, indicating potential adversarial use of AI tools for attack preparation (T1588.007)"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.007"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.principal.hostname != ""
    $network.target.hostname = /(?i)(api\.openai\.com|api\.anthropic\.com|generativelanguage\.googleapis\.com|api\.cohere\.ai|api-inference\.huggingface\.co|api\.mistral\.ai|api\.together\.xyz|api\.groq\.com|api\.perplexity\.ai|api\.replicate\.com|api\.stability\.ai|api\.ai21\.com|inference\.azure\.com)/
    $network.principal.process.file.full_path = /(?i)(python\.exe|python3\.exe|python3|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|curl\.exe|wget\.exe|node\.exe|node|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/
    $network.target.port = 443

    $network.principal.hostname = $hostname
    $network.principal.user.userid = $user
    $network.principal.process.file.full_path = $proc
    $network.target.hostname = $ai_host

  match:
    $hostname, $user over 5m

  outcome:
    $risk_score = max(
      if($proc = /(?i)(mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/, 80, 0) +
      if($proc = /(?i)(python\.exe|python3\.exe|python3|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)/, 60, 0) +
      if($proc = /(?i)(curl\.exe|wget\.exe|curl|wget)/, 50, 0)
    )
    $ai_services_contacted = array_distinct($ai_host)
    $initiating_process = array_distinct($proc)

  condition:
    $network
}

medium severity medium confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder (Windows Endpoint) Chronicle Forwarder (Proxy/Web Gateway) VirusTotal Enterprise (enrichment)

Required Tables

udm_events (NETWORK_CONNECTION) udm_events (PROCESS_LAUNCH)

False Positives

Developers on developer-designated machines running AI-integrated tooling via Python or Node.js
Security operations tooling that calls AI APIs for enrichment or summarization
Approved automation pipelines with documented AI API integration
IT support scripts that use AI for troubleshooting assistance

CrowdStrike LogScale (CQL)

cql

// T1588.007 - Programmatic AI API Access Detection
// Detect scripting runtimes and LOLBins connecting to AI service endpoints

#event_simpleName = DnsRequest
| DomainName = /(?i)(api\.openai\.com|api\.anthropic\.com|generativelanguage\.googleapis\.com|api\.cohere\.ai|api-inference\.huggingface\.co|api\.mistral\.ai|api\.together\.xyz|api\.groq\.com|api\.perplexity\.ai|api\.replicate\.com|api\.stability\.ai|api\.ai21\.com|inference\.azure\.com)/
| join(
    { #event_simpleName = ProcessRollup2
      | FileName = /(?i)(python\.exe|python3\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|curl\.exe|wget\.exe|node\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/
      | eval ProcessCategory =
          case(
            FileName matches "(?i)(mshta|regsvr32|rundll32|wmic|msbuild)", "LOLBin",
            FileName matches "(?i)(python|powershell|pwsh|wscript|cscript)", "ScriptRuntime",
            FileName matches "(?i)(curl|wget)", "CLI_Transfer",
            FileName matches "(?i)(node|cmd)", "Runtime",
            true(), "Other"
          )
      | eval RiskWeight =
          case(
            ProcessCategory = "LOLBin", 3,
            ProcessCategory = "ScriptRuntime", 2,
            ProcessCategory = "CLI_Transfer", 1,
            true(), 0
          )
    },
    field=ContextProcessId,
    include=[FileName, CommandLine, ParentBaseFileName, ProcessCategory, RiskWeight]
)
| groupBy([ComputerName, UserName, FileName, ProcessCategory, DomainName, ParentBaseFileName],
    function=[
      count(DomainName, as=TotalDNSQueries),
      max(RiskWeight, as=MaxRiskWeight),
      collect(CommandLine, limit=5, as=CommandLineSamples),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ]
)
| RiskWeight := MaxRiskWeight
| sort(MaxRiskWeight, order=desc)
| limit 500

medium severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (DNS) CrowdStrike Falcon Sensor (Process) CrowdStrike Falcon Sensor (Network)

Required Tables

DnsRequest ProcessRollup2 NetworkConnectIP4

False Positives

Approved developer tools that include AI API integrations (e.g., AI-assisted IDEs using Python language servers)
Security automation that uses Falcon data combined with AI APIs for enrichment
Endpoint management scripts that call AI APIs for configuration assistance
Data science workloads on endpoints with Falcon installed that perform legitimate model inference

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1588.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.001Malware T1588.002Tool T1588.003Code Signing Certificates T1588.004Digital Certificates T1588.005Exploits T1588.006Vulnerabilities

Artificial Intelligence

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections