Detect Artificial Intelligence in Google Chronicle
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and developing payloads. By utilizing publicly available LLMs, adversaries effectively outsource or automate attack preparation tasks — drafting multilingual phishing content, accelerating vulnerability research, generating or refining malicious scripts, and producing AI-generated media (text, audio, images, video) for fraud and impersonation. Detection of this pre-compromise technique is challenging because AI tool access typically occurs on adversary-controlled infrastructure. Detectable signals pivot to: programmatic (non-browser) AI API access from corporate endpoints indicating possible insider threat or compromised workstation; large data uploads to AI services suggesting sensitive data exfiltration via prompt injection; and downstream behavioral indicators of AI-assisted tooling (unusually well-formed payloads, high-quality phishing lures, novel script obfuscation patterns).
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Sub-technique
- T1588.007 Artificial Intelligence
- Canonical reference
- https://attack.mitre.org/techniques/T1588/007/
YARA-L Detection Query
rule t1588_007_ai_api_programmatic_access {
meta:
author = "Argus Detection Engineering"
description = "Detects programmatic non-browser access to known AI service APIs from suspicious initiating processes, indicating potential adversarial use of AI tools for attack preparation (T1588.007)"
mitre_attack_tactic = "Resource Development"
mitre_attack_technique = "T1588.007"
severity = "MEDIUM"
priority = "MEDIUM"
events:
$network.metadata.event_type = "NETWORK_CONNECTION"
$network.principal.hostname != ""
$network.target.hostname = /(?i)(api\.openai\.com|api\.anthropic\.com|generativelanguage\.googleapis\.com|api\.cohere\.ai|api-inference\.huggingface\.co|api\.mistral\.ai|api\.together\.xyz|api\.groq\.com|api\.perplexity\.ai|api\.replicate\.com|api\.stability\.ai|api\.ai21\.com|inference\.azure\.com)/
$network.principal.process.file.full_path = /(?i)(python\.exe|python3\.exe|python3|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|curl\.exe|wget\.exe|node\.exe|node|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/
$network.target.port = 443
$network.principal.hostname = $hostname
$network.principal.user.userid = $user
$network.principal.process.file.full_path = $proc
$network.target.hostname = $ai_host
match:
$hostname, $user over 5m
outcome:
$risk_score = max(
if($proc = /(?i)(mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/, 80, 0) +
if($proc = /(?i)(python\.exe|python3\.exe|python3|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe)/, 60, 0) +
if($proc = /(?i)(curl\.exe|wget\.exe|curl|wget)/, 50, 0)
)
$ai_services_contacted = array_distinct($ai_host)
$initiating_process = array_distinct($proc)
condition:
$network
}YARA-L 2.0 rule for Google Chronicle that detects non-browser processes initiating network connections to known AI API service endpoints. Correlates UDM network events with process context, scoring LOLBins highest, scripting runtimes second, and CLI transfer tools third. Aggregates per host and user over a 5-minute window.
Data Sources
Required Tables
False Positives & Tuning
- Developers on developer-designated machines running AI-integrated tooling via Python or Node.js
- Security operations tooling that calls AI APIs for enrichment or summarization
- Approved automation pipelines with documented AI API integration
- IT support scripts that use AI for troubleshooting assistance
Other platforms for T1588.007
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Non-Browser AI API Access via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'api.openai.com' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection to api.openai.com:443 (resolved IP) initiated by powershell.exe. Proxy log entry showing GET request to api.openai.com with non-browser User-Agent (WindowsPowerShell). Security Event ID 4688 if command line auditing enabled.
- Test 2AI SDK Installation and API Connection via Python
Expected signal: Sysmon Event ID 11: File Create events for openai package files under %APPDATA%\Python\Python3X\site-packages\openai\. Sysmon Event ID 1: python.exe process with command line containing 'openai' and 'api_key'. Sysmon Event ID 3: Network connection from python.exe to api.openai.com:443. pip.exe process creation downloading from pypi.org.
- Test 3curl-Based AI API Simulation from Command Line
Expected signal: Sysmon Event ID 1: curl.exe process creation with CommandLine containing 'api.openai.com', '-X POST', and the prompt content visible in the -d argument. Sysmon Event ID 3: Network connection from curl.exe to api.openai.com:443. Security Event ID 4688 with full command line if command line auditing enabled. Proxy logs showing POST to api.openai.com/v1/chat/completions with content-length from curl user agent.
- Test 4AI API Environment Variable Key Storage Detection
Expected signal: Sysmon Event ID 1: powershell.exe process with CommandLine containing OPENAI_API_KEY environment variable assignment. Sysmon Event ID 3: Network connection to api.openai.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including the API key value. Security Event ID 4688 with command line.
- Test 5Linux AI API Script Execution Simulation
Expected signal: Auditd SYSCALL execve records for curl process with argv containing api.openai.com. Syslog/auth.log process execution context. Network connection event in auditd SOCKADDR records showing TCP connection to api.openai.com:443. If network monitoring enabled (Zeek/Suricata): HTTP/S SNI field showing api.openai.com in TLS ClientHello.
References (9)
- https://attack.mitre.org/techniques/T1588/007/
- https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
- https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks
- https://www.ic3.gov/PSA/2024/PSA241203
- https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0212.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1588.007 including response playbook, investigation guide, and atomic red team tests.