Detect Artificial Intelligence in CrowdStrike LogScale
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and developing payloads. By utilizing publicly available LLMs, adversaries effectively outsource or automate attack preparation tasks — drafting multilingual phishing content, accelerating vulnerability research, generating or refining malicious scripts, and producing AI-generated media (text, audio, images, video) for fraud and impersonation. Detection of this pre-compromise technique is challenging because AI tool access typically occurs on adversary-controlled infrastructure. Detectable signals pivot to: programmatic (non-browser) AI API access from corporate endpoints indicating possible insider threat or compromised workstation; large data uploads to AI services suggesting sensitive data exfiltration via prompt injection; and downstream behavioral indicators of AI-assisted tooling (unusually well-formed payloads, high-quality phishing lures, novel script obfuscation patterns).
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Sub-technique
- T1588.007 Artificial Intelligence
- Canonical reference
- https://attack.mitre.org/techniques/T1588/007/
LogScale Detection Query
// T1588.007 - Programmatic AI API Access Detection
// Detect scripting runtimes and LOLBins connecting to AI service endpoints
#event_simpleName = DnsRequest
| DomainName = /(?i)(api\.openai\.com|api\.anthropic\.com|generativelanguage\.googleapis\.com|api\.cohere\.ai|api-inference\.huggingface\.co|api\.mistral\.ai|api\.together\.xyz|api\.groq\.com|api\.perplexity\.ai|api\.replicate\.com|api\.stability\.ai|api\.ai21\.com|inference\.azure\.com)/
| join(
{ #event_simpleName = ProcessRollup2
| FileName = /(?i)(python\.exe|python3\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|curl\.exe|wget\.exe|node\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|wmic\.exe|msbuild\.exe)/
| eval ProcessCategory =
case(
FileName matches "(?i)(mshta|regsvr32|rundll32|wmic|msbuild)", "LOLBin",
FileName matches "(?i)(python|powershell|pwsh|wscript|cscript)", "ScriptRuntime",
FileName matches "(?i)(curl|wget)", "CLI_Transfer",
FileName matches "(?i)(node|cmd)", "Runtime",
true(), "Other"
)
| eval RiskWeight =
case(
ProcessCategory = "LOLBin", 3,
ProcessCategory = "ScriptRuntime", 2,
ProcessCategory = "CLI_Transfer", 1,
true(), 0
)
},
field=ContextProcessId,
include=[FileName, CommandLine, ParentBaseFileName, ProcessCategory, RiskWeight]
)
| groupBy([ComputerName, UserName, FileName, ProcessCategory, DomainName, ParentBaseFileName],
function=[
count(DomainName, as=TotalDNSQueries),
max(RiskWeight, as=MaxRiskWeight),
collect(CommandLine, limit=5, as=CommandLineSamples),
min(timestamp, as=FirstSeen),
max(timestamp, as=LastSeen)
]
)
| RiskWeight := MaxRiskWeight
| sort(MaxRiskWeight, order=desc)
| limit 500CrowdStrike LogScale (CQL) query that joins DnsRequest events for known AI API domains with ProcessRollup2 events to identify scripting runtimes, CLI tools, and LOLBins querying AI services. Aggregates by host, user, and process to produce risk-weighted results, prioritizing LOLBins and scripting runtimes making repeated AI API lookups.
Data Sources
Required Tables
False Positives & Tuning
- Approved developer tools that include AI API integrations (e.g., AI-assisted IDEs using Python language servers)
- Security automation that uses Falcon data combined with AI APIs for enrichment
- Endpoint management scripts that call AI APIs for configuration assistance
- Data science workloads on endpoints with Falcon installed that perform legitimate model inference
Other platforms for T1588.007
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Non-Browser AI API Access via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'api.openai.com' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection to api.openai.com:443 (resolved IP) initiated by powershell.exe. Proxy log entry showing GET request to api.openai.com with non-browser User-Agent (WindowsPowerShell). Security Event ID 4688 if command line auditing enabled.
- Test 2AI SDK Installation and API Connection via Python
Expected signal: Sysmon Event ID 11: File Create events for openai package files under %APPDATA%\Python\Python3X\site-packages\openai\. Sysmon Event ID 1: python.exe process with command line containing 'openai' and 'api_key'. Sysmon Event ID 3: Network connection from python.exe to api.openai.com:443. pip.exe process creation downloading from pypi.org.
- Test 3curl-Based AI API Simulation from Command Line
Expected signal: Sysmon Event ID 1: curl.exe process creation with CommandLine containing 'api.openai.com', '-X POST', and the prompt content visible in the -d argument. Sysmon Event ID 3: Network connection from curl.exe to api.openai.com:443. Security Event ID 4688 with full command line if command line auditing enabled. Proxy logs showing POST to api.openai.com/v1/chat/completions with content-length from curl user agent.
- Test 4AI API Environment Variable Key Storage Detection
Expected signal: Sysmon Event ID 1: powershell.exe process with CommandLine containing OPENAI_API_KEY environment variable assignment. Sysmon Event ID 3: Network connection to api.openai.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including the API key value. Security Event ID 4688 with command line.
- Test 5Linux AI API Script Execution Simulation
Expected signal: Auditd SYSCALL execve records for curl process with argv containing api.openai.com. Syslog/auth.log process execution context. Network connection event in auditd SOCKADDR records showing TCP connection to api.openai.com:443. If network monitoring enabled (Zeek/Suricata): HTTP/S SNI field showing api.openai.com in TLS ClientHello.
References (9)
- https://attack.mitre.org/techniques/T1588/007/
- https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/
- https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/
- https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks
- https://www.ic3.gov/PSA/2024/PSA241203
- https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402
- https://go.recordedfuture.com/hubfs/reports/cta-2025-0212.pdf
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1588.007 including response playbook, investigation guide, and atomic red team tests.