Detect Artificial Intelligence in IBM QRadar
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and developing payloads. By utilizing publicly available LLMs, adversaries effectively outsource or automate attack preparation tasks: drafting multilingual phishing content, accelerating vulnerability research, generating or refining malicious scripts, and producing AI-generated media (text, audio, images, video) for fraud and impersonation.

Detection of this pre-compromise technique is challenging because AI tool access typically occurs on adversary-controlled infrastructure. Detectable signals pivot to:
- programmatic (non-browser) AI API access from corporate endpoints, indicating a possible insider threat or compromised workstation
- large data uploads to AI services, suggesting sensitive data exfiltration via prompt injection
- downstream behavioral indicators of AI-assisted tooling (unusually well-formed payloads, high-quality phishing lures, novel script obfuscation patterns)
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.007 Artificial Intelligence
- Canonical reference: https://attack.mitre.org/techniques/T1588/007/
QRadar Detection Query
    SELECT
        DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
        sourceip,
        username,
        destinationip,
        destinationport,
        CATEGORYNAME(category) AS EventCategory,
        LOGSOURCENAME(logsourceid) AS LogSource,
        "URL" AS DestinationURL,
        "Application" AS InitiatingApplication,
        "Bytes Sent" AS BytesSent,
        -- Label the initiating process; every initiator in the WHERE filter has a category
        CASE
            WHEN LOWER("Application") LIKE '%python%' THEN 'ScriptRuntime'
            WHEN LOWER("Application") LIKE '%powershell%' OR LOWER("Application") LIKE '%pwsh%' THEN 'ScriptRuntime'
            WHEN LOWER("Application") LIKE '%curl%' OR LOWER("Application") LIKE '%wget%' THEN 'CLI_Transfer'
            WHEN LOWER("Application") LIKE '%node%' THEN 'ScriptRuntime'
            WHEN LOWER("Application") LIKE '%wscript%' OR LOWER("Application") LIKE '%cscript%' THEN 'ScriptRuntime'
            WHEN LOWER("Application") LIKE '%mshta%' OR LOWER("Application") LIKE '%regsvr32%'
                OR LOWER("Application") LIKE '%rundll32%' OR LOWER("Application") LIKE '%msbuild%' THEN 'LOLBin'
            ELSE 'Other'
        END AS ProcessCategory
    FROM events
    -- Last 24 hours (starttime is in milliseconds)
    WHERE starttime > NOW() - 86400000
        -- Destination is a known AI API endpoint
        AND (
            LOWER("URL") LIKE '%api.openai.com%'
            OR LOWER("URL") LIKE '%api.anthropic.com%'
            OR LOWER("URL") LIKE '%generativelanguage.googleapis.com%'
            OR LOWER("URL") LIKE '%api.cohere.ai%'
            OR LOWER("URL") LIKE '%api-inference.huggingface.co%'
            OR LOWER("URL") LIKE '%api.mistral.ai%'
            OR LOWER("URL") LIKE '%api.together.xyz%'
            OR LOWER("URL") LIKE '%api.groq.com%'
            OR LOWER("URL") LIKE '%api.perplexity.ai%'
            OR LOWER("URL") LIKE '%api.replicate.com%'
            OR LOWER("URL") LIKE '%api.stability.ai%'
            OR LOWER("URL") LIKE '%api.ai21.com%'
            OR LOWER("URL") LIKE '%inference.azure.com%'
        )
        -- Initiating process is a scripting runtime, transfer CLI, or LOLBin
        AND (
            LOWER("Application") LIKE '%python%'
            OR LOWER("Application") LIKE '%powershell%'
            OR LOWER("Application") LIKE '%pwsh%'
            OR LOWER("Application") LIKE '%curl%'
            OR LOWER("Application") LIKE '%wget%'
            OR LOWER("Application") LIKE '%node%'
            OR LOWER("Application") LIKE '%wscript%'
            OR LOWER("Application") LIKE '%cscript%'
            OR LOWER("Application") LIKE '%mshta%'
            OR LOWER("Application") LIKE '%regsvr32%'
            OR LOWER("Application") LIKE '%rundll32%'
            OR LOWER("Application") LIKE '%msbuild%'
        )
    ORDER BY starttime DESC
    LIMIT 1000

Detects non-browser processes making outbound HTTPS connections to known AI API service endpoints. Queries QRadar proxy and firewall log sources for scripting runtimes and LOLBins contacting AI API domains, enriching results with process categorization to surface the highest-risk initiators first.
Data Sources
Required Tables
False Positives & Tuning
- Developer workstations with AI-assisted coding tools (GitHub Copilot, Codeium) using Python-based extensions
- Automated IT ops scripts calling AI APIs for log analysis or incident summarization
- Security orchestration platforms (SOAR) that query AI for enrichment
- Data pipelines running from servers that happen to share process name patterns
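The `LIKE '%...%'` patterns in the query match anywhere in the URL and the application path, which is one source of the false positives listed above. The following added example (not part of the original detection package) compares that substring logic with exact host and image-name matching. It assumes the "URL" field holds a full URL or a `host:port` CONNECT target and "Application" holds a full image path; the sample records, `NodeInspector` and `intranet.example` are constructed.

```python
import re
from ntpath import basename            # splits on both "\" and "/"
from urllib.parse import urlsplit

# Subset of the hosts and initiators listed in the query above.
AI_API_HOSTS = {"api.openai.com", "api.anthropic.com", "api.mistral.ai"}
INITIATORS = {
    "python": "ScriptRuntime", "powershell": "ScriptRuntime", "pwsh": "ScriptRuntime",
    "node": "ScriptRuntime", "curl": "CLI_Transfer", "wget": "CLI_Transfer",
    "mshta": "LOLBin", "regsvr32": "LOLBin", "rundll32": "LOLBin",
}

def like_match(url, app):
    """Reproduce the query's LIKE '%...%' semantics (substring anywhere)."""
    url, app = url.lower(), app.lower()
    return any(h in url for h in AI_API_HOSTS) and any(p in app for p in INITIATORS)

def exact_match(url, app):
    """Return the ProcessCategory when host and image name match exactly, else None."""
    # Proxy CONNECT entries are often logged as "host:port" with no scheme.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    image = re.sub(r"\.exe$", "", basename(app).lower())
    image = re.sub(r"^python[\d.]*$", "python", image)   # python3, python3.11
    return INITIATORS.get(image) if host.lower() in AI_API_HOSTS else None

# Constructed sample records: (URL, Application) as a proxy log source might report them.
SAMPLES = [
    ("https://api.openai.com/v1/chat/completions",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("api.mistral.ai:443", "/usr/bin/python3.11"),
    # AI API host appears only in the query string of an unrelated site.
    ("https://intranet.example/search?q=api.openai.com", r"C:\Python311\python.exe"),
    # "node" appears only in a parent directory name, not in the image name.
    ("https://api.anthropic.com/v1/messages",
     r"C:\Program Files\NodeInspector\inspector.exe"),
]

def compare(samples=SAMPLES):
    """Return (like_hit, exact_category) per record to expose the differences."""
    return [(like_match(u, a), exact_match(u, a)) for u, a in samples]

if __name__ == "__main__":
    for (url, app), (like_hit, category) in zip(SAMPLES, compare()):
        print(f"{like_hit!s:5} {category!s:13} {basename(app):16} {url}")
```

Records where the substring logic hits but the exact match returns no category are candidates for tightening the `LIKE` patterns or for a reference-set exclusion.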
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Non-Browser AI API Access via PowerShell
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'api.openai.com' and 'Invoke-WebRequest'. Sysmon Event ID 3: Network Connection to api.openai.com:443 (resolved IP) initiated by powershell.exe. Proxy log entry showing GET request to api.openai.com with non-browser User-Agent (WindowsPowerShell). Security Event ID 4688 if command-line auditing is enabled.
- Test 2: AI SDK Installation and API Connection via Python
  Expected signal: Sysmon Event ID 11: File Create events for openai package files under %APPDATA%\Python\Python3X\site-packages\openai\. Sysmon Event ID 1: python.exe process with command line containing 'openai' and 'api_key'. Sysmon Event ID 3: Network connection from python.exe to api.openai.com:443. pip.exe process creation downloading from pypi.org.
- Test 3: curl-Based AI API Simulation from Command Line
  Expected signal: Sysmon Event ID 1: curl.exe process creation with CommandLine containing 'api.openai.com', '-X POST', and the prompt content visible in the -d argument. Sysmon Event ID 3: Network connection from curl.exe to api.openai.com:443. Security Event ID 4688 with full command line if command-line auditing is enabled. Proxy logs showing POST to api.openai.com/v1/chat/completions with content-length from curl user agent.
- Test 4: AI API Environment Variable Key Storage Detection
  Expected signal: Sysmon Event ID 1: powershell.exe process with CommandLine containing OPENAI_API_KEY environment variable assignment. Sysmon Event ID 3: Network connection to api.openai.com:443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the full script including the API key value. Security Event ID 4688 with command line.
- Test 5: Linux AI API Script Execution Simulation
  Expected signal: Auditd SYSCALL execve records for curl process with argv containing api.openai.com. Syslog/auth.log process execution context. Network connection event in auditd SOCKADDR records showing TCP connection to api.openai.com:443. If network monitoring is enabled (Zeek/Suricata): HTTP/S SNI field showing api.openai.com in TLS ClientHello.