title: Artificial Intelligence (T1588.007)
id: df00tech-t1588-007
status: experimental
description: >-
  Adversaries may obtain access to generative artificial intelligence tools, such as large language
  models (LLMs), to aid various techniques during targeting. These tools may be used to inform,
  bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating
  basic scripts, assisting social engineering, and developing payloads. By utilizing publicly
  available LLMs, adversaries effectively outsource or automate attack preparation tasks: drafting
  multilingual phishing content, accelerating vulnerability research, generating or refining
  malicious scripts, and producing AI-generated media (text, audio, images, video) for fraud and
  impersonation.

  Detection of this pre-compromise technique is challenging because AI tool access typically occurs
  on adversary-controlled infrastructure. Detectable signals pivot to: programmatic (non-browser) AI
  API access from corporate endpoints indicating possible insider threat or compromised workstation;
  large data uploads to AI services suggesting sensitive data exfiltration via prompt injection; and
  downstream behavioral indicators of AI-assisted tooling (unusually well-formed payloads,
  high-quality phishing lures, novel script obfuscation patterns).
references:
  - https://attack.mitre.org/techniques/T1588/007/
  - https://df00tech.com/detections/T1588.007
author: df00tech
date: 2026/04/13
tags:
  - attack.t1588.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
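  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches any event that carries an
  # EventID field, so it selects on nothing specific to this technique. Replace it with the
  # translated logic before deploying the rule.
  selection:
    EventID: '*'
  condition: selection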
falsepositives:
  - Software developers and data scientists running Python/Node.js scripts that legitimately call AI APIs for authorized product features or research
  - "Corporate AI chatbot integrations (Teams bots, helpdesk automation, CI/CD pipelines) that make programmatic API calls from internal servers"
  - Security tooling using AI APIs for threat intelligence enrichment or automated triage
  - "IT automation scripts (PowerShell DSC, Ansible-driven scripts) that invoke AI APIs for summarization or classification tasks"
  - "Developer workstations running local AI model inference tools (Ollama, LM Studio) that proxy to cloud APIs for model pulling"
level: medium
