Resource Development

T1588.007: Artificial Intelligence


T1588.007 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)

For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in Phishing/Phishing for Information campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting Develop Capabilities. AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., Obfuscated Files or Information) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, Impersonation, and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)

Platforms

PRE

Mitigations (1)

M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) appears to have used AI to generate images and content to facilitate their campaign... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has deployed [LAMEHUG](https://attack.mitre.org/software/S9035), which can query an LLM to generate ... |

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S9039 | LazyWiper | Malware | [LazyWiper](https://attack.mitre.org/software/S9039) is believed to have been generated by a large language model (LLM) due to the non-sensical commen... |

Frequently Asked Questions

What is T1588.007 (Artificial Intelligence)?

T1588.007 is a MITRE ATT&CK sub-technique named 'Artificial Intelligence'. It belongs to the Resource Development tactic. Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and even developing payloads.

How can T1588.007 be detected?

Detection of T1588.007 (Artificial Intelligence) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1588.007?

There is 1 documented mitigation for T1588.007: M1056 Pre-compromise.

Which threat groups use T1588.007?

Known threat groups using T1588.007 include: Contagious Interview, APT28.