Process Discovery - AI Security Technique

Record summary

A quick snapshot of what this page covers.

Tactics1Attacker goals connected to this method.

Mitigations0Defenses that may help against this attack.

AI risks0Research-backed risks connected to this topic.

Attack context

How this AI attack works in practice.

Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of common AI-related software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details.

Identifying the AI software stack can then lead an adversary to new targets and attack pathways. AI-related software may require application tokens to authenticate with backend services. This provides opportunities for Credential Access and Lateral Movement.

In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

ATLAS ID: AML.T0089
ATT&CK external ID: T1057
Priority score: 30

Maturity: demonstrated

Discovery

Mitigations

Defenses that may help against this attack.

No connected defenses. No defense is connected to this attack in the current data.

Case studies

Examples from public reports and exercises.

AIKatz: Attacking LLM Desktop Applications

exercise

Date2025-01-01

Researchers at Lumia have demonstrated that it is possible to extract authentication tokens from the memory of LLM Desktop Applications. An attacker could then use those tokens to impersonate as the victim to the LLM backed, thereby gaining access to the victim’s conversations as well as the ability to interfere in future conversations. The attacker’s access would allow them the ability to directly inject prompts to change the LLM’s behavior, poison the LLM’s context to have persistent effects, manipulate the user’s conversation history to cover their tracks, and ultimately impact the confidentiality, integrity, and availability of the system. The researchers demonstrated this on Anthropic Claude, Microsoft M365 Copilot, and OpenAI ChatGPT.

Vendor Responses to Responsible Disclosure:

Anthropic (HackerOne) - Closed as informational since local attack.
Microsoft Security Response Center - Attack doesn’t bypass security boundaries for CVE.
OpenAI (BugCrowd) - Closed as informational and noted that it’s up to Microsoft to patch this behavior.

Related risks

Research-backed risks connected to this topic.

No related AI risks. No research risk is connected to this topic in the current data.

Related CVEs

Known software flaws linked to this context.

No related CVEs. No software flaw is connected to this attack in the current data.

Source

Where this page information comes from.

Original source

Original source links

Open the public records and source datasets used for this page.

Repositoryhttps://github.com/mitre-atlas/atlas-data ATLAS.yamlhttps://github.com/mitre-atlas/atlas-data/blob/main/dist/ATLAS.yaml Schemahttps://github.com/mitre-atlas/atlas-data/blob/main/dist/schemas/atlas_output_schema.json MITRE ATT&CK mappinghttps://attack.mitre.org/techniques/T1057/