- Tactics
- Discovery
- Maturity
- demonstrated
- Reference
- atlas.mitre.org/techniques/AML.T0089
Description
Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of common AI-related software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details.
Identifying the AI software stack can then lead an adversary to new targets and attack pathways. AI-related software may require application tokens to authenticate with backend services. This provides opportunities for Credential Access and Lateral Movement.
In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
How GTK Cyber trains on this
GTK Cyber's hands-on AI security courses cover adversarial-AI techniques across the MITRE ATLAS framework, including the Discovery tactic this technique falls under. Our practitioner-led training is taught by Charles Givre and other field-tested SMEs and focuses on real adversarial scenarios, not slide decks.
Related techniques
- AML.T0007 — Discover AI Artifacts
- AML.T0013 — Discover AI Model Ontology
- AML.T0014 — Discover AI Model Family
- AML.T0062 — Discover LLM Hallucinations
- AML.T0063 — Discover AI Model Outputs
- AML.T0069 — Discover LLM System Information
- AML.T0075 — Cloud Service Discovery
- AML.T0084 — Discover AI Agent Configuration