TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Huntress

Reflecting on AI in 2025: Faster Attacks, Same Old Tradecraft

2026-01-12

ATT&CK techniques detected

11 predictions

T1059.001 PowerShell (99%)
“…or execute attacks independently. Adversaries are using them as productivity aids to draft scripts, assemble commands, and summarise known techniques, not as autonomous offensive platforms or sources of fundamentally new exploitation methods, at scale. AI is therefore being used …”

T1059.001 PowerShell (98%)
“…and unusual structure. AI-verification tooling flagged it as machine-produced (the irony is not lost on us). On further examination, the script failed to execute, and defenders extinguished the activity. Basic security hygiene and telemetry remained the most effective contr…”

T1176.001 Browser Extensions (95%)
“…comprehensive comments, and organized formatting strongly suggest AI-assisted development. The extension masquerades as a Telegram-related tool with the title “Telegram Agent + Cookies”, leveraging the legitimate app's reputation to avoid suspicion. The pop-up UI provid…”

T1059.001 PowerShell (81%)
“…, and still trip the same detections if the defenders’ security posture is adequate in its foundations. Case study 1: AI-generated credential dumper. An intruder gained initial access via brute forcing RDP. Once in the network, they pivoted to credential access and executed a …”

T1176 Software Extensions (71%)
“…comprehensive comments, and organized formatting strongly suggest AI-assisted development. The extension masquerades as a Telegram-related tool with the title “Telegram Agent + Cookies”, leveraging the legitimate app's reputation to avoid suspicion. The pop-up UI provid…”

T1078 Valid Accounts (70%)
“…, and still trip the same detections if the defenders’ security posture is adequate in its foundations. Case study 1: AI-generated credential dumper. An intruder gained initial access via brute forcing RDP. Once in the network, they pivoted to credential access and executed a …”

T1555.003 Credentials from Web Browsers (62%)
“…. However, this wasn't the actor's first attempt. The actor had previously deployed “qb_check.ps1” on other hosts, targeting QuickBooks credentials, but the script claimed it would exfiltrate to Telegram while containing no Telegram functionality at all. A day later, “c…”

T1176.001 Browser Extensions (62%)
“…. However, this wasn't the actor's first attempt. The actor had previously deployed “qb_check.ps1” on other hosts, targeting QuickBooks credentials, but the script claimed it would exfiltrate to Telegram while containing no Telegram functionality at all. A day later, “c…”

T1078 Valid Accounts (41%)
“…should quell some fears around the AI apocalypse some commentators have foretold, but it should also disquiet organizations that have yet to achieve a foundational security posture. As is the case with many things in cybersecurity, achieving the security basics consistently sets …”

T1204.004 Malicious Copy and Paste (34%)
“…and unusual structure. AI-verification tooling flagged it as machine-produced (the irony is not lost on us). On further examination, the script failed to execute, and defenders extinguished the activity. Basic security hygiene and telemetry remained the most effective contr…”

T1195.001 Compromise Software Dependencies and Development Tools (33%)
“…exfiltrate folder contents. Several characteristics point to AI-generated code. The source contains verbose section headers with clearly delineated code blocks using ASCII separators like “//=====================”. Every function is thoroughly commented …”

Summary

Huntress reflects on how AI accelerated attacks in 2025 through automated, AI-drafted scripts, while adversaries kept relying on familiar tradecraft. Detection and basic security hygiene remain decisive.