101 indexed
ATLASATLAS adversarial ML techniques
101 MITRE ATLAS top-level techniques covering the adversarial-ML attack surface, grouped by tactic. Authored by Adam Lundqvist.
101 across 16 categories
Resource Development13
| ID | Title | Summary |
|---|---|---|
| AML.T0002 | Acquire Public AI Artifacts | Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify AI artifacts. These AI a… |
| AML.T0008 | Acquire Infrastructure | Adversaries may buy, lease, or rent infrastructure for use throughout their operation. A wide variety of infrastructure exists for hosting and orchestrating ad… |
| AML.T0016 | Obtain Capabilities | Adversaries may search for and obtain software capabilities for use in their operations. Capabilities may be specific to AI-based attacks [Adversarial AI Attac… |
| AML.T0017 | Develop Capabilities | Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capa… |
| AML.T0019 | Publish Poisoned Datasets | Adversaries may [Poison Training Data](/techniques/AML.T0020) and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned va… |
| AML.T0020 | Poison Training Data | Adversaries may attempt to poison datasets used by an AI model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabiliti… |
| AML.T0021 | Establish Accounts | Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [AI Attack Staging](/tactics/AML.TA0001), or … |
| AML.T0058 | Publish Poisoned Models | Adversaries may publish a poisoned model to a public location such as a model registry or code repository. The poisoned model may be a novel model or a poisone… |
| AML.T0060 | Publish Hallucinated Entities | Adversaries may create an entity they control, such as a software package, website, or email address to a source hallucinated by an LLM. The hallucinations may… |
| AML.T0065 | LLM Prompt Crafting | Adversaries may use their acquired knowledge of the target generative AI system to craft prompts that bypass its defenses and allow malicious instructions to b… |
| AML.T0066 | Retrieval Content Crafting | Adversaries may write content designed to be retrieved by user queries and influence a user of the system in some way. This abuses the trust the user has in th… |
| AML.T0079 | Stage Capabilities | Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take… |
| AML.T0104 | Publish Poisoned AI Agent Tool | Adversaries may create and publish poisoned AI agent tools. Poisoned tools may contain an [LLM Prompt Injection](/techniques/AML.T0051), which can lead to a va… |
Defense Evasion12
| ID | Title | Summary |
|---|---|---|
| AML.T0067 | LLM Trusted Output Components Manipulation | Adversaries may utilize prompts to a large language model (LLM) which manipulate various components of its response in order to make it appear trustworthy to t… |
| AML.T0068 | LLM Prompt Obfuscation | Adversaries may hide or otherwise obfuscate prompt injections or retrieval content to avoid detection from humans, large language model (LLM) guardrails, or ot… |
| AML.T0071 | False RAG Entry Injection | Adversaries may introduce false entries into a victim's retrieval augmented generation (RAG) database. Content designed to be interpreted as a document by the … |
| AML.T0073 | Impersonation | Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, … |
| AML.T0074 | Masquerading | Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs … |
| AML.T0076 | Corrupt AI Model | An adversary may purposefully corrupt a malicious AI model file so that it cannot be successfully deserialized in order to evade detection by a model scanner. … |
| AML.T0092 | Manipulate User LLM Chat History | Adversaries may manipulate a user's large language model (LLM) chat history to cover the tracks of their malicious behavior. They may hide persistent changes t… |
| AML.T0094 | Delay Execution of LLM Instructions | Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in orde… |
| AML.T0097 | Virtualization/Sandbox Evasion | Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of … |
| AML.T0107 | Exploitation for Defense Evasion | Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advan… |
| AML.T0109 | AI Supply Chain Rug Pull | Adversaries may publish legitimate AI components or software, gain user adoption, then push an update with a malicious variant, leading to [AI Supply Chain Com… |
| AML.T0111 | AI Supply Chain Reputation Inflation | AI Supply Chain Reputation Inflation is the process of building or leveraging genuinely credible-looking trust signals to increase the perceived legitimacy of … |
Discovery9
| ID | Title | Summary |
|---|---|---|
| AML.T0007 | Discover AI Artifacts | Adversaries may search private sources to identify AI learning artifacts that exist on the system and gather information about them. These artifacts can includ… |
| AML.T0013 | Discover AI Model Ontology | Adversaries may discover the ontology of an AI model's output space, for example, the types of objects a model can detect. The adversary may discovery the onto… |
| AML.T0014 | Discover AI Model Family | Adversaries may discover the general family of model. General information about the model may be revealed in documentation, or the adversary may use carefully … |
| AML.T0062 | Discover LLM Hallucinations | Adversaries may prompt large language models and identify hallucinated entities. They may request software packages, commands, URLs, organization names, or e-m… |
| AML.T0063 | Discover AI Model Outputs | Adversaries may discover model outputs, such as class scores, whose presence is not required for the system to function and are not intended for use by the end… |
| AML.T0069 | Discover LLM System Information | The adversary is trying to discover something about the large language model's (LLM) system information. This may be found in a configuration file containing t… |
| AML.T0075 | Cloud Service Discovery | Adversaries may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), t… |
| AML.T0084 | Discover AI Agent Configuration | Adversaries may attempt to discover configuration information for AI agents present on the victim's system. Agent configurations can include tools or services … |
| AML.T0089 | Process Discovery | Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of commo… |
Impact8
| ID | Title | Summary |
|---|---|---|
| AML.T0029 | Denial of AI Service | Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service. Since many AI systems require sig… |
| AML.T0031 | Erode AI Model Integrity | Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time. This can lead to the victim or… |
| AML.T0034 | Cost Harvesting | Adversaries may deliberately drive a victim's AI services beyond normal operating capacity with the intent of increasing the cost of services. This may be achi… |
| AML.T0046 | Spamming AI System with Chaff Data | Adversaries may spam the AI system with chaff data that causes increase in the number of detections. This can cause analysts at the victim organization to wast… |
| AML.T0048 | External Harms | Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system. Th… |
| AML.T0059 | Erode Dataset Integrity | Adversaries may poison or manipulate portions of a dataset to reduce its usefulness, reduce trust, and cause users to waste resources correcting errors. |
| AML.T0101 | Data Destruction via AI Agent Tool Invocation | Adversaries may invoke an AI agent's tool capable of performing mutative operations to perform Data Destruction. Adversaries may destroy data and files on spec… |
| AML.T0112 | Machine Compromise | Adversaries may compromise a machine by exploiting or manipulating AI-enabled components on the system. Compromising a victim system allows the adversary to ex… |
Reconnaissance8
| ID | Title | Summary |
|---|---|---|
| AML.T0000 | Search Open Technical Databases | Adversaries may search for publicly available research and technical documentation to learn how and where AI is used within a victim organization. The adversar… |
| AML.T0001 | Search Open AI Vulnerability Analysis | Much like the [Search Open Technical Databases](/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common AI models. Onc… |
| AML.T0003 | Search Victim-Owned Websites | Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details abou… |
| AML.T0004 | Search Application Repositories | Adversaries may search open application repositories during targeting. Examples of these include Google Play, the iOS App store, the macOS App Store, and the M… |
| AML.T0006 | Active Scanning | An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve… |
| AML.T0064 | Gather RAG-Indexed Targets | Adversaries may identify data sources used in retrieval augmented generation (RAG) systems for targeting purposes. By pinpointing these sources, attackers can … |
| AML.T0087 | Gather Victim Identity Information | Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details… |
| AML.T0095 | Search Open Websites/Domains | Adversaries may search public websites and/or domains for information about victims that can be used during targeting. Information about victims may be availab… |
Initial Access7
| ID | Title | Summary |
|---|---|---|
| AML.T0010 | AI Supply Chain Compromise | Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include [Hardware](/techniques/AML.T0010… |
| AML.T0012 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and password… |
| AML.T0015 | Evade AI Model | Adversaries can [Craft Adversarial Data](/techniques/AML.T0043) that prevents an AI model from correctly identifying the contents of the data or [Generate Deep… |
| AML.T0049 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintende… |
| AML.T0052 | Phishing | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be… |
| AML.T0078 | Drive-by Compromise | Adversaries may gain access to an AI system through a user visiting a website over the normal course of browsing, or an AI agent retrieving information from th… |
| AML.T0093 | Prompt Infiltration via Public-Facing Application | An adversary may introduce malicious prompts into the victim's system via a public-facing application with the intention of it being ingested by an AI at some … |
Persistence7
| ID | Title | Summary |
|---|---|---|
| AML.T0018 | Manipulate AI Model | Adversaries may directly manipulate an AI model to change its behavior or introduce malicious code. Manipulating a model gives the adversary a persistent chang… |
| AML.T0061 | LLM Prompt Self-Replication | An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to cause the LLM to replicate the prompt as part of its output.… |
| AML.T0070 | RAG Poisoning | Adversaries may inject malicious content into data indexed by a retrieval augmented generation (RAG) system to contaminate a future thread through RAG-based se… |
| AML.T0080 | AI Agent Context Poisoning | Adversaries may attempt to manipulate the context used by an AI agent's large language model (LLM) to influence the responses it generates or actions it takes.… |
| AML.T0081 | Modify AI Agent Configuration | Adversaries may modify the configuration files for AI agents on a system. This allows malicious changes to persist beyond the life of a single agent and affect… |
| AML.T0099 | AI Agent Tool Data Poisoning | Adversaries may place malicious content on a victim's system where it can be retrieved by an AI Agent Tool. This may be accomplished by placing documents in a … |
| AML.T0110 | AI Agent Tool Poisoning | Adversaries may achieve persistence by poisoning tools used by AI agents including built-in tools or tools available to the agent via Model Context Protocol (M… |
Credential Access6
| ID | Title | Summary |
|---|---|---|
| AML.T0055 | Unsecured Credentials | Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations… |
| AML.T0082 | RAG Credential Harvesting | Adversaries may attempt to use their access to a large language model (LLM) on the victim's system to collect credentials. Credentials may be stored in interna… |
| AML.T0083 | Credentials from AI Agent Configuration | Adversaries may access the credentials of other tools or services on a system from the configuration of an AI agent. AI Agents often utilize external tools or… |
| AML.T0090 | OS Credential Dumping | Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash o… |
| AML.T0098 | AI Agent Tool Credential Harvesting | Adversaries may attempt to use their access to an AI agent on the victim's system to retrieve data from available agent tools to collect credentials. Agent too… |
| AML.T0106 | Exploitation for Credential Access | Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes … |
Execution6
| ID | Title | Summary |
|---|---|---|
| AML.T0011 | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain C… |
| AML.T0050 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting wit… |
| AML.T0051 | LLM Prompt Injection | An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways. These "prompt injections" are often designed to caus… |
| AML.T0053 | AI Agent Tool Invocation | Adversaries may use their access to an AI agent to invoke tools the agent has access to. LLMs are often connected to other services or resources via tools to i… |
| AML.T0100 | AI Agent Clickbait | Adversaries may craft deceptive web content designed to bait Computer-Using AI agents or AI web browsers into taking unintended actions, such as clicking butto… |
| AML.T0103 | Deploy AI Agent | Adversaries may launch AI agents in the victim's environment to execute actions on their behalf. AI agents may have access to a wide range of tools and data so… |
Exfiltration6
| ID | Title | Summary |
|---|---|---|
| AML.T0024 | Exfiltration via AI Inference API | Adversaries may exfiltrate private information via [AI Model Inference API Access](/techniques/AML.T0040). AI Models have been shown leak private information a… |
| AML.T0025 | Exfiltration via Cyber Means | Adversaries may exfiltrate AI artifacts or other information relevant to their goals via traditional cyber means. See the ATT&CK [Exfiltration](https://attack… |
| AML.T0056 | Extract LLM System Prompt | Adversaries may attempt to extract a large language model's (LLM) system prompt. This can be done via prompt injection to induce the model to reveal its own sy… |
| AML.T0057 | LLM Data Leakage | Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked info… |
| AML.T0077 | LLM Response Rendering | An adversary may get a large language model (LLM) to respond with private information that is hidden from the user when the response is rendered by the user's … |
| AML.T0086 | Exfiltration via AI Agent Tool Invocation | AI agent tools capable of performing write operations may be invoked to exfiltrate data to an adversary. Sensitive information can be encoded into the tool's i… |
Ai Attack Staging5
| ID | Title | Summary |
|---|---|---|
| AML.T0005 | Create Proxy AI Model | Adversaries may obtain models to serve as proxies for the target model in use at the victim organization. Proxy models are used to simulate complete access to … |
| AML.T0042 | Verify Attack | Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model. This gives the adversary confidence … |
| AML.T0043 | Craft Adversarial Data | Adversarial data are inputs to an AI model that have been modified such that they cause the adversary's desired effect in the target model. Effects can range f… |
| AML.T0088 | Generate Deepfakes | Adversaries may use generative artificial intelligence (GenAI) to create synthetic media (i.e. imagery, video, audio, and text) that appear authentic. These "[… |
| AML.T0102 | Generate Malicious Commands | Adversaries may use large language models (LLMs) to dynamically generate malicious commands from natural language. Dynamically generated commands may be harder… |
Ai Model Access4
| ID | Title | Summary |
|---|---|---|
| AML.T0040 | AI Model Inference API Access | Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary ([Disco… |
| AML.T0041 | Physical Environment Access | In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks. If the model … |
| AML.T0044 | Full AI Model Access | Adversaries may gain full "white-box" access to an AI model. This means the adversary has complete knowledge of the model architecture, its parameters, and cla… |
| AML.T0047 | AI-Enabled Product or Service | Adversaries may use a product or service that uses artificial intelligence under the hood to gain access to the underlying AI model. This type of indirect mode… |
Collection4
| ID | Title | Summary |
|---|---|---|
| AML.T0035 | AI Artifact Collection | Adversaries may collect AI artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [AI Attack Staging](/tactics/AML.TA0001). AI artifacts include model… |
| AML.T0036 | Data from Information Repositories | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typic… |
| AML.T0037 | Data from Local System | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prio… |
| AML.T0085 | Data from AI Services | Adversaries may use their access to a victim organization's AI-enabled services to collect proprietary or otherwise sensitive information. As organizations ado… |
Command And Control3
| ID | Title | Summary |
|---|---|---|
| AML.T0072 | Reverse Shell | Adversaries may utilize a reverse shell to communicate and control the victim system. Typically, a user uses a client to connect to a remote machine which is … |
| AML.T0096 | AI Service API | Adversaries may communicate using the API of an AI service on the victim's system. The adversary's commands to the victim system, and often the results, are em… |
| AML.T0108 | AI Agent | Adversaries may abuse AI agents present on the victim's system for command and control. AI agents are often granted access to tools that can execute shell comm… |
Privilege Escalation2
| ID | Title | Summary |
|---|---|---|
| AML.T0054 | LLM Jailbreak | Adversaries may induce a large language model (LLM) to ignore, circumvent, or override its safety/alignment behaviors and/or guardails to elicit outputs the mo… |
| AML.T0105 | Escape to Host | Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containe… |
Lateral Movement1
| ID | Title | Summary |
|---|---|---|
| AML.T0091 | Use Alternate Authentication Material | Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally wit… |