{"framework":"MITRE ATLAS v5.1.0","total_tactics":16,"total_techniques":167,"total_safe_ai_threats":20,"tactics":[{"tactic_id":"AML.TA0000","name":"AI Model Access","description":"The adversary is attempting to gain some level of access to an AI model. AI Model Access enables techniques that use various types of access to the AI model that can be used by the adversary to gain information, develop attacks, and as a means to in","technique_count":4,"techniques":[{"id":"AML.T0040","name":"AI Model Inference API Access","is_subtechnique":false},{"id":"AML.T0041","name":"Physical Environment Access","is_subtechnique":false},{"id":"AML.T0044","name":"Full AI Model Access","is_subtechnique":false},{"id":"AML.T0047","name":"AI-Enabled Product or Service","is_subtechnique":false}]},{"tactic_id":"AML.TA0001","name":"AI Attack Staging","description":"The adversary is leveraging their knowledge of and access to the target system to tailor the attack. AI Attack Staging consists of techniques adversaries use to prepare their attack on the target AI model. Techniques can include training proxy model","technique_count":16,"techniques":[{"id":"AML.T0005","name":"Create Proxy AI Model","is_subtechnique":false},{"id":"AML.T0005.000","name":"Train Proxy via Gathered AI Artifacts","is_subtechnique":true},{"id":"AML.T0005.001","name":"Train Proxy via Replication","is_subtechnique":true},{"id":"AML.T0005.002","name":"Use Pre-Trained Model","is_subtechnique":true},{"id":"AML.T0018","name":"Manipulate AI Model","is_subtechnique":false},{"id":"AML.T0018.000","name":"Poison AI Model","is_subtechnique":true},{"id":"AML.T0018.001","name":"Modify AI Model Architecture","is_subtechnique":true},{"id":"AML.T0042","name":"Verify Attack","is_subtechnique":false},{"id":"AML.T0043","name":"Craft Adversarial Data","is_subtechnique":false},{"id":"AML.T0043.000","name":"White-Box Optimization","is_subtechnique":true},{"id":"AML.T0043.001","name":"Black-Box Optimization","is_subtechnique":true},{"id":"AML.T0043.002","name":"Black-Box Transfer","is_subtechnique":true},{"id":"AML.T0043.003","name":"Manual Modification","is_subtechnique":true},{"id":"AML.T0043.004","name":"Insert Backdoor Trigger","is_subtechnique":true},{"id":"AML.T0088","name":"Generate Deepfakes","is_subtechnique":false},{"id":"AML.T0102","name":"Generate Malicious Commands","is_subtechnique":false}]},{"tactic_id":"AML.TA0002","name":"Reconnaissance","description":"The adversary is trying to gather information about the AI system they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targetin","technique_count":11,"techniques":[{"id":"AML.T0000","name":"Search Open Technical Databases","is_subtechnique":false},{"id":"AML.T0000.000","name":"Journals and Conference Proceedings","is_subtechnique":true},{"id":"AML.T0000.001","name":"Pre-Print Repositories","is_subtechnique":true},{"id":"AML.T0000.002","name":"Technical Blogs","is_subtechnique":true},{"id":"AML.T0001","name":"Search Open AI Vulnerability Analysis","is_subtechnique":false},{"id":"AML.T0003","name":"Search Victim-Owned Websites","is_subtechnique":false},{"id":"AML.T0004","name":"Search Application Repositories","is_subtechnique":false},{"id":"AML.T0006","name":"Active Scanning","is_subtechnique":false},{"id":"AML.T0064","name":"Gather RAG-Indexed Targets","is_subtechnique":false},{"id":"AML.T0087","name":"Gather Victim Identity Information","is_subtechnique":false},{"id":"AML.T0095","name":"Search Open Websites/Domains","is_subtechnique":false}]},{"tactic_id":"AML.TA0003","name":"Resource Development","description":"The adversary is trying to establish resources they can use to support operations. Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. S","technique_count":22,"techniques":[{"id":"AML.T0002","name":"Acquire Public AI Artifacts","is_subtechnique":false},{"id":"AML.T0002.000","name":"Datasets","is_subtechnique":true},{"id":"AML.T0002.001","name":"Models","is_subtechnique":true},{"id":"AML.T0008","name":"Acquire Infrastructure","is_subtechnique":false},{"id":"AML.T0008.000","name":"AI Development Workspaces","is_subtechnique":true},{"id":"AML.T0008.001","name":"Consumer Hardware","is_subtechnique":true},{"id":"AML.T0011.002","name":"Poisoned AI Agent Tool","is_subtechnique":true},{"id":"AML.T0011.003","name":"Malicious Link","is_subtechnique":true},{"id":"AML.T0016","name":"Obtain Capabilities","is_subtechnique":false},{"id":"AML.T0016.000","name":"Adversarial AI Attack Implementations","is_subtechnique":true},{"id":"AML.T0016.001","name":"Software Tools","is_subtechnique":true},{"id":"AML.T0017","name":"Develop Capabilities","is_subtechnique":false},{"id":"AML.T0017.000","name":"Adversarial AI Attacks","is_subtechnique":true},{"id":"AML.T0019","name":"Publish Poisoned Datasets","is_subtechnique":false},{"id":"AML.T0020","name":"Poison Training Data","is_subtechnique":false},{"id":"AML.T0021","name":"Establish Accounts","is_subtechnique":false},{"id":"AML.T0058","name":"Publish Poisoned Models","is_subtechnique":false},{"id":"AML.T0060","name":"Publish Hallucinated Entities","is_subtechnique":false},{"id":"AML.T0065","name":"LLM Prompt Crafting","is_subtechnique":false},{"id":"AML.T0066","name":"Retrieval Content Crafting","is_subtechnique":false},{"id":"AML.T0079","name":"Stage Capabilities","is_subtechnique":false},{"id":"AML.T0104","name":"Publish Poisoned AI Agent Tool","is_subtechnique":false}]},{"tactic_id":"AML.TA0004","name":"Initial Access","description":"The adversary is trying to gain access to the AI system. The target system could be a network, mobile device, or an edge device such as a sensor platform. The AI capabilities used by the system could be local with onboard or cloud-enabled AI capabil","technique_count":12,"techniques":[{"id":"AML.T0010","name":"AI Supply Chain Compromise","is_subtechnique":false},{"id":"AML.T0010.000","name":"Hardware","is_subtechnique":true},{"id":"AML.T0010.001","name":"AI Software","is_subtechnique":true},{"id":"AML.T0010.002","name":"Data","is_subtechnique":true},{"id":"AML.T0010.003","name":"Model","is_subtechnique":true},{"id":"AML.T0012","name":"Valid Accounts","is_subtechnique":false},{"id":"AML.T0015","name":"Evade AI Model","is_subtechnique":false},{"id":"AML.T0049","name":"Exploit Public-Facing Application","is_subtechnique":false},{"id":"AML.T0052","name":"Phishing","is_subtechnique":false},{"id":"AML.T0052.000","name":"Spearphishing via Social Engineering LLM","is_subtechnique":true},{"id":"AML.T0078","name":"Drive-by Compromise","is_subtechnique":false},{"id":"AML.T0093","name":"Prompt Infiltration via Public-Facing Application","is_subtechnique":false}]},{"tactic_id":"AML.TA0005","name":"Execution","description":"The adversary is trying to run malicious code embedded in AI artifacts or software. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired wi","technique_count":9,"techniques":[{"id":"AML.T0011","name":"User Execution","is_subtechnique":false},{"id":"AML.T0011.000","name":"Unsafe AI Artifacts","is_subtechnique":true},{"id":"AML.T0050","name":"Command and Scripting Interpreter","is_subtechnique":false},{"id":"AML.T0051","name":"LLM Prompt Injection","is_subtechnique":false},{"id":"AML.T0051.000","name":"Direct","is_subtechnique":true},{"id":"AML.T0051.001","name":"Indirect","is_subtechnique":true},{"id":"AML.T0053","name":"AI Agent Tool Invocation","is_subtechnique":false},{"id":"AML.T0100","name":"AI Agent Clickbait","is_subtechnique":false},{"id":"AML.T0103","name":"Deploy AI Agent","is_subtechnique":false}]},{"tactic_id":"AML.TA0006","name":"Persistence","description":"The adversary is trying to maintain their foothold via AI artifacts or software. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their","technique_count":18,"techniques":[{"id":"AML.T0010.005","name":"AI Agent Tool","is_subtechnique":true},{"id":"AML.T0018","name":"Manipulate AI Model","is_subtechnique":false},{"id":"AML.T0018.000","name":"Poison AI Model","is_subtechnique":true},{"id":"AML.T0018.001","name":"Modify AI Model Architecture","is_subtechnique":true},{"id":"AML.T0020","name":"Poison Training Data","is_subtechnique":false},{"id":"AML.T0034.000","name":"Excessive Queries","is_subtechnique":true},{"id":"AML.T0034.001","name":"Resource-Intensive Queries","is_subtechnique":true},{"id":"AML.T0034.002","name":"Agentic Resource Consumption","is_subtechnique":true},{"id":"AML.T0061","name":"LLM Prompt Self-Replication","is_subtechnique":false},{"id":"AML.T0070","name":"RAG Poisoning","is_subtechnique":false},{"id":"AML.T0080","name":"AI Agent Context Poisoning","is_subtechnique":false},{"id":"AML.T0080.000","name":"Memory","is_subtechnique":true},{"id":"AML.T0080.001","name":"Thread","is_subtechnique":true},{"id":"AML.T0081","name":"Modify AI Agent Configuration","is_subtechnique":false},{"id":"AML.T0084.003","name":"Call Chains","is_subtechnique":true},{"id":"AML.T0093","name":"Prompt Infiltration via Public-Facing Application","is_subtechnique":false},{"id":"AML.T0099","name":"AI Agent Tool Data Poisoning","is_subtechnique":false},{"id":"AML.T0110","name":"AI Agent Tool Poisoning","is_subtechnique":false}]},{"tactic_id":"AML.TA0007","name":"Defense Evasion","description":"The adversary is trying to avoid being detected by AI-enabled security software. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include evading AI-enabl","technique_count":20,"techniques":[{"id":"AML.T0010.004","name":"Container Registry","is_subtechnique":true},{"id":"AML.T0015","name":"Evade AI Model","is_subtechnique":false},{"id":"AML.T0018.002","name":"Embed Malware","is_subtechnique":true},{"id":"AML.T0051.002","name":"Triggered","is_subtechnique":true},{"id":"AML.T0054","name":"LLM Jailbreak","is_subtechnique":false},{"id":"AML.T0067","name":"LLM Trusted Output Components Manipulation","is_subtechnique":false},{"id":"AML.T0067.000","name":"Citations","is_subtechnique":true},{"id":"AML.T0068","name":"LLM Prompt Obfuscation","is_subtechnique":false},{"id":"AML.T0071","name":"False RAG Entry Injection","is_subtechnique":false},{"id":"AML.T0073","name":"Impersonation","is_subtechnique":false},{"id":"AML.T0074","name":"Masquerading","is_subtechnique":false},{"id":"AML.T0076","name":"Corrupt AI Model","is_subtechnique":false},{"id":"AML.T0081","name":"Modify AI Agent Configuration","is_subtechnique":false},{"id":"AML.T0091.000","name":"Application Access Token","is_subtechnique":true},{"id":"AML.T0092","name":"Manipulate User LLM Chat History","is_subtechnique":false},{"id":"AML.T0094","name":"Delay Execution of LLM Instructions","is_subtechnique":false},{"id":"AML.T0097","name":"Virtualization/Sandbox Evasion","is_subtechnique":false},{"id":"AML.T0107","name":"Exploitation for Defense Evasion","is_subtechnique":false},{"id":"AML.T0109","name":"AI Supply Chain Rug Pull","is_subtechnique":false},{"id":"AML.T0111","name":"AI Supply Chain Reputation Inflation","is_subtechnique":false}]},{"tactic_id":"AML.TA0008","name":"Discovery","description":"The adversary is trying to figure out your AI environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves","technique_count":18,"techniques":[{"id":"AML.T0007","name":"Discover AI Artifacts","is_subtechnique":false},{"id":"AML.T0008.002","name":"Domains","is_subtechnique":true},{"id":"AML.T0008.003","name":"Physical Countermeasures","is_subtechnique":true},{"id":"AML.T0013","name":"Discover AI Model Ontology","is_subtechnique":false},{"id":"AML.T0014","name":"Discover AI Model Family","is_subtechnique":false},{"id":"AML.T0016.002","name":"Generative AI","is_subtechnique":true},{"id":"AML.T0062","name":"Discover LLM Hallucinations","is_subtechnique":false},{"id":"AML.T0063","name":"Discover AI Model Outputs","is_subtechnique":false},{"id":"AML.T0069","name":"Discover LLM System Information","is_subtechnique":false},{"id":"AML.T0069.000","name":"Special Character Sets","is_subtechnique":true},{"id":"AML.T0069.001","name":"System Instruction Keywords","is_subtechnique":true},{"id":"AML.T0069.002","name":"System Prompt","is_subtechnique":true},{"id":"AML.T0075","name":"Cloud Service Discovery","is_subtechnique":false},{"id":"AML.T0084","name":"Discover AI Agent Configuration","is_subtechnique":false},{"id":"AML.T0084.000","name":"Embedded Knowledge","is_subtechnique":true},{"id":"AML.T0084.001","name":"Tool Definitions","is_subtechnique":true},{"id":"AML.T0084.002","name":"Activation Triggers","is_subtechnique":true},{"id":"AML.T0089","name":"Process Discovery","is_subtechnique":false}]},{"tactic_id":"AML.TA0009","name":"Collection","description":"The adversary is trying to gather AI artifacts and other related information relevant to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to follo","technique_count":6,"techniques":[{"id":"AML.T0035","name":"AI Artifact Collection","is_subtechnique":false},{"id":"AML.T0036","name":"Data from Information Repositories","is_subtechnique":false},{"id":"AML.T0037","name":"Data from Local System","is_subtechnique":false},{"id":"AML.T0085","name":"Data from AI Services","is_subtechnique":false},{"id":"AML.T0085.000","name":"RAG Databases","is_subtechnique":true},{"id":"AML.T0085.001","name":"AI Agent Tools","is_subtechnique":true}]},{"tactic_id":"AML.TA0010","name":"Exfiltration","description":"The adversary is trying to steal AI artifacts or other information about the AI system. Exfiltration consists of techniques that adversaries may use to steal data from your network. Data may be stolen for its valuable intellectual property, or for u","technique_count":10,"techniques":[{"id":"AML.T0008.004","name":"Serverless","is_subtechnique":true},{"id":"AML.T0024","name":"Exfiltration via AI Inference API","is_subtechnique":false},{"id":"AML.T0024.000","name":"Infer Training Data Membership","is_subtechnique":true},{"id":"AML.T0024.001","name":"Invert AI Model","is_subtechnique":true},{"id":"AML.T0024.002","name":"Extract AI Model","is_subtechnique":true},{"id":"AML.T0025","name":"Exfiltration via Cyber Means","is_subtechnique":false},{"id":"AML.T0056","name":"Extract LLM System Prompt","is_subtechnique":false},{"id":"AML.T0057","name":"LLM Data Leakage","is_subtechnique":false},{"id":"AML.T0077","name":"LLM Response Rendering","is_subtechnique":false},{"id":"AML.T0086","name":"Exfiltration via AI Agent Tool Invocation","is_subtechnique":false}]},{"tactic_id":"AML.TA0011","name":"Impact","description":"The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your AI systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational p","technique_count":18,"techniques":[{"id":"AML.T0008.005","name":"AI Service Proxies","is_subtechnique":true},{"id":"AML.T0011.001","name":"Malicious Package","is_subtechnique":true},{"id":"AML.T0015","name":"Evade AI Model","is_subtechnique":false},{"id":"AML.T0029","name":"Denial of AI Service","is_subtechnique":false},{"id":"AML.T0031","name":"Erode AI Model Integrity","is_subtechnique":false},{"id":"AML.T0034","name":"Cost Harvesting","is_subtechnique":false},{"id":"AML.T0046","name":"Spamming AI System with Chaff Data","is_subtechnique":false},{"id":"AML.T0048","name":"External Harms","is_subtechnique":false},{"id":"AML.T0048.000","name":"Financial Harm","is_subtechnique":true},{"id":"AML.T0048.001","name":"Reputational Harm","is_subtechnique":true},{"id":"AML.T0048.002","name":"Societal Harm","is_subtechnique":true},{"id":"AML.T0048.003","name":"User Harm","is_subtechnique":true},{"id":"AML.T0048.004","name":"AI Intellectual Property Theft","is_subtechnique":true},{"id":"AML.T0059","name":"Erode Dataset Integrity","is_subtechnique":false},{"id":"AML.T0101","name":"Data Destruction via AI Agent Tool Invocation","is_subtechnique":false},{"id":"AML.T0112","name":"Machine Compromise","is_subtechnique":false},{"id":"AML.T0112.000","name":"Local AI Agent","is_subtechnique":true},{"id":"AML.T0112.001","name":"AI Artifacts","is_subtechnique":true}]},{"tactic_id":"AML.TA0012","name":"Privilege Escalation","description":"The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged a","technique_count":4,"techniques":[{"id":"AML.T0012","name":"Valid Accounts","is_subtechnique":false},{"id":"AML.T0053","name":"AI Agent Tool Invocation","is_subtechnique":false},{"id":"AML.T0054","name":"LLM Jailbreak","is_subtechnique":false},{"id":"AML.T0105","name":"Escape to Host","is_subtechnique":false}]},{"tactic_id":"AML.TA0013","name":"Credential Access","description":"The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legi","technique_count":6,"techniques":[{"id":"AML.T0055","name":"Unsecured Credentials","is_subtechnique":false},{"id":"AML.T0082","name":"RAG Credential Harvesting","is_subtechnique":false},{"id":"AML.T0083","name":"Credentials from AI Agent Configuration","is_subtechnique":false},{"id":"AML.T0090","name":"OS Credential Dumping","is_subtechnique":false},{"id":"AML.T0098","name":"AI Agent Tool Credential Harvesting","is_subtechnique":false},{"id":"AML.T0106","name":"Exploitation for Credential Access","is_subtechnique":false}]},{"tactic_id":"AML.TA0014","name":"Command and Control","description":"The adversary is trying to communicate with compromised AI systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly att","technique_count":3,"techniques":[{"id":"AML.T0072","name":"Reverse Shell","is_subtechnique":false},{"id":"AML.T0096","name":"AI Service API","is_subtechnique":false},{"id":"AML.T0108","name":"AI Agent","is_subtechnique":false}]},{"tactic_id":"AML.TA0015","name":"Lateral Movement","description":"The adversary is trying to move through your AI environment. Lateral Movement consists of techniques that adversaries may use to gain access to and control other systems or components in the environment. Adversaries may pivot towards AI Ops infrastr","technique_count":3,"techniques":[{"id":"AML.T0052","name":"Phishing","is_subtechnique":false},{"id":"AML.T0052.000","name":"Spearphishing via Social Engineering LLM","is_subtechnique":true},{"id":"AML.T0091","name":"Use Alternate Authentication Material","is_subtechnique":false}]}],"llm_specific_techniques":[{"id":"AML.T0051","name":"LLM Prompt Injection","tactic_names":["Execution"],"description":"An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways. These \"prompt injections\" are often designed to cause the model to ignore aspects of its or"},{"id":"AML.T0052.000","name":"Spearphishing via Social Engineering LLM","tactic_names":["Initial Access","Lateral Movement"],"description":"Adversaries may turn LLMs into targeted social engineers. LLMs are capable of interacting with users via text conversations. They can be instructed by an adversary to seek sensitive information from a"},{"id":"AML.T0054","name":"LLM Jailbreak","tactic_names":["Privilege Escalation","Defense Evasion"],"description":"An adversary may target the inputs or the architecture of an LLM, placing it in a state where it will freely respond to user input, bypassing any controls, restrictions, or guardrails placed on the LL"},{"id":"AML.T0056","name":"Extract LLM System Prompt","tactic_names":["Exfiltration"],"description":"Adversaries may attempt to extract a large language model's (LLM) system prompt. This can be done via prompt injection to induce the model to reveal its own system prompt or may be extracted from a co"},{"id":"AML.T0057","name":"LLM Data Leakage","tactic_names":["Exfiltration"],"description":"Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked information may come from proprietary trainin"},{"id":"AML.T0061","name":"LLM Prompt Self-Replication","tactic_names":["Persistence"],"description":"An adversary may use a carefully crafted LLM Prompt Injection designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on "},{"id":"AML.T0062","name":"Discover LLM Hallucinations","tactic_names":["Discovery"],"description":"Adversaries may prompt large language models and identify hallucinated entities. They may request software packages, commands, URLs, organization names, or e-mail addresses, and identify hallucination"},{"id":"AML.T0065","name":"LLM Prompt Crafting","tactic_names":["Resource Development"],"description":"Adversaries may use their acquired knowledge of the target generative AI system to craft prompts that bypass its defenses and allow malicious instructions to be executed. The adversary may iterate on "},{"id":"AML.T0067","name":"LLM Trusted Output Components Manipulation","tactic_names":["Defense Evasion"],"description":"Adversaries may utilize prompts to a large language model (LLM) which manipulate various components of its response in order to make it appear trustworthy to the user. This helps the adversary continu"},{"id":"AML.T0068","name":"LLM Prompt Obfuscation","tactic_names":["Defense Evasion"],"description":"Adversaries may hide or otherwise obfuscate prompt injections or retrieval content to avoid detection from humans, large language model (LLM) guardrails, or other detection mechanisms. For text inputs"},{"id":"AML.T0069","name":"Discover LLM System Information","tactic_names":["Discovery"],"description":"The adversary is trying to discover something about the large language model's (LLM) system information. This may be found in a configuration file containing the system instructions or extracted via i"},{"id":"AML.T0077","name":"LLM Response Rendering","tactic_names":["Exfiltration"],"description":"An adversary may get a large language model (LLM) to respond with private information that is hidden from the user when the response is rendered by the user's client. The private information is then e"},{"id":"AML.T0092","name":"Manipulate User LLM Chat History","tactic_names":["Defense Evasion"],"description":"Adversaries may manipulate a user's large language model (LLM) chat history to cover the tracks of their malicious behavior. They may hide persistent changes they have made to the LLM's behavior, or o"},{"id":"AML.T0094","name":"Delay Execution of LLM Instructions","tactic_names":["Defense Evasion"],"description":"Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls p"}],"source":"MITRE ATLAS + SAFE-AI Framework (MP250397)"}