@blamejs/exceptd-skills 0.10.0 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -0
- package/bin/exceptd.js +303 -9
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/ai-api.json +400 -90
- package/data/playbooks/containers.json +406 -94
- package/data/playbooks/cred-stores.json +374 -89
- package/data/playbooks/crypto.json +369 -87
- package/data/playbooks/framework.json +376 -86
- package/data/playbooks/hardening.json +357 -84
- package/data/playbooks/kernel.json +324 -77
- package/data/playbooks/mcp.json +407 -92
- package/data/playbooks/runtime.json +345 -81
- package/data/playbooks/sbom.json +497 -111
- package/data/playbooks/secrets.json +352 -83
- package/lib/playbook-runner.js +77 -7
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -10,11 +10,19 @@
|
|
|
10
10
|
"date": "2026-05-11",
|
|
11
11
|
"summary": "Initial seven-phase AI-API C2 + credential-exposure playbook. Covers SesameOp / PROMPTFLUX / PROMPTSTEAL behavioral signatures (ATLAS AML.T0096), dotfile API-key inventory (Anthropic / OpenAI / Gemini), and cloud credential exposure (~/.aws/credentials, ~/.config/gcloud, ~/.kube/config) that an AI-API C2 adversary would harvest. Full GRC closure with EU AI Act + NIS2 + DORA notification clocks.",
|
|
12
12
|
"cves_added": [],
|
|
13
|
-
"framework_gaps_updated": [
|
|
13
|
+
"framework_gaps_updated": [
|
|
14
|
+
"nist-800-53-SI-3",
|
|
15
|
+
"nist-800-53-SC-7",
|
|
16
|
+
"nist-800-53-AC-2",
|
|
17
|
+
"iso-27001-2022-A.8.16",
|
|
18
|
+
"soc2-CC7",
|
|
19
|
+
"eu-ai-act-art15"
|
|
20
|
+
]
|
|
14
21
|
}
|
|
15
22
|
],
|
|
16
23
|
"owner": "@blamejs/ai-security",
|
|
17
24
|
"air_gap_mode": false,
|
|
25
|
+
"scope": "service",
|
|
18
26
|
"preconditions": [
|
|
19
27
|
{
|
|
20
28
|
"id": "filesystem-read",
|
|
@@ -45,24 +53,51 @@
|
|
|
45
53
|
}
|
|
46
54
|
]
|
|
47
55
|
},
|
|
48
|
-
|
|
49
56
|
"domain": {
|
|
50
57
|
"name": "AI-API as covert command-and-control + dotfile credential exposure",
|
|
51
58
|
"attack_class": "ai-c2",
|
|
52
|
-
"atlas_refs": [
|
|
53
|
-
|
|
59
|
+
"atlas_refs": [
|
|
60
|
+
"AML.T0096",
|
|
61
|
+
"AML.T0017"
|
|
62
|
+
],
|
|
63
|
+
"attack_refs": [
|
|
64
|
+
"T1071",
|
|
65
|
+
"T1102",
|
|
66
|
+
"T1568",
|
|
67
|
+
"T1552.001",
|
|
68
|
+
"T1555"
|
|
69
|
+
],
|
|
54
70
|
"cve_refs": [],
|
|
55
|
-
"cwe_refs": [
|
|
56
|
-
|
|
71
|
+
"cwe_refs": [
|
|
72
|
+
"CWE-522",
|
|
73
|
+
"CWE-256",
|
|
74
|
+
"CWE-798",
|
|
75
|
+
"CWE-312"
|
|
76
|
+
],
|
|
77
|
+
"d3fend_refs": [
|
|
78
|
+
"D3-CA",
|
|
79
|
+
"D3-NTA",
|
|
80
|
+
"D3-NTPM",
|
|
81
|
+
"D3-IOPR",
|
|
82
|
+
"D3-NI"
|
|
83
|
+
],
|
|
57
84
|
"frameworks_in_scope": [
|
|
58
|
-
"nist-800-53",
|
|
59
|
-
"
|
|
60
|
-
"
|
|
85
|
+
"nist-800-53",
|
|
86
|
+
"nist-csf-2",
|
|
87
|
+
"iso-27001-2022",
|
|
88
|
+
"soc2",
|
|
89
|
+
"pci-dss-4",
|
|
90
|
+
"nis2",
|
|
91
|
+
"dora",
|
|
92
|
+
"eu-ai-act",
|
|
93
|
+
"uk-caf",
|
|
94
|
+
"au-ism",
|
|
95
|
+
"au-essential-8",
|
|
96
|
+
"hipaa",
|
|
97
|
+
"cmmc"
|
|
61
98
|
]
|
|
62
99
|
},
|
|
63
|
-
|
|
64
100
|
"phases": {
|
|
65
|
-
|
|
66
101
|
"govern": {
|
|
67
102
|
"jurisdiction_obligations": [
|
|
68
103
|
{
|
|
@@ -71,7 +106,12 @@
|
|
|
71
106
|
"obligation": "notify_regulator",
|
|
72
107
|
"window_hours": 24,
|
|
73
108
|
"clock_starts": "detect_confirmed",
|
|
74
|
-
"evidence_required": [
|
|
109
|
+
"evidence_required": [
|
|
110
|
+
"affected_host_inventory",
|
|
111
|
+
"ai_api_endpoint_beaconing_evidence",
|
|
112
|
+
"credential_exposure_scope",
|
|
113
|
+
"interim_isolation_record"
|
|
114
|
+
]
|
|
75
115
|
},
|
|
76
116
|
{
|
|
77
117
|
"jurisdiction": "EU",
|
|
@@ -79,7 +119,11 @@
|
|
|
79
119
|
"obligation": "notify_regulator",
|
|
80
120
|
"window_hours": 72,
|
|
81
121
|
"clock_starts": "analyze_complete",
|
|
82
|
-
"evidence_required": [
|
|
122
|
+
"evidence_required": [
|
|
123
|
+
"full_incident_assessment",
|
|
124
|
+
"credential_rotation_record",
|
|
125
|
+
"remediation_plan"
|
|
126
|
+
]
|
|
83
127
|
},
|
|
84
128
|
{
|
|
85
129
|
"jurisdiction": "EU",
|
|
@@ -87,7 +131,11 @@
|
|
|
87
131
|
"obligation": "notify_regulator",
|
|
88
132
|
"window_hours": 4,
|
|
89
133
|
"clock_starts": "detect_confirmed",
|
|
90
|
-
"evidence_required": [
|
|
134
|
+
"evidence_required": [
|
|
135
|
+
"initial_notification",
|
|
136
|
+
"ict_third_party_dependencies",
|
|
137
|
+
"financial_data_exposure_scope"
|
|
138
|
+
]
|
|
91
139
|
},
|
|
92
140
|
{
|
|
93
141
|
"jurisdiction": "EU",
|
|
@@ -95,7 +143,11 @@
|
|
|
95
143
|
"obligation": "notify_regulator",
|
|
96
144
|
"window_hours": 360,
|
|
97
145
|
"clock_starts": "analyze_complete",
|
|
98
|
-
"evidence_required": [
|
|
146
|
+
"evidence_required": [
|
|
147
|
+
"serious_incident_assessment",
|
|
148
|
+
"ai_system_misuse_evidence",
|
|
149
|
+
"tool_provenance_audit"
|
|
150
|
+
]
|
|
99
151
|
},
|
|
100
152
|
{
|
|
101
153
|
"jurisdiction": "EU",
|
|
@@ -103,7 +155,11 @@
|
|
|
103
155
|
"obligation": "notify_supervisory_authority",
|
|
104
156
|
"window_hours": 72,
|
|
105
157
|
"clock_starts": "detect_confirmed",
|
|
106
|
-
"evidence_required": [
|
|
158
|
+
"evidence_required": [
|
|
159
|
+
"personal_data_scope_assessment",
|
|
160
|
+
"high_risk_to_data_subjects_determination",
|
|
161
|
+
"containment_measures"
|
|
162
|
+
]
|
|
107
163
|
},
|
|
108
164
|
{
|
|
109
165
|
"jurisdiction": "AU",
|
|
@@ -111,7 +167,10 @@
|
|
|
111
167
|
"obligation": "notify_regulator",
|
|
112
168
|
"window_hours": 72,
|
|
113
169
|
"clock_starts": "validate_complete",
|
|
114
|
-
"evidence_required": [
|
|
170
|
+
"evidence_required": [
|
|
171
|
+
"materiality_assessment",
|
|
172
|
+
"remediation_completed_evidence"
|
|
173
|
+
]
|
|
115
174
|
}
|
|
116
175
|
],
|
|
117
176
|
"theater_fingerprints": [
|
|
@@ -119,25 +178,39 @@
|
|
|
119
178
|
"pattern_id": "egress-allowlist-with-ai-vendors-open",
|
|
120
179
|
"claim": "Egress is allowlisted — only approved domains permitted (SC-7 / A.8.16 / CC7).",
|
|
121
180
|
"fast_detection_test": "Walk the egress allowlist. If api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, *.azure.com, or equivalent AI-vendor endpoints are wholesale-permitted with no per-process restriction or no DLP on payloads, the allowlist gates business websites and leaves the AI-API C2 channel wide open. Theater unless AI-API endpoints are gated by (a) per-process allowlist, (b) bearer-token attribution, AND (c) request/response content inspection or rate baselining.",
|
|
122
|
-
"implicated_controls": [
|
|
181
|
+
"implicated_controls": [
|
|
182
|
+
"nist-800-53-SC-7",
|
|
183
|
+
"iso-27001-2022-A.8.16",
|
|
184
|
+
"soc2-CC7"
|
|
185
|
+
]
|
|
123
186
|
},
|
|
124
187
|
{
|
|
125
188
|
"pattern_id": "ac-2-passes-when-ai-account-misused",
|
|
126
189
|
"claim": "Logical access control (AC-2 / CC6) is operating — only authorized identities access sensitive resources.",
|
|
127
190
|
"fast_detection_test": "Pick any AI-API-using service account on the host. Confirm whether that account's API key has been used for unexpected workloads (extremely high token count, response sizes far from baseline, time-of-day pattern outside normal usage). If anomalies exist, the AC-2 audit was checking that the account was authorized — not that the authorization wasn't abused as a C2 vehicle.",
|
|
128
|
-
"implicated_controls": [
|
|
191
|
+
"implicated_controls": [
|
|
192
|
+
"nist-800-53-AC-2",
|
|
193
|
+
"soc2-CC6"
|
|
194
|
+
]
|
|
129
195
|
},
|
|
130
196
|
{
|
|
131
197
|
"pattern_id": "secrets-scan-of-repos-only",
|
|
132
198
|
"claim": "Secrets scanning is in place — all repositories scanned for committed keys (CM-7 / A.8.30).",
|
|
133
199
|
"fast_detection_test": "Inspect the runtime developer endpoint, not the repo. Read ~/.bashrc, ~/.zshrc, ~/.profile, ~/.config/fish/, ~/.aws/credentials, ~/.config/gcloud/credentials.db, ~/.kube/config, ~/.netrc, ~/.docker/config.json, ~/.npmrc, and assistant-specific dotfiles (~/.codeium, ~/.cursor, ~/.claude). If long-lived API keys exist in any of these but the org's secrets-scanning program only scans repos, the program is structurally blind to where exfiltration actually originates.",
|
|
134
|
-
"implicated_controls": [
|
|
200
|
+
"implicated_controls": [
|
|
201
|
+
"nist-800-53-IA-5",
|
|
202
|
+
"iso-27001-2022-A.8.30",
|
|
203
|
+
"soc2-CC6"
|
|
204
|
+
]
|
|
135
205
|
},
|
|
136
206
|
{
|
|
137
207
|
"pattern_id": "ai-traffic-classified-as-business-as-usual",
|
|
138
208
|
"claim": "SOC 2 CC7 anomaly detection covers all egress — baseline established.",
|
|
139
209
|
"fast_detection_test": "Ask the SOC for an example anomaly that was triaged in the last 30 days where the source was AI-API traffic. If they cannot produce one, the baseline is treating AI-API traffic as legitimate by definition — which is exactly the SesameOp adversary's bet. Theater unless AI-API egress has its own behavioral baseline distinct from SaaS API traffic.",
|
|
140
|
-
"implicated_controls": [
|
|
210
|
+
"implicated_controls": [
|
|
211
|
+
"soc2-CC7",
|
|
212
|
+
"iso-27001-2022-A.8.16"
|
|
213
|
+
]
|
|
141
214
|
}
|
|
142
215
|
],
|
|
143
216
|
"framework_context": {
|
|
@@ -188,9 +261,14 @@
|
|
|
188
261
|
}
|
|
189
262
|
]
|
|
190
263
|
},
|
|
191
|
-
"skill_preload": [
|
|
264
|
+
"skill_preload": [
|
|
265
|
+
"ai-c2-detection",
|
|
266
|
+
"framework-gap-analysis",
|
|
267
|
+
"compliance-theater",
|
|
268
|
+
"global-grc",
|
|
269
|
+
"policy-exception-gen"
|
|
270
|
+
]
|
|
192
271
|
},
|
|
193
|
-
|
|
194
272
|
"direct": {
|
|
195
273
|
"threat_context": "AI-as-C2 landscape mid-2026: SesameOp campaign (ATLAS AML.T0096) — the canonical pattern of adversaries repurposing AI agent APIs as covert C2 — has been replicated and expanded across multiple threat actor sets through Q1-Q2 2026. PROMPTFLUX (Mandiant attribution, late 2025) demonstrated polymorphic AI-API C2 with rotating encoding schemes per session. PROMPTSTEAL extended the pattern to RAG-pipeline poisoning where stored AI conversations carry exfiltrated content. The technical pattern: compromised host encodes commands or exfiltrated data as base64 (or homoglyphs, or natural-language-shaped payloads) inside semantically valid prompts to OpenAI / Anthropic / Google / Azure AI endpoints; attacker reads the relayed payload via the legitimate API. The AI API is transport — not the attacker's infrastructure. Detection at the network layer: nearly impossible without behavioral baselining specific to AI-API traffic. Detection at the host layer: requires monitoring the process that originates the API calls (rogue process talking to api.openai.com from an unexpected service account is the strongest signal). Companion attack: credential harvesting from dotfiles. Once userland code execution is achieved (via MCP supply-chain, prompt injection, or AI-API C2 delivered payload), attacker reads ~/.aws/credentials, ~/.config/gcloud, ~/.kube/config, ~/.netrc, ~/.docker/config.json, vendor dotfiles, npm tokens — the modern developer endpoint is a credential warehouse. Cleartext API keys in dotfiles are documented in ~70% of developer-endpoint forensic reviews. Compliance frameworks have not caught up: NIST SI-3/SC-7, ISO A.8.16, SOC 2 CC7 do not have AI-API baselines and treat the channel as business-as-usual.",
|
|
196
274
|
"rwep_threshold": {
|
|
@@ -200,11 +278,33 @@
|
|
|
200
278
|
},
|
|
201
279
|
"framework_lag_declaration": "NIST 800-53 SI-3/SC-7/AC-2, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15 are all structurally insufficient for AI-API C2. The shared failure: each control treats the AI API endpoint as a legitimate authorized SaaS, the service account using it as authorized, and the traffic over it as business-as-usual. The SesameOp pattern operates entirely inside that authorized envelope. Until frameworks add 'AI-API egress baseline + content inspection + bearer-token-to-process attribution' controls, anomaly-detection audit opinions provide zero signal about AI-as-C2 exposure. Companion gap: secrets-management controls (IA-5, A.8.5) focus on repository-committed keys and ignore the dotfile credential surface where most developer keys actually live. Lag = ~190 days behind the SesameOp pattern's first documentation; no framework body has issued draft language as of 2026-05-11.",
|
|
202
280
|
"skill_chain": [
|
|
203
|
-
{
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
281
|
+
{
|
|
282
|
+
"skill": "ai-c2-detection",
|
|
283
|
+
"purpose": "Inventory installed AI SDKs (anthropic, openai, google-generativeai, azure-ai), enumerate processes communicating with AI-API endpoints, baseline behavior, detect SesameOp / PROMPTFLUX behavioral signatures.",
|
|
284
|
+
"required": true
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"skill": "framework-gap-analysis",
|
|
288
|
+
"purpose": "Map each detected exposure to the specific framework control that should have caught it and why it didn't.",
|
|
289
|
+
"required": true
|
|
290
|
+
},
|
|
291
|
+
{
|
|
292
|
+
"skill": "compliance-theater",
|
|
293
|
+
"purpose": "Run the four theater tests in govern.theater_fingerprints; emit verdict.",
|
|
294
|
+
"required": true
|
|
295
|
+
},
|
|
296
|
+
{
|
|
297
|
+
"skill": "global-grc",
|
|
298
|
+
"purpose": "Cross-walk findings to per-jurisdiction notification obligations including GDPR Art.33 (personal data exfil), EU AI Act Art.73 (serious incident), NIS2 Art.23, DORA Art.19.",
|
|
299
|
+
"skip_if": "jurisdiction_obligations.length == 0",
|
|
300
|
+
"required": false
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"skill": "policy-exception-gen",
|
|
304
|
+
"purpose": "If AI-API egress cannot be gated within compliance window, generate defensible exception with compensating controls.",
|
|
305
|
+
"skip_if": "close.exception_generation.trigger_condition == false",
|
|
306
|
+
"required": false
|
|
307
|
+
}
|
|
208
308
|
],
|
|
209
309
|
"token_budget": {
|
|
210
310
|
"estimated_total": 22000,
|
|
@@ -219,7 +319,6 @@
|
|
|
219
319
|
}
|
|
220
320
|
}
|
|
221
321
|
},
|
|
222
|
-
|
|
223
322
|
"look": {
|
|
224
323
|
"artifacts": [
|
|
225
324
|
{
|
|
@@ -337,14 +436,33 @@
|
|
|
337
436
|
}
|
|
338
437
|
],
|
|
339
438
|
"fallback_if_unavailable": [
|
|
340
|
-
{
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
|
|
344
|
-
|
|
439
|
+
{
|
|
440
|
+
"artifact_id": "ai-api-egress-baseline",
|
|
441
|
+
"fallback_action": "use_compensating_artifact",
|
|
442
|
+
"confidence_impact": "medium"
|
|
443
|
+
},
|
|
444
|
+
{
|
|
445
|
+
"artifact_id": "egress-policy",
|
|
446
|
+
"fallback_action": "mark_inconclusive",
|
|
447
|
+
"confidence_impact": "medium"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"artifact_id": "ai-sdk-inventory",
|
|
451
|
+
"fallback_action": "use_compensating_artifact",
|
|
452
|
+
"confidence_impact": "low"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"artifact_id": "dotfile-api-keys",
|
|
456
|
+
"fallback_action": "escalate_to_human",
|
|
457
|
+
"confidence_impact": "high"
|
|
458
|
+
},
|
|
459
|
+
{
|
|
460
|
+
"artifact_id": "aws-credentials",
|
|
461
|
+
"fallback_action": "escalate_to_human",
|
|
462
|
+
"confidence_impact": "high"
|
|
463
|
+
}
|
|
345
464
|
]
|
|
346
465
|
},
|
|
347
|
-
|
|
348
466
|
"detect": {
|
|
349
467
|
"indicators": [
|
|
350
468
|
{
|
|
@@ -447,25 +565,79 @@
|
|
|
447
565
|
"not_detected": "No cleartext API keys in any inventoried dotfile AND no AI-API egress from unexpected processes AND no anomalous volume / beaconing. Document as not-detected with a 'new dotfile credential or new unexpected process re-opens this' caveat."
|
|
448
566
|
}
|
|
449
567
|
},
|
|
450
|
-
|
|
451
568
|
"analyze": {
|
|
452
569
|
"rwep_inputs": [
|
|
453
|
-
{
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
{
|
|
570
|
+
{
|
|
571
|
+
"signal_id": "cleartext-api-key-in-dotfile",
|
|
572
|
+
"rwep_factor": "blast_radius",
|
|
573
|
+
"weight": 20,
|
|
574
|
+
"notes": "Each cleartext key is a separate exfil vector; tally to blast radius."
|
|
575
|
+
},
|
|
576
|
+
{
|
|
577
|
+
"signal_id": "long-lived-aws-keys",
|
|
578
|
+
"rwep_factor": "blast_radius",
|
|
579
|
+
"weight": 25,
|
|
580
|
+
"notes": "Long-lived AWS keys = cloud-account compromise on extraction."
|
|
581
|
+
},
|
|
582
|
+
{
|
|
583
|
+
"signal_id": "gcp-service-account-json",
|
|
584
|
+
"rwep_factor": "blast_radius",
|
|
585
|
+
"weight": 25,
|
|
586
|
+
"notes": "GCP service-account JSON = GCP account compromise on extraction."
|
|
587
|
+
},
|
|
588
|
+
{
|
|
589
|
+
"signal_id": "kubeconfig-with-static-token",
|
|
590
|
+
"rwep_factor": "blast_radius",
|
|
591
|
+
"weight": 20,
|
|
592
|
+
"notes": "Static kube token = cluster control on extraction."
|
|
593
|
+
},
|
|
594
|
+
{
|
|
595
|
+
"signal_id": "ai-api-egress-from-unexpected-process",
|
|
596
|
+
"rwep_factor": "active_exploitation",
|
|
597
|
+
"weight": 25,
|
|
598
|
+
"notes": "Direct match for SesameOp / PROMPTFLUX TTPs; active exploitation documented."
|
|
599
|
+
},
|
|
600
|
+
{
|
|
601
|
+
"signal_id": "ai-api-beaconing-cadence",
|
|
602
|
+
"rwep_factor": "ai_weaponization",
|
|
603
|
+
"weight": 10,
|
|
604
|
+
"notes": "AI-API C2 is, by definition, AI-assisted attack infrastructure."
|
|
605
|
+
},
|
|
606
|
+
{
|
|
607
|
+
"signal_id": "base64-or-encoded-payload-in-prompts",
|
|
608
|
+
"rwep_factor": "active_exploitation",
|
|
609
|
+
"weight": 20,
|
|
610
|
+
"notes": "Content-level SesameOp signature; high confidence active exploitation."
|
|
611
|
+
}
|
|
460
612
|
],
|
|
461
613
|
"blast_radius_model": {
|
|
462
614
|
"scope_question": "If an attacker harvests this host's dotfile credentials AND uses AI-API egress as C2, what scope of compromise does this host realistically deliver?",
|
|
463
615
|
"scoring_rubric": [
|
|
464
|
-
{
|
|
465
|
-
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
|
|
616
|
+
{
|
|
617
|
+
"condition": "host has only AI API keys (no cloud / no kube), interactive-developer use only",
|
|
618
|
+
"blast_radius_score": 1,
|
|
619
|
+
"description": "AI service abuse + token-cost burn. Vendor abuse-team detection plausible."
|
|
620
|
+
},
|
|
621
|
+
{
|
|
622
|
+
"condition": "host has AI API keys + personal git tokens, no production access",
|
|
623
|
+
"blast_radius_score": 2,
|
|
624
|
+
"description": "Source-code theft via git tokens; commit-rewrite vector."
|
|
625
|
+
},
|
|
626
|
+
{
|
|
627
|
+
"condition": "host has AI API keys + non-prod AWS/GCP/kube credentials",
|
|
628
|
+
"blast_radius_score": 3,
|
|
629
|
+
"description": "Non-prod cloud read + IAM enumeration; staging data exfil."
|
|
630
|
+
},
|
|
631
|
+
{
|
|
632
|
+
"condition": "host has AI API keys + production cloud / kube admin credentials OR signing keys",
|
|
633
|
+
"blast_radius_score": 4,
|
|
634
|
+
"description": "Production tenancy + supply-chain-publishing capability + AI-API C2 covert channel."
|
|
635
|
+
},
|
|
636
|
+
{
|
|
637
|
+
"condition": "host has AI API keys + cross-account / cross-tenant administrative roles OR CI/CD bootstrap rights",
|
|
638
|
+
"blast_radius_score": 5,
|
|
639
|
+
"description": "Org-wide pivot. AI-API channel makes the lateral movement covert at the network layer."
|
|
640
|
+
}
|
|
469
641
|
]
|
|
470
642
|
},
|
|
471
643
|
"compliance_theater_check": {
|
|
@@ -526,63 +698,116 @@
|
|
|
526
698
|
}
|
|
527
699
|
],
|
|
528
700
|
"escalation_criteria": [
|
|
529
|
-
{
|
|
530
|
-
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
{
|
|
534
|
-
|
|
701
|
+
{
|
|
702
|
+
"condition": "rwep >= 75 AND ai-api-egress-from-unexpected-process == true",
|
|
703
|
+
"action": "page_on_call"
|
|
704
|
+
},
|
|
705
|
+
{
|
|
706
|
+
"condition": "any credential indicator deterministic AND blast_radius_score >= 4",
|
|
707
|
+
"action": "page_on_call"
|
|
708
|
+
},
|
|
709
|
+
{
|
|
710
|
+
"condition": "ai-api-beaconing-cadence == true AND base64-or-encoded-payload-in-prompts == true",
|
|
711
|
+
"action": "raise_severity"
|
|
712
|
+
},
|
|
713
|
+
{
|
|
714
|
+
"condition": "blast_radius_score >= 4",
|
|
715
|
+
"action": "trigger_playbook",
|
|
716
|
+
"target_playbook": "sbom"
|
|
717
|
+
},
|
|
718
|
+
{
|
|
719
|
+
"condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
|
|
720
|
+
"action": "notify_legal"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"condition": "personal_data_exfil_suspected == true",
|
|
724
|
+
"action": "notify_legal"
|
|
725
|
+
}
|
|
535
726
|
]
|
|
536
727
|
},
|
|
537
|
-
|
|
538
728
|
"validate": {
|
|
539
729
|
"remediation_paths": [
|
|
540
730
|
{
|
|
541
731
|
"id": "rotate-exposed-credentials-now",
|
|
542
732
|
"description": "Immediately rotate every API key and cloud credential found in dotfile inventory. Revoke at vendor side; verify revocation effective.",
|
|
543
|
-
"preconditions": [
|
|
733
|
+
"preconditions": [
|
|
734
|
+
"operator_authorized_for_key_rotation == true"
|
|
735
|
+
],
|
|
544
736
|
"priority": 1,
|
|
545
|
-
"compensating_controls": [
|
|
737
|
+
"compensating_controls": [
|
|
738
|
+
"service_disruption_window_acknowledged",
|
|
739
|
+
"rotation_audit_trail"
|
|
740
|
+
],
|
|
546
741
|
"estimated_time_hours": 2
|
|
547
742
|
},
|
|
548
743
|
{
|
|
549
744
|
"id": "isolate-and-investigate-c2",
|
|
550
745
|
"description": "If AI-API C2 indicators fired: isolate the host from network (preserving forensic state), capture process tree + memory if possible, dump current AI-API session content via local proxy.",
|
|
551
|
-
"preconditions": [
|
|
746
|
+
"preconditions": [
|
|
747
|
+
"ai_api_c2_signal == true",
|
|
748
|
+
"incident_response_authorized == true"
|
|
749
|
+
],
|
|
552
750
|
"priority": 1,
|
|
553
|
-
"compensating_controls": [
|
|
751
|
+
"compensating_controls": [
|
|
752
|
+
"forensic_preservation",
|
|
753
|
+
"vendor_abuse_team_notification"
|
|
754
|
+
],
|
|
554
755
|
"estimated_time_hours": 4
|
|
555
756
|
},
|
|
556
757
|
{
|
|
557
758
|
"id": "migrate-to-credential-broker",
|
|
558
759
|
"description": "Replace dotfile cleartext keys with OS keychain (macOS Keychain / Linux Secret Service / Windows DPAPI) or vendor-issued short-lived credential (AWS SSO, GCP gcloud auth login + workload identity, kube exec-credential).",
|
|
559
|
-
"preconditions": [
|
|
760
|
+
"preconditions": [
|
|
761
|
+
"broker_available_for_each_credential_class == true"
|
|
762
|
+
],
|
|
560
763
|
"priority": 2,
|
|
561
|
-
"compensating_controls": [
|
|
764
|
+
"compensating_controls": [
|
|
765
|
+
"legacy_dotfile_still_present_until_keychain_validated",
|
|
766
|
+
"developer_workflow_regression_test"
|
|
767
|
+
],
|
|
562
768
|
"estimated_time_hours": 6
|
|
563
769
|
},
|
|
564
770
|
{
|
|
565
771
|
"id": "deploy-egress-proxy-with-attribution",
|
|
566
772
|
"description": "Route all AI-API egress through a per-process-attributed proxy that logs (a) initiating process, (b) bearer token used, (c) request/response size + cadence + content-shape metrics. Build a per-service-account baseline and alert on deviation.",
|
|
567
|
-
"preconditions": [
|
|
773
|
+
"preconditions": [
|
|
774
|
+
"proxy_infrastructure_authorizable == true",
|
|
775
|
+
"tls_termination_acceptable_per_policy == true"
|
|
776
|
+
],
|
|
568
777
|
"priority": 3,
|
|
569
|
-
"compensating_controls": [
|
|
778
|
+
"compensating_controls": [
|
|
779
|
+
"proxy_failure_mode_defined",
|
|
780
|
+
"developer_traffic_baseline_collection"
|
|
781
|
+
],
|
|
570
782
|
"estimated_time_hours": 16
|
|
571
783
|
},
|
|
572
784
|
{
|
|
573
785
|
"id": "enforce-allowlisted-ai-clients",
|
|
574
786
|
"description": "Enforce a per-host allowlist of processes permitted to speak to AI-API endpoints (binary paths, signatures). Block all other processes from reaching AI-vendor domains.",
|
|
575
|
-
"preconditions": [
|
|
787
|
+
"preconditions": [
|
|
788
|
+
"host-level_firewall_or_endpoint_egress_control_available == true"
|
|
789
|
+
],
|
|
576
790
|
"priority": 4,
|
|
577
|
-
"compensating_controls": [
|
|
791
|
+
"compensating_controls": [
|
|
792
|
+
"allowlist_change_management",
|
|
793
|
+
"monitoring_for_blocked_attempts"
|
|
794
|
+
],
|
|
578
795
|
"estimated_time_hours": 4
|
|
579
796
|
},
|
|
580
797
|
{
|
|
581
798
|
"id": "policy-exception",
|
|
582
799
|
"description": "Where business-critical interactive use makes egress proxying or process allowlisting infeasible, generate a defensible policy exception with compensating controls (rate quota per service account, vendor-side abuse alerting integration, weekly dotfile re-audit).",
|
|
583
|
-
"preconditions": [
|
|
800
|
+
"preconditions": [
|
|
801
|
+
"remediation_paths[1..5] partially or fully blocked",
|
|
802
|
+
"ciso_acceptance_obtainable == true"
|
|
803
|
+
],
|
|
584
804
|
"priority": 5,
|
|
585
|
-
"compensating_controls": [
|
|
805
|
+
"compensating_controls": [
|
|
806
|
+
"per_token_rate_quota_at_vendor",
|
|
807
|
+
"vendor_abuse_alerting_integration",
|
|
808
|
+
"weekly_dotfile_re-audit",
|
|
809
|
+
"endpoint_egress_anomaly_baseline_with_alerting"
|
|
810
|
+
],
|
|
586
811
|
"estimated_time_hours": 8
|
|
587
812
|
}
|
|
588
813
|
],
|
|
@@ -628,46 +853,89 @@
|
|
|
628
853
|
"risk": "AI-API C2 attack surface remains because the legitimate channel cannot be closed. Detection is the residual layer. Behavioral baselines drift; attackers adapt encoding shape; new AI vendors enter the egress allowlist. Credential exposure recurs whenever a developer onboards a new tool that wants a cleartext key.",
|
|
629
854
|
"why_remains": "AI APIs are infrastructure-of-record for AI-assisted development. The org cannot block them. Detection requires sustained baselining and per-process attribution; both degrade without active maintenance.",
|
|
630
855
|
"acceptance_level": "ciso",
|
|
631
|
-
"compensating_controls_in_place": [
|
|
856
|
+
"compensating_controls_in_place": [
|
|
857
|
+
"dotfile_credential_periodic_re-audit",
|
|
858
|
+
"ai_api_egress_proxy_with_per-process_attribution",
|
|
859
|
+
"ai_api_behavioral_baseline_with_alerting",
|
|
860
|
+
"vendor_abuse_team_integration",
|
|
861
|
+
"credential_broker_default_for_new_keys"
|
|
862
|
+
]
|
|
632
863
|
},
|
|
633
864
|
"evidence_requirements": [
|
|
634
865
|
{
|
|
635
866
|
"evidence_type": "scan_report",
|
|
636
867
|
"description": "Dotfile credential inventory snapshot pre- and post-remediation, showing zero cleartext keys remaining.",
|
|
637
868
|
"retention_period": "7_years",
|
|
638
|
-
"framework_satisfied": [
|
|
869
|
+
"framework_satisfied": [
|
|
870
|
+
"nist-800-53-IA-5",
|
|
871
|
+
"iso-27001-2022-A.8.30",
|
|
872
|
+
"soc2-CC6",
|
|
873
|
+
"pci-dss-4-8.3"
|
|
874
|
+
]
|
|
639
875
|
},
|
|
640
876
|
{
|
|
641
877
|
"evidence_type": "log_excerpt",
|
|
642
878
|
"description": "AI-API egress proxy logs showing per-process attribution for a sample of requests during remediation validation.",
|
|
643
879
|
"retention_period": "1_year",
|
|
644
|
-
"framework_satisfied": [
|
|
880
|
+
"framework_satisfied": [
|
|
881
|
+
"nist-800-53-SC-7",
|
|
882
|
+
"soc2-CC7",
|
|
883
|
+
"iso-27001-2022-A.8.16"
|
|
884
|
+
]
|
|
645
885
|
},
|
|
646
886
|
{
|
|
647
887
|
"evidence_type": "exploit_replay_negative",
|
|
648
888
|
"description": "Negative test results: old rotated keys rejected by vendor; unexpected-process egress blocked; synthetic beaconing pattern triggered baseline alert.",
|
|
649
889
|
"retention_period": "1_year",
|
|
650
|
-
"framework_satisfied": [
|
|
890
|
+
"framework_satisfied": [
|
|
891
|
+
"soc2-CC7",
|
|
892
|
+
"nist-800-53-SI-3",
|
|
893
|
+
"iso-27001-2022-A.8.16"
|
|
894
|
+
]
|
|
651
895
|
},
|
|
652
896
|
{
|
|
653
897
|
"evidence_type": "attestation",
|
|
654
898
|
"description": "Signed exceptd attestation file with evidence_hash, credential count at detection, credential count post-remediation, AI-API egress baseline established date, RWEP delta.",
|
|
655
899
|
"retention_period": "7_years",
|
|
656
|
-
"framework_satisfied": [
|
|
900
|
+
"framework_satisfied": [
|
|
901
|
+
"nist-800-53-CA-7",
|
|
902
|
+
"iso-27001-2022-A.5.36",
|
|
903
|
+
"nis2-art21-2d",
|
|
904
|
+
"eu-ai-act-art15"
|
|
905
|
+
]
|
|
657
906
|
}
|
|
658
907
|
],
|
|
659
908
|
"regression_trigger": [
|
|
660
|
-
{
|
|
661
|
-
|
|
662
|
-
|
|
663
|
-
|
|
909
|
+
{
|
|
910
|
+
"condition": "new_ai_vendor_added_to_allowlist",
|
|
911
|
+
"interval": "on_event"
|
|
912
|
+
},
|
|
913
|
+
{
|
|
914
|
+
"condition": "new_cve_in_class == true",
|
|
915
|
+
"interval": "on_event"
|
|
916
|
+
},
|
|
917
|
+
{
|
|
918
|
+
"condition": "new_developer_endpoint_provisioned",
|
|
919
|
+
"interval": "on_event"
|
|
920
|
+
},
|
|
921
|
+
{
|
|
922
|
+
"condition": "monthly",
|
|
923
|
+
"interval": "30d"
|
|
924
|
+
}
|
|
664
925
|
]
|
|
665
926
|
},
|
|
666
|
-
|
|
667
927
|
"close": {
|
|
668
928
|
"evidence_package": {
|
|
669
929
|
"bundle_format": "csaf-2.0",
|
|
670
|
-
"contents": [
|
|
930
|
+
"contents": [
|
|
931
|
+
"scan_report",
|
|
932
|
+
"log_excerpt",
|
|
933
|
+
"exploit_replay_negative",
|
|
934
|
+
"attestation",
|
|
935
|
+
"framework_gap_mapping",
|
|
936
|
+
"compliance_theater_verdict",
|
|
937
|
+
"residual_risk_statement"
|
|
938
|
+
],
|
|
671
939
|
"destination": "local_only",
|
|
672
940
|
"signed": true
|
|
673
941
|
},
|
|
@@ -679,49 +947,79 @@
|
|
|
679
947
|
"framework_gap": "NIST 800-53 SI-3/SC-7/AC-2/IA-5, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15 all permit clean audits over a fully-exposed AI-API C2 + dotfile credential surface. Lag = ~190 days behind SesameOp's first documentation; no framework body has issued draft language as of 2026-05-11.",
|
|
680
948
|
"new_control_requirement": "Add an AI-API governance control class spanning: (a) per-process attribution of AI-API egress via dedicated proxy, (b) bearer-token-to-process binding, (c) AI-API behavioral baseline (rate, cadence, content-shape) with alerting, (d) credential-broker mandate for any long-lived API/cloud key on a developer endpoint, (e) provider-side telemetry sharing obligation for AI vendors (rate per key, content statistics) to enable customer-side detection."
|
|
681
949
|
},
|
|
682
|
-
"feeds_back_to_skills": [
|
|
950
|
+
"feeds_back_to_skills": [
|
|
951
|
+
"ai-c2-detection",
|
|
952
|
+
"framework-gap-analysis",
|
|
953
|
+
"compliance-theater",
|
|
954
|
+
"global-grc",
|
|
955
|
+
"zeroday-gap-learn"
|
|
956
|
+
]
|
|
683
957
|
},
|
|
684
958
|
"notification_actions": [
|
|
685
959
|
{
|
|
686
960
|
"obligation_ref": "EU/NIS2 Art.23 24h",
|
|
687
961
|
"deadline": "computed_at_runtime",
|
|
688
962
|
"recipient": "internal_legal",
|
|
689
|
-
"evidence_attached": [
|
|
963
|
+
"evidence_attached": [
|
|
964
|
+
"affected_host_inventory",
|
|
965
|
+
"ai_api_endpoint_beaconing_evidence",
|
|
966
|
+
"credential_exposure_scope",
|
|
967
|
+
"interim_isolation_record"
|
|
968
|
+
],
|
|
690
969
|
"draft_notification": "Initial NIS2 Art.23 24-hour early-warning notification: AI-API C2 + credential exposure detected on ${affected_host_count} host(s). Behavioral indicators: ${behavioral_indicators}. Credential exposure: ${cred_summary}. Interim isolation: ${interim_isolation_status}. Full incident assessment to follow within 72 hours per Art.23(4)."
|
|
691
970
|
},
|
|
692
971
|
{
|
|
693
972
|
"obligation_ref": "EU/NIS2 Art.23 72h",
|
|
694
973
|
"deadline": "computed_at_runtime",
|
|
695
974
|
"recipient": "regulator_email",
|
|
696
|
-
"evidence_attached": [
|
|
975
|
+
"evidence_attached": [
|
|
976
|
+
"full_incident_assessment",
|
|
977
|
+
"credential_rotation_record",
|
|
978
|
+
"remediation_plan"
|
|
979
|
+
],
|
|
697
980
|
"draft_notification": "NIS2 Art.23 incident notification (72-hour): Full assessment of AI-API C2 / credential-exposure incident. Affected systems: ${affected_systems}. Credentials rotated: ${rotated_count}. Remediation plan: dotfile credential migration to broker, AI-API egress proxy deployment, behavioral baseline establishment. ETA: ${remediation_eta}."
|
|
698
981
|
},
|
|
699
982
|
{
|
|
700
983
|
"obligation_ref": "EU/DORA Art.19 4h",
|
|
701
984
|
"deadline": "computed_at_runtime",
|
|
702
985
|
"recipient": "internal_legal",
|
|
703
|
-
"evidence_attached": [
|
|
986
|
+
"evidence_attached": [
|
|
987
|
+
"initial_notification",
|
|
988
|
+
"ict_third_party_dependencies",
|
|
989
|
+
"financial_data_exposure_scope"
|
|
990
|
+
],
|
|
704
991
|
"draft_notification": "DORA Art.19 initial notification: Major ICT-related incident — AI-API C2 / credential exposure on ${affected_host_count} host(s) within financial-entity scope. AI vendor ICT dependencies: ${ict_dependencies}. Financial-data exposure scope: ${financial_data_scope}. Full classification + impact assessment to follow within statutory windows."
|
|
705
992
|
},
|
|
706
993
|
{
|
|
707
994
|
"obligation_ref": "EU/EU AI Act Art.73 360h",
|
|
708
995
|
"deadline": "computed_at_runtime",
|
|
709
996
|
"recipient": "regulator_email",
|
|
710
|
-
"evidence_attached": [
|
|
997
|
+
"evidence_attached": [
|
|
998
|
+
"serious_incident_assessment",
|
|
999
|
+
"ai_system_misuse_evidence",
|
|
1000
|
+
"tool_provenance_audit"
|
|
1001
|
+
],
|
|
711
1002
|
"draft_notification": "EU AI Act Art.73 serious-incident notification: AI API misused as covert C2 channel against ${affected_ai_system}. Provider: ${ai_provider}. Evidence of misuse: ${behavioral_evidence}. Tool provenance audit: ${tool_provenance_summary}."
|
|
712
1003
|
},
|
|
713
1004
|
{
|
|
714
1005
|
"obligation_ref": "EU/GDPR Art.33 72h",
|
|
715
1006
|
"deadline": "computed_at_runtime",
|
|
716
1007
|
"recipient": "internal_legal",
|
|
717
|
-
"evidence_attached": [
|
|
1008
|
+
"evidence_attached": [
|
|
1009
|
+
"personal_data_scope_assessment",
|
|
1010
|
+
"high_risk_to_data_subjects_determination",
|
|
1011
|
+
"containment_measures"
|
|
1012
|
+
],
|
|
718
1013
|
"draft_notification": "GDPR Art.33 supervisory authority notification: Personal data breach via AI-API C2 channel and/or credential exfil. Affected data categories: ${data_categories}. Approximate number of data subjects affected: ${affected_count}. High-risk determination per Art.34: ${high_risk_determination}. Containment measures: ${containment_summary}."
|
|
719
1014
|
},
|
|
720
1015
|
{
|
|
721
1016
|
"obligation_ref": "AU/APRA CPS 234 72h",
|
|
722
1017
|
"deadline": "computed_at_runtime",
|
|
723
1018
|
"recipient": "regulator_email",
|
|
724
|
-
"evidence_attached": [
|
|
1019
|
+
"evidence_attached": [
|
|
1020
|
+
"materiality_assessment",
|
|
1021
|
+
"remediation_completed_evidence"
|
|
1022
|
+
],
|
|
725
1023
|
"draft_notification": "APRA CPS 234 notification: Material information security incident — AI-API C2 / credential exposure on ${affected_host_count} host(s). Materiality: ${materiality_justification}. Remediation summary: ${remediation_summary}."
|
|
726
1024
|
}
|
|
727
1025
|
],
|
|
@@ -730,7 +1028,14 @@
|
|
|
730
1028
|
"exception_template": {
|
|
731
1029
|
"scope": "AI-API egress for asset(s) ${asset_list} cannot be routed through a per-process-attributed proxy in this remediation cycle, OR dotfile credential migration is blocked by vendor SDK constraints. Remediation paths 3-5 partially blocked.",
|
|
732
1030
|
"duration": "30d",
|
|
733
|
-
"compensating_controls": [
|
|
1031
|
+
"compensating_controls": [
|
|
1032
|
+
"per_token_rate_quota_enforced_at_vendor_side",
|
|
1033
|
+
"vendor_abuse_alerting_subscription",
|
|
1034
|
+
"weekly_dotfile_credential_re-audit_with_diff_alerting",
|
|
1035
|
+
"endpoint_egress_anomaly_baseline_with_per-host_alerting",
|
|
1036
|
+
"ai_api_destination_dns_logging_with_cadence_analysis",
|
|
1037
|
+
"isolation_capability_pre-tested_with_runbook"
|
|
1038
|
+
],
|
|
734
1039
|
"risk_acceptance_owner": "ciso",
|
|
735
1040
|
"auditor_ready_language": "Pursuant to ${framework_id} ${control_id} (System Operations / Anomaly Detection / Boundary Protection / Authenticator Management), the organization documents a time-bound risk acceptance for AI-API egress on asset(s) ${asset_list} that cannot be brought under per-process-attributed proxy control within the current remediation cycle. The accepted threat class is AI-as-C2 (SesameOp pattern / ATLAS AML.T0096) and dotfile credential exfiltration. The organization accepts that current framework controls (NIST 800-53 SI-3/SC-7/AC-2/IA-5, ISO 27001:2022 A.8.16, SOC 2 CC6/CC7, EU AI Act Art.15) treat AI-vendor endpoints as authorized SaaS and AI service accounts as legitimately authorized identities, that this structural blind spot is documented in ${exceptd_framework_gap_mapping_ref}, and that the organization's compensating controls during the exception window are: ${compensating_controls}. Detection coverage: AI-API destination DNS logging with cadence analysis, endpoint egress anomaly baseline, weekly dotfile re-audit. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry} (proxy infrastructure ready, vendor SDK supports brokered credentials, OR ${default_30d_expiry}, whichever is first). Re-evaluation triggers: new SesameOp variant published, new AI vendor added to scope, dotfile credential count above zero in weekly audit, OR scheduled expiry."
|
|
736
1041
|
}
|
|
@@ -742,22 +1047,27 @@
|
|
|
742
1047
|
}
|
|
743
1048
|
}
|
|
744
1049
|
},
|
|
745
|
-
|
|
746
1050
|
"directives": [
|
|
747
1051
|
{
|
|
748
1052
|
"id": "all-ai-api-and-credential-exposure",
|
|
749
1053
|
"title": "Full AI-API C2 + dotfile credential exposure audit",
|
|
750
|
-
"applies_to": {
|
|
1054
|
+
"applies_to": {
|
|
1055
|
+
"always": true
|
|
1056
|
+
}
|
|
751
1057
|
},
|
|
752
1058
|
{
|
|
753
1059
|
"id": "sesameop-aml-t0096",
|
|
754
1060
|
"title": "ATLAS AML.T0096 — AI as C2 (SesameOp / PROMPTFLUX / PROMPTSTEAL)",
|
|
755
|
-
"applies_to": {
|
|
1061
|
+
"applies_to": {
|
|
1062
|
+
"atlas_ttp": "AML.T0096"
|
|
1063
|
+
}
|
|
756
1064
|
},
|
|
757
1065
|
{
|
|
758
1066
|
"id": "t1552-001-credentials-in-files",
|
|
759
1067
|
"title": "T1552.001 — Unsecured Credentials: Credentials in Files",
|
|
760
|
-
"applies_to": {
|
|
1068
|
+
"applies_to": {
|
|
1069
|
+
"attack_technique": "T1552.001"
|
|
1070
|
+
}
|
|
761
1071
|
}
|
|
762
1072
|
]
|
|
763
1073
|
}
|