@blamejs/exceptd-skills 0.12.13 → 0.12.15

package/data/atlas-ttps.json

@@ -19,36 +19,6 @@
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     }
   },
-  "AML.T0043": {
-    "id": "AML.T0043",
-    "name": "Craft Adversarial Data",
-    "tactic": "ML Attack Staging",
-    "description": "Adversary crafts input data designed to cause a target ML model to produce incorrect outputs. Includes perturbation-based adversarial examples that are visually identical to originals but trigger misclassification.",
-    "subtechniques": [
-      "AML.T0043.000 — White-Box Attack (adversary has model access)",
-      "AML.T0043.001 — Black-Box Attack (transfer-based, query-based)",
-      "AML.T0043.002 — Physical Attack (adversarial patch, stop sign perturbation)"
-    ],
-    "real_world_instances": [
-      "Deepfake bypass of facial recognition",
-      "Adversarial audio bypassing voice authentication"
-    ],
-    "framework_gap": true,
-    "framework_gap_detail": "No control in NIST 800-53, ISO 27001, SOC 2, or PCI requires adversarial robustness testing for ML models. SI-3 (malicious code protection) does not contemplate adversarial inputs.",
-    "controls_that_partially_help": [
-      "NIST-800-53-SI-3",
-      "NIST-AI-RMF-MEASURE-2.5"
-    ],
-    "controls_that_dont_help": [
-      "NIST-800-53-AC-2",
-      "ISO-27001-2022-A.8.28"
-    ],
-    "detection": "Model output confidence monitoring; behavioral anomaly on repeated low-confidence outputs from same source",
-    "exceptd_skills": [
-      "ai-attack-surface",
-      "rag-pipeline-security"
-    ]
-  },
   "AML.T0010": {
     "id": "AML.T0010",
     "name": "ML Supply Chain Compromise",
@@ -77,7 +47,8 @@
     "exceptd_skills": [
       "mcp-agent-trust",
       "ai-attack-surface"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0016": {
     "id": "AML.T0016",
@@ -103,7 +74,8 @@
       "ai-attack-surface",
       "ai-c2-detection",
       "mcp-agent-trust"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0017": {
     "id": "AML.T0017",
@@ -131,7 +103,8 @@
     "exceptd_skills": [
       "ai-c2-detection",
       "ai-attack-surface"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0018": {
     "id": "AML.T0018",
@@ -160,7 +133,8 @@
       "ai-attack-surface",
       "rag-pipeline-security",
       "skill-update-loop"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0020": {
     "id": "AML.T0020",
@@ -188,96 +162,8 @@
     "exceptd_skills": [
       "rag-pipeline-security",
       "ai-attack-surface"
-    ]
-  },
-  "AML.T0051": {
-    "id": "AML.T0051",
-    "name": "LLM Prompt Injection",
-    "tactic": "Execution",
-    "description": "Adversary injects instructions into an LLM's input that override, supplement, or contradict the original system prompt, causing the model to execute attacker-controlled instructions within the application's authorization context.",
-    "subtechniques": [
-      "AML.T0051.000 — Direct Prompt Injection (user-facing input)",
-      "AML.T0051.001 — Indirect Prompt Injection (injected via retrieved content, documents, web pages)",
-      "AML.T0051.002 — Jailbreak (override safety guardrails)"
-    ],
-    "real_world_instances": [
-      "CVE-2025-53773 — GitHub Copilot prompt injection RCE via PR description",
-      "Multiple production AI assistant prompt injection incidents 2025-2026"
-    ],
-    "framework_gap": true,
-    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v5.1.0 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
-    "controls_that_partially_help": [
-      "NIST-800-53-AC-2",
-      "ISO-27001-2022-A.8.28"
-    ],
-    "controls_that_dont_help": [
-      "NIST-800-53-SI-3",
-      "SOC2-CC6"
-    ],
-    "detection": "AI action audit trail — log every tool call with triggering prompt content; alert on AI actions that diverge from user-stated intent; adversarial instruction classifier on external content before model ingestion",
-    "exceptd_skills": [
-      "ai-attack-surface",
-      "mcp-agent-trust",
-      "rag-pipeline-security"
-    ]
-  },
-  "AML.T0054": {
-    "id": "AML.T0054",
-    "name": "LLM Jailbreak",
-    "tactic": "Defense Evasion",
-    "description": "Adversary uses prompt manipulation techniques to bypass an LLM's safety guardrails, causing the model to produce content or take actions it would normally refuse. Distinguished from prompt injection by the goal: jailbreaks evade safety filters rather than execute injected code.",
-    "subtechniques": [
-      "AML.T0054.000 — Role-play Jailbreak (DAN, persona attacks)",
-      "AML.T0054.001 — Obfuscation (base64, leetspeak, encoding tricks)",
-      "AML.T0054.002 — Many-Shot Jailbreak (long context pattern establishment)"
     ],
-    "real_world_instances": [
-      "Production AI assistant jailbreaks enabling policy bypass; AI coding assistant jailbreaks producing malware code"
-    ],
-    "framework_gap": true,
-    "framework_gap_detail": "No framework requires safety guardrail testing for production AI systems. Red teaming for LLM jailbreaks is not a compliance requirement in any major framework. NIST AI RMF recommends but does not require adversarial testing. ISO 42001 (AI management) is not yet widely adopted.",
-    "controls_that_partially_help": [
-      "NIST-AI-RMF-GOVERN-1.7"
-    ],
-    "controls_that_dont_help": [
-      "NIST-800-53-SI-3",
-      "ISO-27001-2022-A.8.28"
-    ],
-    "detection": "Content policy violation logging; output safety scoring; alert on repeated refusal-bypass attempts from same user",
-    "exceptd_skills": [
-      "ai-attack-surface",
-      "mcp-agent-trust"
-    ]
-  },
-  "AML.T0096": {
-    "id": "AML.T0096",
-    "name": "AI API as Covert C2 Channel",
-    "tactic": "Command and Control",
-    "description": "Adversary uses legitimate AI API calls as a covert command-and-control channel. Malware encodes commands in AI API requests and receives instructions via model responses. Traffic is indistinguishable from legitimate AI usage — same endpoints, same TLS, same bearer auth patterns.",
-    "subtechniques": [
-      "AML.T0096.000 — Steganographic encoding in AI prompts",
-      "AML.T0096.001 — LLM response as instruction decoder",
-      "AML.T0096.002 — Multi-agent covert relay"
-    ],
-    "real_world_instances": [
-      "SesameOp — first documented AI API C2 campaign, 2025. Malware beacons to OpenAI API for encoded instructions.",
-      "PROMPTFLUX — LLM C2 for real-time evasion code generation: malware queries public LLM APIs for novel AV evasion code on each execution."
-    ],
-    "framework_gap": true,
-    "framework_gap_detail": "Network egress controls (SC-7) do not flag AI API traffic — it is categorically allowed in most organizations. No framework requires monitoring of AI API traffic content. SIEM signatures for AI API C2 patterns do not exist in any standard detection ruleset. SI-3 (malware protection) does not contemplate LLM-querying malware. No framework has a control for AI API query anomaly detection by process identity.",
-    "controls_that_partially_help": [
-      "NIST-800-53-SI-4",
-      "NIST-800-53-SC-7"
-    ],
-    "controls_that_dont_help": [
-      "NIST-800-53-SI-3",
-      "ISO-27001-2022-A.8.16"
-    ],
-    "detection": "Process-level AI API query monitoring; alert on AI API calls from unexpected process identities; query volume anomaly; payload entropy analysis for steganographic encoding",
-    "exceptd_skills": [
-      "ai-c2-detection",
-      "ai-attack-surface"
-    ]
+    "last_verified": "2026-05-13"
   },
   "AML.T0024": {
     "id": "AML.T0024",
@@ -309,7 +195,39 @@
       "dlp-gap-analysis",
       "rag-pipeline-security",
       "ai-attack-surface"
-    ]
+    ],
+    "last_verified": "2026-05-13"
+  },
+  "AML.T0043": {
+    "id": "AML.T0043",
+    "name": "Craft Adversarial Data",
+    "tactic": "ML Attack Staging",
+    "description": "Adversary crafts input data designed to cause a target ML model to produce incorrect outputs. Includes perturbation-based adversarial examples that are visually identical to originals but trigger misclassification.",
+    "subtechniques": [
+      "AML.T0043.000 — White-Box Attack (adversary has model access)",
+      "AML.T0043.001 — Black-Box Attack (transfer-based, query-based)",
+      "AML.T0043.002 — Physical Attack (adversarial patch, stop sign perturbation)"
+    ],
+    "real_world_instances": [
+      "Deepfake bypass of facial recognition",
+      "Adversarial audio bypassing voice authentication"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No control in NIST 800-53, ISO 27001, SOC 2, or PCI requires adversarial robustness testing for ML models. SI-3 (malicious code protection) does not contemplate adversarial inputs.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-3",
+      "NIST-AI-RMF-MEASURE-2.5"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-AC-2",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "detection": "Model output confidence monitoring; behavioral anomaly on repeated low-confidence outputs from same source",
+    "exceptd_skills": [
+      "ai-attack-surface",
+      "rag-pipeline-security"
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0044": {
     "id": "AML.T0044",
@@ -340,7 +258,8 @@
       "dlp-gap-analysis",
       "ai-attack-surface",
       "ai-risk-management"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0048": {
     "id": "AML.T0048",
@@ -371,7 +290,40 @@
       "ai-attack-surface",
       "rag-pipeline-security",
       "ai-risk-management"
-    ]
+    ],
+    "last_verified": "2026-05-13"
+  },
+  "AML.T0051": {
+    "id": "AML.T0051",
+    "name": "LLM Prompt Injection",
+    "tactic": "Execution",
+    "description": "Adversary injects instructions into an LLM's input that override, supplement, or contradict the original system prompt, causing the model to execute attacker-controlled instructions within the application's authorization context.",
+    "subtechniques": [
+      "AML.T0051.000 — Direct Prompt Injection (user-facing input)",
+      "AML.T0051.001 — Indirect Prompt Injection (injected via retrieved content, documents, web pages)",
+      "AML.T0051.002 — Jailbreak (override safety guardrails)"
+    ],
+    "real_world_instances": [
+      "CVE-2025-53773 — GitHub Copilot prompt injection RCE via PR description",
+      "Multiple production AI assistant prompt injection incidents 2025-2026"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a control for prompt injection as an access control failure vector. The attack uses the AI service account's authorized permissions — from AC-2's perspective, the access is authorized. MITRE ATLAS v5.1.0 documents the technique; no framework has implemented controls. OWASP LLM Top 10 documents the class; it is not incorporated in any compliance framework.",
+    "controls_that_partially_help": [
+      "NIST-800-53-AC-2",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3",
+      "SOC2-CC6"
+    ],
+    "detection": "AI action audit trail — log every tool call with triggering prompt content; alert on AI actions that diverge from user-stated intent; adversarial instruction classifier on external content before model ingestion",
+    "exceptd_skills": [
+      "ai-attack-surface",
+      "mcp-agent-trust",
+      "rag-pipeline-security"
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0053": {
     "id": "AML.T0053",
@@ -401,7 +353,37 @@
     "exceptd_skills": [
       "mcp-agent-trust",
       "ai-attack-surface"
-    ]
+    ],
+    "last_verified": "2026-05-13"
+  },
+  "AML.T0054": {
+    "id": "AML.T0054",
+    "name": "LLM Jailbreak",
+    "tactic": "Defense Evasion",
+    "description": "Adversary uses prompt manipulation techniques to bypass an LLM's safety guardrails, causing the model to produce content or take actions it would normally refuse. Distinguished from prompt injection by the goal: jailbreaks evade safety filters rather than execute injected code.",
+    "subtechniques": [
+      "AML.T0054.000 — Role-play Jailbreak (DAN, persona attacks)",
+      "AML.T0054.001 — Obfuscation (base64, leetspeak, encoding tricks)",
+      "AML.T0054.002 — Many-Shot Jailbreak (long context pattern establishment)"
+    ],
+    "real_world_instances": [
+      "Production AI assistant jailbreaks enabling policy bypass; AI coding assistant jailbreaks producing malware code"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework requires safety guardrail testing for production AI systems. Red teaming for LLM jailbreaks is not a compliance requirement in any major framework. NIST AI RMF recommends but does not require adversarial testing. ISO 42001 (AI management) is not yet widely adopted.",
+    "controls_that_partially_help": [
+      "NIST-AI-RMF-GOVERN-1.7"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3",
+      "ISO-27001-2022-A.8.28"
+    ],
+    "detection": "Content policy violation logging; output safety scoring; alert on repeated refusal-bypass attempts from same user",
+    "exceptd_skills": [
+      "ai-attack-surface",
+      "mcp-agent-trust"
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0055": {
     "id": "AML.T0055",
@@ -432,7 +414,8 @@
       "dlp-gap-analysis",
       "mcp-agent-trust",
       "rag-pipeline-security"
-    ]
+    ],
+    "last_verified": "2026-05-13"
   },
   "AML.T0057": {
     "id": "AML.T0057",
@@ -465,6 +448,38 @@
       "rag-pipeline-security",
       "ai-attack-surface",
       "dlp-gap-analysis"
-    ]
+    ],
+    "last_verified": "2026-05-13"
+  },
+  "AML.T0096": {
+    "id": "AML.T0096",
+    "name": "AI API as Covert C2 Channel",
+    "tactic": "Command and Control",
+    "description": "Adversary uses legitimate AI API calls as a covert command-and-control channel. Malware encodes commands in AI API requests and receives instructions via model responses. Traffic is indistinguishable from legitimate AI usage — same endpoints, same TLS, same bearer auth patterns.",
+    "subtechniques": [
+      "AML.T0096.000 — Steganographic encoding in AI prompts",
+      "AML.T0096.001 — LLM response as instruction decoder",
+      "AML.T0096.002 — Multi-agent covert relay"
+    ],
+    "real_world_instances": [
+      "SesameOp — first documented AI API C2 campaign, 2025. Malware beacons to OpenAI API for encoded instructions.",
+      "PROMPTFLUX — LLM C2 for real-time evasion code generation: malware queries public LLM APIs for novel AV evasion code on each execution."
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "Network egress controls (SC-7) do not flag AI API traffic — it is categorically allowed in most organizations. No framework requires monitoring of AI API traffic content. SIEM signatures for AI API C2 patterns do not exist in any standard detection ruleset. SI-3 (malware protection) does not contemplate LLM-querying malware. No framework has a control for AI API query anomaly detection by process identity.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-4",
+      "NIST-800-53-SC-7"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3",
+      "ISO-27001-2022-A.8.16"
+    ],
+    "detection": "Process-level AI API query monitoring; alert on AI API calls from unexpected process identities; query volume anomaly; payload entropy analysis for steganographic encoding",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "ai-attack-surface"
+    ],
+    "last_verified": "2026-05-13"
   }
 }