npm - @panguard-ai/atr - Versions diffs - 0.2.1 → 0.3.0 - Mend

@panguard-ai/atr 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

package/rules/privilege-escalation/ATR-2026-040-privilege-escalation.yaml CHANGED Viewed

@@ -1,4 +1,4 @@
-title: "Privilege Escalation and Admin Function Access"
+title: 'Privilege Escalation and Admin Function Access'
 id: ATR-2026-040
 status: experimental
 description: |
@@ -10,26 +10,26 @@ description: |
   escape techniques (nsenter, chroot), or Kubernetes privilege escalation
   (kubectl exec). This rule enforces least-privilege boundaries across all
   agent tool interactions.
-author: "Panguard AI"
-date: "2026/03/08"
-schema_version: "0.1"
+author: 'ATR Community'
+date: '2026/03/08'
+schema_version: '0.1'
 detection_tier: pattern
 maturity: experimental
 severity: critical
 references:
   owasp_llm:
-    - "LLM06:2025 - Excessive Agency"
+    - 'LLM06:2025 - Excessive Agency'
   owasp_agentic:
-    - "ASI03:2026 - Identity and Privilege Abuse"
+    - 'ASI03:2026 - Identity and Privilege Abuse'
   mitre_atlas:
-    - "AML.T0050 - Command and Scripting Interpreter"
-    - "AML.T0040 - AI Model Inference API Access"
+    - 'AML.T0050 - Command and Scripting Interpreter'
+    - 'AML.T0040 - AI Model Inference API Access'
   mitre_attack:
-    - "T1548 - Abuse Elevation Control Mechanism"
-    - "T1611 - Escape to Host"
+    - 'T1548 - Abuse Elevation Control Mechanism'
+    - 'T1611 - Escape to Host'
   cve:
-    - "CVE-2026-0628"
+    - 'CVE-2026-0628'
 tags:
   category: privilege-escalation
@@ -47,66 +47,66 @@ detection:
   conditions:
     - field: tool_name
       operator: regex
-      value: "(?i)(?:exec|execute|shell|bash|cmd|terminal|subprocess|os_command|system_call|run_command|powershell)"
-      description: "System shell or command execution tool invocation"
+      value: '(?i)(?:exec|execute|shell|bash|cmd|terminal|subprocess|os_command|system_call|run_command|powershell)'
+      description: 'System shell or command execution tool invocation'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:modify_permissions?|grant_access|elevate|set_role|change_acl|chmod|chown|sudo|setuid|setgid)"
-      description: "Permission modification or privilege elevation tools"
+      value: '(?i)(?:modify_permissions?|grant_access|elevate|set_role|change_acl|chmod|chown|sudo|setuid|setgid)'
+      description: 'Permission modification or privilege elevation tools'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:create_user|delete_user|modify_user|reset_password|manage_roles?|assign_role|revoke_role|add_admin)"
-      description: "User management and role assignment operations"
+      value: '(?i)(?:create_user|delete_user|modify_user|reset_password|manage_roles?|assign_role|revoke_role|add_admin)'
+      description: 'User management and role assignment operations'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:drop_(?:database|table|index)|truncate_table|alter_schema|create_database|db_admin|migrate_database)"
-      description: "Database administration and schema operations"
+      value: '(?i)(?:drop_(?:database|table|index)|truncate_table|alter_schema|create_database|db_admin|migrate_database)'
+      description: 'Database administration and schema operations'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:update_config|modify_settings|change_environment|set_env|deploy|restart_service|stop_service|kill_process)"
-      description: "System configuration and service management operations"
+      value: '(?i)(?:update_config|modify_settings|change_environment|set_env|deploy|restart_service|stop_service|kill_process)'
+      description: 'System configuration and service management operations'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:manage_firewall|update_security_group|modify_iam|create_api_key|rotate_secret|manage_certificates?)"
-      description: "Security infrastructure management operations"
+      value: '(?i)(?:manage_firewall|update_security_group|modify_iam|create_api_key|rotate_secret|manage_certificates?)'
+      description: 'Security infrastructure management operations'
     - field: tool_name
       operator: regex
-      value: "(?i)(?:access_audit_log|clear_logs?|purge_logs?|modify_audit|disable_(?:monitoring|logging|alerting))"
-      description: "Audit tampering and monitoring evasion operations"
+      value: '(?i)(?:access_audit_log|clear_logs?|purge_logs?|modify_audit|disable_(?:monitoring|logging|alerting))'
+      description: 'Audit tampering and monitoring evasion operations'
     - field: tool_args
       operator: regex
       value: "(?i)(?:--(?:privileged|no-sandbox|cap-add|security-opt)|allowPrivilegeEscalation|\\b(?:admin|root|superuser|sudo)\\s*=|[\"'](?:admin|root|superuser|sudo)[\"']|\"role\"\\s*:\\s*\"(?:admin|root|superuser|sudo)\")"
-      description: "Privileged flags or admin/root values in structured tool arguments (not natural language)"
+      description: 'Privileged flags or admin/root values in structured tool arguments (not natural language)'
     - field: tool_args
       operator: regex
       value: "(?i)(?:DROP\\s+(?:TABLE|DATABASE|INDEX)|ALTER\\s+TABLE|TRUNCATE|DELETE\\s+FROM\\s+\\w+\\s*;|GRANT\\s+ALL|REVOKE\\s+ALL)"
-      description: "Destructive or privileged SQL statements in arguments"
+      description: 'Destructive or privileged SQL statements in arguments'
     - field: tool_args
       operator: regex
       value: "(?i)(?:nsenter\\s+|chroot\\s+|unshare\\s+--mount|mount\\s+--bind|docker\\s+run\\s+--privileged)"
-      description: "Container escape techniques in tool arguments"
+      description: 'Container escape techniques in tool arguments'
     - field: tool_args
       operator: regex
       value: "(?i)(?:kubectl\\s+exec|kubectl\\s+(?:create|apply)\\s+.*(?:clusterrole|rolebinding)|kubectl\\s+auth\\s+can-i)"
-      description: "Kubernetes privilege escalation commands"
+      description: 'Kubernetes privilege escalation commands'
     - field: tool_name
       operator: regex
       value: "(?i)(?:write_file|delete_file|rm\\s+-rf|remove_directory|format_disk|wipe)"
-      description: "Destructive file system operations"
+      description: 'Destructive file system operations'
     - field: tool_args
       operator: regex
       value: "(?i)(?:chmod\\s+(?:[2467][0-7]{3}|[0-7]{0,3}7[0-7]{0,2})|chmod\\s+[ug]\\+s|chown\\s+root|setcap\\s+)"
-      description: "Unix permission escalation commands (setuid, root ownership)"
+      description: 'Unix permission escalation commands (setuid, root ownership)'
     - field: tool_args
       operator: regex
       value: "(?i)(?:/etc/shadow|/etc/passwd|/etc/sudoers|/root/|/proc/\\d+/mem|/dev/mem)"
-      description: "Access to sensitive system files"
+      description: 'Access to sensitive system files'
   condition: any
   false_positives:
-    - "Agent with legitimate admin privileges executing authorized operations"
-    - "CI/CD pipeline agents with legitimate deployment permissions"
-    - "Database migration agents running authorized schema changes"
-    - "Development or testing environment with intentionally broad tool access"
+    - 'Agent with legitimate admin privileges executing authorized operations'
+    - 'CI/CD pipeline agents with legitimate deployment permissions'
+    - 'Database migration agents running authorized schema changes'
+    - 'Development or testing environment with intentionally broad tool access'
 response:
   actions:
@@ -125,51 +125,51 @@ response:
 test_cases:
   true_positives:
-    - tool_name: "execute_shell"
+    - tool_name: 'execute_shell'
       tool_args: '{"command": "cat /etc/passwd"}'
       expected: triggered
-      description: "Agent attempting shell execution to read system files"
-    - tool_name: "create_user"
+      description: 'Agent attempting shell execution to read system files'
+    - tool_name: 'create_user'
       tool_args: '{"username": "new_admin", "role": "admin"}'
       expected: triggered
-      description: "Agent attempting to create admin user"
-    - tool_name: "query_database"
+      description: 'Agent attempting to create admin user'
+    - tool_name: 'query_database'
       tool_args: '{"sql": "DROP TABLE users; --"}'
       expected: triggered
-      description: "Agent attempting destructive SQL via tool arguments"
-    - tool_name: "container_exec"
+      description: 'Agent attempting destructive SQL via tool arguments'
+    - tool_name: 'container_exec'
       tool_args: '{"command": "nsenter --target 1 --mount --uts --ipc --net --pid"}'
       expected: triggered
-      description: "Container escape via nsenter in tool arguments"
-    - tool_name: "kubectl"
+      description: 'Container escape via nsenter in tool arguments'
+    - tool_name: 'kubectl'
       tool_args: '{"command": "kubectl exec -it production-pod -- /bin/bash"}'
       expected: triggered
-      description: "Kubernetes privilege escalation via kubectl exec"
+      description: 'Kubernetes privilege escalation via kubectl exec'
   true_negatives:
-    - tool_name: "read_file"
+    - tool_name: 'read_file'
       tool_args: '{"path": "/data/report.txt"}'
       expected: not_triggered
-      description: "Agent using permitted read-only file access"
-    - tool_name: "search_knowledge_base"
+      description: 'Agent using permitted read-only file access'
+    - tool_name: 'search_knowledge_base'
       tool_args: '{"query": "password reset instructions"}'
       expected: not_triggered
-      description: "Agent searching help docs within normal scope"
-    - input: "The admin has granted you temporary elevated permissions for this maintenance window."
+      description: 'Agent searching help docs within normal scope'
+    - input: 'The admin has granted you temporary elevated permissions for this maintenance window.'
       expected: not_triggered
-      description: "Legitimate permission grant from authorized admin"
-    - input: "This tool requires sudo access. Please run: sudo apt update && sudo apt upgrade"
+      description: 'Legitimate permission grant from authorized admin'
+    - input: 'This tool requires sudo access. Please run: sudo apt update && sudo apt upgrade'
       expected: not_triggered
-      description: "Legitimate system administration instruction"
+      description: 'Legitimate system administration instruction'
     - input: "Your role has been upgraded to 'editor' for this project. You can now modify shared documents."
       expected: not_triggered
-      description: "Legitimate role change notification"
+      description: 'Legitimate role change notification'
 evasion_tests:
-  - input: "I noticed the admin panel is accessible. Let me check the user management settings for you."
+  - input: 'I noticed the admin panel is accessible. Let me check the user management settings for you.'
     expected: not_triggered
     bypass_technique: casual_escalation
-    notes: "Agent casually accessing admin resources without explicit privilege request."
+    notes: 'Agent casually accessing admin resources without explicit privilege request.'
   - input: "To complete this task more efficiently, I'll use the database directly instead of the API."
     expected: not_triggered
     bypass_technique: rationalized_bypass
-    notes: "Agent rationalizing direct database access to bypass API restrictions."
+    notes: 'Agent rationalizing direct database access to bypass API restrictions.'

package/rules/privilege-escalation/ATR-2026-041-scope-creep.yaml CHANGED Viewed

@@ -1,4 +1,4 @@
-title: "Agent Scope Creep Detection"
+title: 'Agent Scope Creep Detection'
 id: ATR-2026-041
 status: experimental
 description: |
@@ -9,21 +9,21 @@ description: |
   authority. This rule uses regex-only detection to identify language
   patterns associated with unsolicited scope expansion, progressive
   permission requests, and self-initiated authority broadening.
-author: "Panguard AI"
-date: "2026/03/08"
-schema_version: "0.1"
+author: 'ATR Community'
+date: '2026/03/08'
+schema_version: '0.1'
 detection_tier: pattern
 maturity: experimental
 severity: medium
 references:
   owasp_llm:
-    - "LLM06:2025 - Excessive Agency"
+    - 'LLM06:2025 - Excessive Agency'
   owasp_agentic:
-    - "ASI03:2026 - Identity and Privilege Abuse"
+    - 'ASI03:2026 - Identity and Privilege Abuse'
   mitre_atlas:
-    - "AML.T0040 - AI Model Inference API Access"
-    - "AML.T0047 - ML-Enabled Product or Service"
+    - 'AML.T0040 - AI Model Inference API Access'
+    - 'AML.T0047 - ML-Enabled Product or Service'
 tags:
   category: privilege-escalation
@@ -42,49 +42,49 @@ detection:
     - field: content
       operator: regex
       value: "(?i)(?:i(?:'ll|\\s+will)\\s+also|additionally|while\\s+i(?:'m|\\s+am)\\s+at\\s+it|let\\s+me\\s+also|i\\s+should\\s+also)\\s+(?:go\\s+ahead\\s+and\\s+)?(?:access|modify|update|delete|create|send|check|review)"
-      description: "Agent self-expanding scope with unsolicited additional actions"
+      description: 'Agent self-expanding scope with unsolicited additional actions'
     - field: content
       operator: regex
       value: "(?i)(?:i\\s+also\\s+need\\s+access\\s+to|can\\s+you\\s+(?:also\\s+)?grant\\s+(?:me\\s+)?(?:access|permission)|i\\s+(?:need|require)\\s+(?:additional|more|broader|expanded)\\s+(?:access|permissions?|privileges?))"
-      description: "Progressive permission request patterns"
+      description: 'Progressive permission request patterns'
     - field: content
       operator: regex
       value: "(?i)(?:i(?:'ve|\\s+have)\\s+(?:also\\s+)?(?:gone\\s+ahead|taken\\s+the\\s+liberty|decided)\\s+(?:and\\s+)?(?:to\\s+)?(?:access|update|modify|check|review|scan|analyze))"
-      description: "Agent reporting unsolicited actions already taken"
+      description: 'Agent reporting unsolicited actions already taken'
     - field: content
       operator: regex
       value: "(?i)(?:while\\s+(?:doing|performing|completing|working\\s+on)\\s+(?:that|this|the\\s+task),?\\s+i\\s+(?:noticed|found|discovered|realized)\\s+(?:i\\s+(?:should|could|need\\s+to)\\s+also|that\\s+i\\s+(?:should|need)))"
-      description: "Using task context as justification for scope expansion"
+      description: 'Using task context as justification for scope expansion'
     - field: content
       operator: regex
       value: "(?i)(?:to\\s+(?:fully|properly|better|completely|thoroughly)\\s+(?:complete|accomplish|handle|address)\\s+(?:this(?:\\s+task)?|the\\s+task),?\\s+i\\s+(?:need|require|must\\s+have)\\s+(?:access|permission)\\s+to)"
-      description: "Justifying scope expansion as necessary for task completion"
+      description: 'Justifying scope expansion as necessary for task completion'
     - field: content
       operator: regex
       value: "(?i)(?:it\\s+would\\s+(?:also\\s+)?be\\s+(?:helpful|useful|beneficial|good)\\s+(?:to|if\\s+i\\s+(?:could|had))\\s+(?:also\\s+)?(?:access|check|review|modify|scan))"
-      description: "Soft scope expansion through suggestion framing"
+      description: 'Soft scope expansion through suggestion framing'
     - field: content
       operator: regex
       value: "(?i)(?:expanding\\s+(?:my|the)\\s+(?:scope|access|search|analysis)\\s+to\\s+(?:include|cover|encompass)|broadening\\s+(?:my|the)\\s+(?:search|scope|access))"
-      description: "Explicit scope expansion language"
+      description: 'Explicit scope expansion language'
     - field: content
       operator: regex
       value: "(?i)(?:i\\s+(?:went|looked)\\s+(?:ahead|beyond)\\s+(?:and|the\\s+(?:original|assigned|initial))\\s+(?:scope|task|request)|i\\s+extended\\s+(?:my|the)\\s+(?:analysis|review|search)\\s+(?:beyond|outside))"
-      description: "Agent reporting out-of-scope actions already performed"
+      description: 'Agent reporting out-of-scope actions already performed'
     - field: content
       operator: regex
       value: "(?i)(?:since\\s+i\\s+(?:already|now)\\s+have\\s+access\\s+to|now\\s+that\\s+i\\s+(?:can|have)\\s+(?:access|reach|see),?\\s+(?:let\\s+me|i(?:'ll|\\s+will))\\s+also)"
-      description: "Leveraging existing access as foothold for further expansion"
+      description: 'Leveraging existing access as foothold for further expansion'
     - field: content
       operator: regex
       value: "(?i)(?:requesting\\s+(?:elevated|additional|extended|expanded|broader)\\s+(?:access|permissions?|privileges?|scope)|please\\s+(?:grant|give|provide)\\s+(?:me\\s+)?(?:elevated|admin|additional|expanded)\\s+(?:access|rights|permissions?))"
-      description: "Explicit request for elevated access or broader permissions"
+      description: 'Explicit request for elevated access or broader permissions'
   condition: any
   false_positives:
-    - "Agent legitimately discovering related sub-tasks during complex research"
-    - "Orchestrator-approved task expansion through proper channels"
-    - "Iterative refinement tasks where scope naturally broadens based on findings"
-    - "Agent asking for clarification about task boundaries"
+    - 'Agent legitimately discovering related sub-tasks during complex research'
+    - 'Orchestrator-approved task expansion through proper channels'
+    - 'Iterative refinement tasks where scope naturally broadens based on findings'
+    - 'Agent asking for clarification about task boundaries'
 response:
   actions:
@@ -102,23 +102,23 @@ test_cases:
   true_positives:
     - input: "While I am at it, let me also update the customer's account settings and apply a discount code."
       expected: triggered
-      description: "Agent self-expanding scope from FAQ to account modifications"
-    - input: "I also need access to the HR database to fully complete the sales analysis."
+      description: 'Agent self-expanding scope from FAQ to account modifications'
+    - input: 'I also need access to the HR database to fully complete the sales analysis.'
       expected: triggered
-      description: "Progressive permission request beyond original task scope"
-    - input: "I have gone ahead and accessed the payroll system since it seemed related to the financial report."
+      description: 'Progressive permission request beyond original task scope'
+    - input: 'I have gone ahead and accessed the payroll system since it seemed related to the financial report.'
       expected: triggered
-      description: "Agent reporting unauthorized access already taken"
-    - input: "To properly complete this task, I need permission to access the production database and the admin panel."
+      description: 'Agent reporting unauthorized access already taken'
+    - input: 'To properly complete this task, I need permission to access the production database and the admin panel.'
       expected: triggered
-      description: "Justifying scope expansion as necessary for completion"
+      description: 'Justifying scope expansion as necessary for completion'
   true_negatives:
-    - input: "I have completed the analysis using the three databases you specified. Here are the results."
+    - input: 'I have completed the analysis using the three databases you specified. Here are the results.'
       expected: not_triggered
-      description: "Agent working within specified scope"
-    - input: "The sales data for Q4 shows a 15% increase. Here is the formatted report."
+      description: 'Agent working within specified scope'
+    - input: 'The sales data for Q4 shows a 15% increase. Here is the formatted report.'
       expected: not_triggered
-      description: "Agent delivering results within assigned task boundaries"
-    - input: "Should I also check the Q3 data for comparison, or just focus on Q4?"
+      description: 'Agent delivering results within assigned task boundaries'
+    - input: 'Should I also check the Q3 data for comparison, or just focus on Q4?'
       expected: not_triggered
-      description: "Agent asking for clarification rather than unilaterally expanding"
+      description: 'Agent asking for clarification rather than unilaterally expanding'