agent-threat-rules 2.0.14 → 2.0.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-threat-rules",
-  "version": "2.0.14",
+  "version": "2.0.15",
   "type": "module",
   "description": "Open detection standard -- like Sigma, but for AI agents. 311 rules for prompt injection, tool poisoning, context exfiltration, and MCP attacks. Shipped in Cisco AI Defense. 97.1% recall on NVIDIA garak.",
   "main": "./dist/index.js",

package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml

@@ -32,6 +32,45 @@ references:
     - "AML.T0056 - LLM Meta Prompt Extraction"
     - "AML.T0051 - LLM Prompt Injection"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Revealing system prompt content enables adversaries to map agent constraints and craft targeted bypass attacks, directly enabling future Agent Goal Hijack attacks classified under ASI01."
+      strength: primary
+    - id: ASI06:2026
+      context: "System prompt leakage exposes the agent's memory and context configuration to adversaries, falling under ASI06 Memory and Context Poisoning as an information disclosure precursor."
+      strength: secondary
+  owasp_llm:
+    - id: LLM07:2025
+      context: "This rule is the primary detection implementation for LLM07:2025 System Prompt Leakage, covering direct quotation, instruction paraphrasing, guardrail revelation, and config exposure in agent output."
+      strength: primary
+    - id: LLM02:2025
+      context: "System prompt content constitutes sensitive operational information; its disclosure in agent output also satisfies the LLM02:2025 Sensitive Information Disclosure category."
+      strength: secondary
+  eu_ai_act:
+    - article: "13"
+      context: "While transparency is required toward users, internal guardrail and system-prompt disclosure to adversaries violates Article 13 by exposing configurations that undermine safe operation of the AI system."
+      strength: primary
+    - article: "12"
+      context: "Detection events generated by this rule serve as Article 12 automatic log records of system-prompt leakage incidents, enabling post-incident review by deployers."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.6.1
+      context: "Organizational policies for AI data and privacy (GV.6.1) must cover protection of internal operational configurations; this rule enforces that policy at runtime."
+      strength: primary
+    - function: Measure
+      subcategory: MS.2.5
+      context: "Measuring the effectiveness of data protection controls for AI systems (MS.2.5) requires detection of unauthorized disclosure of system-level configurations."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "Clause 8.4 AI system impact assessment identifies confidential operational parameters as assets requiring protection; this rule detects when those assets are disclosed in output."
+      strength: primary
+    - clause: "9.1"
+      context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; system prompt disclosure events are anomalies that must be measured and reported."
+      strength: secondary
+
 tags:
   category: context-exfiltration
   subcategory: system-prompt-leak

package/rules/context-exfiltration/ATR-2026-00021-api-key-exposure.yaml

@@ -29,6 +29,43 @@ references:
     - "AML.T0057 - LLM Data Leakage"
     - "AML.T0055 - Unsecured Credentials"
 
+compliance:
+  owasp_agentic:
+    - id: ASI03:2026
+      context: "Credential exposure in agent output enables adversaries to abuse the identity and privileges associated with leaked keys, directly enabling unauthorized resource access classified under ASI03."
+      strength: primary
+  owasp_llm:
+    - id: LLM02:2025
+      context: "API keys, tokens, private keys, and database credentials are sensitive information whose disclosure in agent output is the canonical LLM02:2025 Sensitive Information Disclosure scenario."
+      strength: primary
+    - id: LLM07:2025
+      context: "Credentials embedded in or derived from system prompts that appear in agent output constitute a LLM07:2025 System Prompt Leakage incident with direct security impact."
+      strength: secondary
+  eu_ai_act:
+    - article: "12"
+      section: "1"
+      context: "Article 12 requires automatic logging of events; a credential exposure incident is a high-severity event that must be automatically recorded and reported to the deployer for incident investigation."
+      strength: primary
+    - article: "9"
+      context: "Credential leakage is a documented risk class in the AI system risk management plan; Article 9 requires that monitoring controls are implemented to detect and respond to such events."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.6.1
+      context: "GV.6.1 requires organizational policies governing sensitive data and credentials in AI systems; this rule enforces those policies by detecting credential exposure at runtime."
+      strength: primary
+    - function: Manage
+      subcategory: MG.3.1
+      context: "Credential exposure requires an immediate risk treatment response; this detection rule is the technical implementation of the risk treatment plan for credential leakage events."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "Clause 8.4 AI system impact assessment must identify credential leakage as a high-severity impact scenario; this rule generates the detection evidence needed for audit and impact reporting."
+      strength: primary
+    - clause: "6.2"
+      context: "Protecting credentials from exposure is an explicit AIMS information security objective under clause 6.2; detection of leakage events measures whether this objective is being achieved."
+      strength: secondary
+
 tags:
   category: context-exfiltration
   subcategory: credential-exposure

package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml

@@ -29,6 +29,46 @@ references:
   mitre_atlas:
     - AML.T0051.001 - Indirect Prompt Injection
     - AML.T0020 - Poison Training Data
+
+compliance:
+  owasp_agentic:
+    - id: ASI06:2026
+      context: "Injecting hidden directives into RAG-retrieved documents or knowledge base entries is the primary ASI06 Memory and Context Poisoning attack — the agent's context window is contaminated with attacker-controlled instructions."
+      strength: primary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Hidden instruction markers and role-override commands embedded in retrieved content deliver indirect prompt injection through the data layer, satisfying the LLM01:2025 Prompt Injection category via the RAG attack surface."
+      strength: primary
+    - id: LLM03:2025
+      context: "Poisoned knowledge base entries injected into the supply chain of training or retrieval data satisfy the LLM03:2025 Supply Chain Vulnerabilities category at the data tier."
+      strength: secondary
+    - id: LLM08:2025
+      context: "Malicious vector store entries that cause the agent to retrieve and act on attacker-controlled instructions fall under LLM08:2025 Excessive Agency triggered by contaminated retrieval context."
+      strength: partial
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 accuracy and robustness requirements demand that AI systems maintain reliable behavior even when training or retrieval data is adversarially contaminated; this rule detects such contamination in the data pipeline."
+      strength: primary
+    - article: "9"
+      context: "Data poisoning of RAG pipelines is a documented risk requiring monitoring controls under Article 9; detection events from this rule provide the evidence trail for risk management reporting."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Map
+      subcategory: MP.5.1
+      context: "Adversarial manipulation of retrieval data is an AI-specific risk source requiring identification; this rule maps data poisoning attempts as they occur in the production pipeline."
+      strength: primary
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Active detection of data poisoning events implements the risk treatment for the data contamination risk identified in the AI risk register."
+      strength: secondary
+  iso_42001:
+    - clause: "8.3"
+      context: "Clause 8.3 data governance for AI systems requires controls ensuring data integrity; detection of hidden directives in retrieved content is the runtime enforcement of clause 8.3 data quality requirements."
+      strength: primary
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning must include controls for adversarial data injection into AI pipelines; this rule operationalizes the detection measure for that planning objective."
+      strength: secondary
+
 tags:
   category: data-poisoning
   subcategory: rag-and-knowledge-poisoning

package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml

@@ -25,6 +25,43 @@ references:
   mitre_atlas:
     - AML.T0053 - LLM Plugin Compromise
     - AML.T0046 - Spamming ML System with Chaff Data
+
+compliance:
+  owasp_agentic:
+    - id: ASI05:2026
+      context: "Runaway agent loops represent uncontrolled autonomous execution — the agent performs repeated identical actions without human intervention, satisfying the ASI05 Unexpected Code Execution category at the behavioral level."
+      strength: primary
+  owasp_llm:
+    - id: LLM06:2025
+      context: "An agent running infinite retry loops without termination conditions exercises excessive agency beyond its task scope, accumulating costs and resource consumption classified under LLM06:2025."
+      strength: primary
+    - id: LLM10:2025
+      context: "Runaway loops that exhaust compute resources, API rate limits, or accumulated context constitute an LLM10:2025 Unbounded Consumption incident with direct financial and availability impact."
+      strength: secondary
+  eu_ai_act:
+    - article: "14"
+      context: "Article 14 human oversight requires that AI systems can be stopped and corrected; runaway loops that resist termination or mask their loop state undermine the human override capability Article 14 mandates."
+      strength: primary
+    - article: "15"
+      context: "Article 15 robustness requires that AI systems handle failure states gracefully; detection of runaway loops is a monitoring control ensuring the system does not enter unrecoverable autonomous states."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.3.2
+      context: "Runaway agent loops are an AI system failure mode requiring active detection and termination; this rule implements the MG.3.2 response capability for AI failures and disruptions."
+      strength: primary
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 accountability roles must include responsibility for detecting and halting runaway agent behavior; this rule provides the signal required to fulfill that accountability."
+      strength: secondary
+  iso_42001:
+    - clause: "8.6"
+      context: "Clause 8.6 AI system operational control requires monitoring for abnormal execution patterns; runaway loop detection is the primary operational control for this failure class."
+      strength: primary
+    - clause: "9.1"
+      context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; loop counter patterns are the measurable anomaly indicators for this rule."
+      strength: secondary
+
 tags:
   category: excessive-autonomy
   subcategory: runaway-loop

package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml

@@ -30,6 +30,40 @@ references:
     - T1611 - Escape to Host
   cve:
     - CVE-2026-0628
+
+compliance:
+  owasp_agentic:
+    - id: ASI03:2026
+      context: "Privilege escalation via tool permission abuse or admin function invocation is the primary ASI03 Identity and Privilege Abuse scenario — the agent acquires capabilities exceeding its authorized scope."
+      strength: primary
+  owasp_llm:
+    - id: LLM06:2025
+      context: "An agent requesting tools with elevated permissions beyond its assigned role is the canonical LLM06:2025 Excessive Agency scenario, operationalized here via tool-name and argument pattern detection."
+      strength: primary
+  eu_ai_act:
+    - article: "14"
+      context: "Article 14 requires that humans can oversee and intervene in AI system operation; privilege escalation techniques that bypass system-level controls directly undermine the human oversight mechanisms Article 14 mandates."
+      strength: primary
+    - article: "9"
+      context: "Privilege escalation is a documented high-severity risk in the AI system risk register; Article 9 requires monitoring controls to detect and respond to such scope violations."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 requires defined accountability roles and controls for AI system permissions; detection of privilege escalation enforces least-privilege boundaries established in the governance framework."
+      strength: primary
+    - function: Manage
+      subcategory: MG.4.1
+      context: "Privilege escalation events require an incident response; this rule generates the alerts needed to initiate the MG.4.1 AI incident response process."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security objectives include least-privilege enforcement for AI agent operations; this rule detects violations of those objectives at runtime."
+      strength: primary
+    - clause: "8.6"
+      context: "Clause 8.6 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
+      strength: secondary
+
 tags:
   category: privilege-escalation
   subcategory: tool-permission-escalation

package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml

@@ -30,6 +30,39 @@ references:
     - "CVE-2024-3402"
     - "CVE-2025-53773"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Direct prompt injection is the canonical agent goal hijack vector — adversarial user input overrides the agent's assigned objectives and behavioral constraints via instruction-override verbs, persona switching, and encoding obfuscation."
+      strength: primary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "This rule is the primary runtime implementation of the LLM01:2025 Prompt Injection category, covering instruction-override verbs, fake system delimiters, restriction removal, and encoding-wrapped payloads."
+      strength: primary
+  eu_ai_act:
+    - article: "15"
+      context: "High-risk AI systems must be resilient against adversarial attempts to alter output or behavior. Deployment of this detection rule satisfies the Article 15 requirement to implement technical measures ensuring robustness against manipulation."
+      strength: primary
+    - article: "9"
+      context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Treating direct prompt injection as an identified AI risk requires active runtime countermeasures; this detection rule is the primary risk treatment implementation."
+      strength: primary
+    - function: Map
+      subcategory: MP.5.1
+      context: "Identifying adversarial input manipulation as an AI risk to be catalogued in the organizational risk register."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Addressing adversarial manipulation risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
+      strength: primary
+    - clause: "8.4"
+      context: "Impact assessment for AI deployments under clause 8.4 must account for adversarial user inputs; detection events from this rule provide the required monitoring evidence."
+      strength: secondary
+
 tags:
   category: prompt-injection
   subcategory: direct

package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml

@@ -33,6 +33,42 @@ references:
     - "CVE-2025-32711"
     - "CVE-2026-24307"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Indirect prompt injection hijacks agent goals via externally-consumed content (documents, web pages, API responses); the agent processes attacker-controlled instructions without user awareness."
+      strength: primary
+    - id: ASI06:2026
+      context: "Injection via external content poisons the agent's context window and memory with attacker-controlled directives, satisfying the ASI06 Memory and Context Poisoning category."
+      strength: secondary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Indirect prompt injection via HTML comments, zero-width characters, hidden CSS text, and data URIs is a primary LLM01 attack variant delivered through external content rather than direct user input."
+      strength: primary
+  eu_ai_act:
+    - article: "15"
+      context: "High-risk AI systems must resist adversarial content embedded in external inputs. Detection of hidden injection payloads in consumed documents satisfies Article 15 robustness and cybersecurity requirements."
+      strength: primary
+    - article: "9"
+      context: "Indirect injection from third-party content sources is a documented risk category requiring mitigation controls under Article 9 risk management obligations."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Runtime detection of injection payloads embedded in third-party content implements the risk treatment for indirect prompt injection identified in the AI risk register."
+      strength: primary
+    - function: Map
+      subcategory: MP.3.3
+      context: "External content providers are third-party components in the AI supply chain; this rule identifies their attack surface as a risk source."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS planning requires controls for externally-sourced risks; this rule operationalizes the detection measure for indirect injection via consumed content."
+      strength: primary
+    - clause: "8.5"
+      context: "Externally-provided content processed by the agent falls under clause 8.5 control of externally-provided processes; this rule validates that external content does not contain adversarial directives."
+      strength: secondary
+
 tags:
   category: prompt-injection
   subcategory: indirect

package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml

@@ -26,6 +26,43 @@ references:
     - AML.T0010 - ML Supply Chain Compromise
   mitre_attack:
     - T1195 - Supply Chain Compromise
+
+compliance:
+  owasp_agentic:
+    - id: ASI04:2026
+      context: "MCP skill impersonation via typosquatting, namespace collision, and version spoofing is the primary ASI04 Agentic Supply Chain Vulnerabilities attack vector — malicious skills masquerade as trusted tools to gain agent execution context."
+      strength: primary
+  owasp_llm:
+    - id: LLM03:2025
+      context: "Typosquatted and impersonated MCP skills are supply chain compromise artifacts targeting the tool ecosystem; this rule implements LLM03:2025 Supply Chain Vulnerabilities detection at the skill-name level."
+      strength: primary
+    - id: LLM05:2025
+      context: "An agent invoking an impersonated skill may receive malicious responses that require LLM05:2025 Improper Output Handling controls; this rule prevents the initial tool invocation before output is processed."
+      strength: secondary
+  eu_ai_act:
+    - article: "13"
+      context: "Article 13 transparency requires that AI systems operate with clearly identified components; skill impersonation violates this requirement by substituting unauthorized tools that appear legitimate."
+      strength: primary
+    - article: "9"
+      context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Map
+      subcategory: MP.2.3
+      context: "Identifying typosquatted and impersonated MCP skills as AI supply chain risks implements MP.2.3 AI supply chain risk identification at the tool-registry level."
+      strength: primary
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
+      strength: secondary
+  iso_42001:
+    - clause: "8.5"
+      context: "MCP skills are externally-provided AI-related components under clause 8.5; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
+      strength: primary
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
+      strength: secondary
+
 tags:
   category: skill-compromise
   subcategory: skill-impersonation

package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml

@@ -40,6 +40,45 @@ references:
     - "CVE-2025-59536"
     - "CVE-2026-21852"
 
+compliance:
+  owasp_agentic:
+    - id: ASI02:2026
+      context: "Malicious content injected via MCP tool responses is the primary ASI02 Tool Misuse and Exploitation vector — a compromised or impersonated MCP server weaponizes the tool call interface to deliver shells, encoded payloads, and privilege escalation commands."
+      strength: primary
+    - id: ASI05:2026
+      context: "Shell commands and code execution payloads in tool responses aim to trigger unexpected code execution by the agent, falling under the ASI05 Unexpected Code Execution category."
+      strength: secondary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Prompt injection delivered through MCP tool responses is an indirect LLM01:2025 attack variant where the injection payload is embedded in tool output rather than user input."
+      strength: primary
+    - id: LLM05:2025
+      context: "Failure to validate MCP tool response content before agent processing is a LLM05:2025 Improper Output Handling scenario enabling downstream command injection and reverse shell execution."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "MCP tool response injection attacks the cybersecurity integrity of the AI system; Article 15 requires technical measures ensuring the system can resist such third-party content attacks."
+      strength: primary
+    - article: "9"
+      context: "Compromised MCP server responses are a documented attack surface in the AI system risk register; Article 9 requires detection controls to manage this identified risk."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Runtime detection of malicious MCP tool responses is the primary risk treatment for tool-poisoning attacks identified in the AI risk register."
+      strength: primary
+    - function: Map
+      subcategory: MP.3.3
+      context: "MCP servers are third-party components in the AI tool ecosystem; identifying malicious tool responses is an MP.3.3 third-party component risk detection action."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning requires controls for third-party tool interfaces; this rule operationalizes the detection measure for malicious content delivered via MCP."
+      strength: primary
+    - clause: "8.5"
+      context: "MCP server integrations are externally-provided AI-related processes under clause 8.5; this rule validates that external tool responses do not contain adversarial payloads before the agent acts on them."
+      strength: secondary
+
 tags:
   category: tool-poisoning
   subcategory: mcp-response-injection