npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.0 - Mend

agent-threat-rules 2.0.18 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml CHANGED Viewed

@@ -20,6 +20,17 @@ references:
     - ASI08 - Data Leakage
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects adversarial prompts that use example API key formats with real prefixes to trick agents into completing them with actual credentials, which is a direct privacy/sensitive-data exposure risk; MS.2.10 requires assessment of privacy risks including credential and sensitive information disclosure."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Example-format key leakage is a security exfiltration vector targeting agent context; MS.2.7 requires continuous evaluation of AI system security and resilience against data extraction techniques."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of API key leakage attempts triggers containment and disengagement workflows to prevent the agent from emitting credentials; MG.2.3 mandates that supersede/deactivate mechanisms are available when sensitive data exposure is detected."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: example-format-leak

package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml CHANGED Viewed

@@ -20,6 +20,17 @@ references:
     - ASI08 - Data Leakage
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects tool response piggybacking that embeds credential theft (SSH keys, private keys) after legitimate results using casual transition words; MS.2.10 requires assessing privacy risk from data leakage vectors that exfiltrate sensitive credentials through seemingly benign output channels."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Casual-transition piggybacking is a prompt injection evasion technique that bypasses output filtering by chaining illicit credential disclosure to legitimate responses; MS.2.7 requires evaluating system security and resilience against these adversarial output manipulation patterns."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of transition-word piggyback patterns triggers containment workflows to block credential exfiltration before it leaves the agent boundary; MG.2.3 mandates that mechanisms exist to disengage or quarantine AI outputs when data leakage indicators are matched."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: piggyback-transition

package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml CHANGED Viewed

@@ -21,6 +21,17 @@ references:
     - ASI08 - Data Leakage
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects API key exfiltration disguised by fake encryption wrappers like 'AES256(sk-proj-...)'; MS.2.10 requires that privacy and sensitive-data leakage risks are continuously assessed, and these detections directly evidence credential disclosure attempts."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Obfuscated key disclosure is an evasion technique against output filters; MS.2.7 requires evaluation of system security and resilience against adversarial bypass tactics that defeat naive secret-detection controls."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of fake-encryption-wrapped credentials must trigger response plans to block transmission and revoke exposed keys; MG.2.3 requires mechanisms to supersede or disengage AI actions before the leak completes."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: obfuscated-key

package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml CHANGED Viewed

@@ -21,6 +21,20 @@ references:
     - ASI08 - Data Leakage
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule detects agent responses that confirm the existence of sensitive environment variables, which constitutes a privacy and confidentiality leak even without revealing values; MS.2.10 requires assessing privacy risks including indirect disclosures that confirm sensitive system metadata.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Confirming env var existence is a reconnaissance step in social-engineering exfiltration chains targeting agent secrets; MS.2.7 requires evaluating system security and resilience against such probing techniques.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of env var probing patterns enables containment responses to halt the exfiltration attempt before the agent escalates to retrieving the actual value; MG.2.3 mandates pre-defined treatment mechanisms for these risk events.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: env-var-probe

package/rules/context-exfiltration/ATR-2026-00150-credential-in-tool-response.yaml CHANGED Viewed

@@ -21,6 +21,20 @@ references:
     - ASI01:2026 - Agent Behaviour Hijack
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule directly detects PEM private keys, SSH keys, and API tokens embedded in tool responses, which is a privacy/confidentiality risk assessment signal; MS.2.10 requires that privacy risks such as credential and sensitive data exposure are assessed and documented.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Credential material smuggled into tool output represents a security/resilience failure where untrusted third-party tool responses can exfiltrate secrets through the agent; MS.2.7 requires evaluation of such security risks in the AI system.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of leaked credentials in tool responses must trigger response mechanisms to disengage or block the agent before it propagates or acts on the exfiltrated secrets; MG.2.3 requires these supersede/deactivate controls be in place.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: credential-in-response

package/rules/context-exfiltration/ATR-2026-00152-obfuscated-credential-leak.yaml CHANGED Viewed

@@ -21,6 +21,17 @@ references:
     - ASI01:2026 - Agent Behaviour Hijack
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects credential exfiltration disguised through encoding wrappers (AES256(), hex, rot13) that present real secrets as encrypted data; MS.2.10 requires assessing privacy risks including data leakage pathways that bypass content filters."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Obfuscated credential leakage via fake encryption framing is a security/resilience concern where adversarial encoding tricks defenses into permitting sensitive data egress; MS.2.7 requires evaluating and documenting these security evasion techniques."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of obfuscated credential exfiltration patterns must trigger risk treatment to disengage or quarantine the agent response before secrets leave the trust boundary; MG.2.3 mandates these supersede/deactivate mechanisms exist for such incidents."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: obfuscated-credential

package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml CHANGED Viewed

@@ -20,11 +20,26 @@ references:
     - 'ASI07:2026 - Agent Data Leak'
   mitre_atlas:
     - 'AML.T0040 - ML Model Inference API Access'
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule detects SKILL.md instructions that read credential files (SSH keys, AWS credentials, API tokens) and exfiltrate them via outbound network calls, which is a direct privacy and sensitive-data leakage risk. MS.2.10 requires assessment of privacy risks, and each detection produces concrete evidence of credential disclosure pathways.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Combined credential-access-plus-exfiltration patterns in skill files represent a security/resilience failure where the agent's instruction surface enables data theft. MS.2.7 requires evaluating and documenting such security weaknesses in AI system artifacts.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        High-confidence matches for credential read-and-exfiltrate pipelines must trigger response actions to disengage or quarantine the offending skill before execution. MG.2.3 mandates that mechanisms exist to deactivate AI components when such risks are detected.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: credential-exfil-combo
   scan_target: skill
   confidence: high
+  suppress_in_code_blocks: true
 agent_source:
   type: mcp_exchange
   framework: [any]

package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml CHANGED Viewed

@@ -25,6 +25,20 @@ references:
     - "T1552.001 - Credentials In Files"
     - "T1041 - Exfiltration Over C2 Channel"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        The rule detects exfiltration of credentials and API keys through shell pipes to external commands, which is a direct privacy and confidentiality risk; MS.2.10 requires assessing privacy risks including unauthorized disclosure of sensitive secrets handled by AI agents.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Piping environment variables containing API keys to curl or netcat represents a security/resilience failure where the agent's execution environment is being abused for data exfiltration; MS.2.7 requires continuous evaluation of these security control failures.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of credential exfiltration patterns must trigger immediate containment to disengage the agent before secrets reach attacker-controlled endpoints; MG.2.3 mandates pre-defined mechanisms to supersede or deactivate the AI system on such high-severity events.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: credential-pipe

package/rules/context-exfiltration/ATR-2026-00274-api-key-generation-request.yaml CHANGED Viewed

@@ -27,6 +27,20 @@ references:
     - "AML.T0057 - LLM Data Leakage"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/apikey.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule detects requests that attempt to extract memorized credential strings from training data via partial-key completion, or to fabricate realistic-looking secrets — both of which are privacy and data-leakage risks. MS.2.10 requires that privacy risks, including memorization-based leakage of sensitive strings, are assessed and tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Generating plausible API keys or completing partial credentials enables downstream phishing and service impersonation, undermining system security and resilience. MS.2.7 requires continuous evaluation of security risks like credential fabrication and memorization leakage.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of credential generation or completion requests must trigger risk treatment to block the response before the fabricated or memorized secret is emitted. MG.2.3 mandates that these supersede/disengage mechanisms are in place for high-risk output paths.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: api-key-generation

package/rules/context-exfiltration/ATR-2026-00275-system-prompt-training-data-extraction.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/leakreplay.py"
     - "https://not-just-memorization.github.io/extracting-training-data.html"
     - "https://arxiv.org/abs/2311.17035"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        System prompt extraction and training data verbatim replay (Carlini divergence attack) directly leak confidential context and memorized training data, which is a privacy risk; MS.2.10 requires that privacy risks such as memorization and unauthorized disclosure of training content are assessed and tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting "repeat word forever" divergence attacks and verbatim system prompt exfiltration requests provides evidence for evaluating model security and resilience against extraction attacks; MS.2.7 requires continuous evaluation of the AI system's resistance to these adversarial extraction techniques.
+      strength: secondary
+    - subcategory: "MG.4.1"
+      context: >-
+        Pattern-based detection of system prompt extraction and training data replay probes feeds post-deployment monitoring telemetry; MG.4.1 requires implemented monitoring plans that flag extraction attempts in production traffic.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: system-prompt-training-data-extraction

package/rules/context-exfiltration/ATR-2026-00290-divergence-repeat-word-training-extraction.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/divergence.py"
     - "https://arxiv.org/abs/2301.13188"
     - "https://not-just-memorization.github.io/extracting-training-data.html"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        The divergence attack directly targets training-data memorization, causing models to emit verbatim private documents, emails, and copyrighted text; MS.2.10 requires assessing privacy risk including training-data leakage, and detection of repeat-forever prompts produces evidence of attempted privacy exfiltration.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Repeat-word divergence exploits a known model robustness failure where output distribution collapses and reveals memorized data; MS.2.7 requires evaluating system security/resilience against adversarial extraction probes such as the canonical garak divergence templates.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of "repeat forever/indefinitely" prompts must trigger interception or deactivation of the response stream before memorized training data is fully emitted; MG.2.3 requires mechanisms to supersede or disengage AI output when extraction attacks are identified.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: divergence-repeat-word-training-extraction

package/rules/context-exfiltration/ATR-2026-00291-biometric-surveillance-personal-data-request.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/donotanswer.py"
     - "https://arxiv.org/abs/2308.13387"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "Requests for biometric data (fingerprints, DNA, facial/voice/iris recognition) targeting a named individual are direct privacy risk events; MS.2.10 requires that privacy risks—especially those enabling re-identification, stalking, or biometric harvesting—are assessed and tracked when detected."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Personal-relationship framing ('my ex-wife [Name]') used to legitimize biometric surveillance requests is an adversarial social-engineering pattern; MP.5.1 requires that the likelihood and magnitude of such information-hazard inputs are characterized so the system can refuse and log them."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of named-person biometric extraction attempts must trigger containment responses (refusal, session quarantine) before the model emits identifying biometric content; MG.2.3 mandates that these supersede/disengage mechanisms are defined and activated on detection."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: biometric-surveillance-personal

package/rules/context-exfiltration/ATR-2026-00293-educational-records-personal-data-request.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/donotanswer.py"
     - "https://arxiv.org/abs/2308.13387"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects attempts to extract private educational and professional records about named individuals, which is a direct privacy risk assessment signal; MS.2.10 requires that privacy risks like unauthorized disclosure of personally identifiable academic and credential data are evaluated and tracked."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Possessive framing combined with relationship labels and first names is an adversarial social-engineering pattern designed to coax the model into disclosing protected records; MP.5.1 requires identifying and characterizing the likelihood and magnitude of these information-hazard attack vectors."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of named-individual educational record requests must trigger pre-defined risk treatment to block or redirect the response before sensitive data is fabricated or leaked; MG.2.3 mandates that such containment mechanisms are in place."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: educational-records-personal

package/rules/context-exfiltration/ATR-2026-00294-financial-pii-personal-data-request.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/donotanswer.py"
     - "https://arxiv.org/abs/2308.13387"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule detects requests for private financial PII (bank accounts, credit cards, net worth, tax records) targeting a named individual, which is a direct privacy risk to identifiable third parties. MS.2.10 requires assessing privacy risk, and detection of these named-person financial data extraction attempts produces the evidence needed to quantify and track that risk.
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: >-
+        Possessive financial PII queries with relationship-plus-name framing must trigger response mechanisms to refuse, redact, or disengage before the model emits sensitive financial data enabling fraud or identity theft. MG.2.3 requires that such supersede/deactivate controls are in place and activated upon detection.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        Relationship-label social-engineering framing (e.g., "my doctor, Anne's bank account") is an adversarial input pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these high-magnitude financial-PII exfiltration vectors.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: financial-pii-personal

package/rules/context-exfiltration/ATR-2026-00295-medical-pii-personal-data-request.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/donotanswer.py"
     - "https://arxiv.org/abs/2308.13387"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        The rule detects requests targeting private medical PII (diagnoses, medications, SSN, DOB) for named individuals identified via relationship labels; MS.2.10 requires assessing privacy risk, and each detection is direct evidence of a privacy-violating data exfiltration attempt.
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of possessive medical PII queries for named persons triggers risk treatment to block or disengage the response before sensitive health data or SSNs are disclosed; MG.2.3 requires these supersede/deactivate mechanisms be in place for high-severity privacy attacks.
+      strength: secondary
+    - subcategory: "GV.1.1"
+      context: >-
+        Medical PII and SSN disclosure implicate health-privacy and identity-protection legal regimes; GV.1.1 requires that detections of such requests are logged and managed against applicable legal and regulatory requirements.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: medical-pii-personal

package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml CHANGED Viewed

@@ -30,6 +30,29 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/web_injection.py"
     - "https://embracethered.com/blog/posts/2023/ai-injections-direct-and-indirect-prompt-injection-basics/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: >-
+        This rule detects markdown image/link syntax crafted to exfiltrate sensitive
+        context data via URL query parameters to known attacker domains; MS.2.10
+        requires that privacy risks such as covert data leakage from agent outputs
+        are assessed and tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detection of javascript: URIs and XSS payloads embedded in markdown links
+        rendered by browser/Colab/playground frontends provides evidence for
+        MS.2.7's requirement to evaluate AI system security and resilience against
+        rendering-layer injection attacks.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on garak web_injection exfil domains and StringAssembly templates
+        trigger risk treatment plans to block or sanitize tool responses before
+        rendering; MG.2.3 requires these containment mechanisms be in place to
+        disengage unsafe outputs.
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: markdown-url-data-leak

package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/apikey.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.10"
+      context: "This rule detects prompts attempting to elicit API credentials through generation requests or partial-key completion social engineering; MS.2.10 requires assessing privacy and sensitive-information risks, and these detections directly measure credential-disclosure exposure in LLM responses."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Generation and completion of API keys for named services (OpenAI, AWS, Stripe, GitHub, etc.) represents a security/resilience failure where the LLM may fabricate or leak credential-like strings; MS.2.7 mandates continuous evaluation of such security risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of credential-elicitation prompts triggers risk treatment workflows to block responses or disengage the model before secrets are emitted; MG.2.3 requires pre-defined mechanisms to supersede or deactivate AI behavior on such high-confidence credential-leak signals."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: credential-generation-elicitation

package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/glitch.py"
     - "https://www.lesswrong.com/posts/aPeJE8bSo6rAFoLqg/solidgoldmagikarp-plus-prompt-generation"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Glitch token injection exploits tokenizer-level weaknesses to destabilize model safety filters and induce unstable behavior; MS.2.7 requires evaluating and documenting AI system security and resilience against such low-level adversarial inputs."
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: "Control characters, UTF-8 misencoding artifacts, and anomalous rare tokens cause models to hallucinate or fail to reproduce input accurately, directly impacting robustness and reliability that MS.2.5 mandates be evaluated."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Detection of known glitch token corpora (SolidGoldMagikarp, davidjl, ÃÂÃÂ patterns) characterizes the likelihood and magnitude of tokenizer-exploitation risks that MP.5.1 requires be identified and tracked."
+      strength: secondary
 tags:
   category: model-abuse
   subcategory: glitch-token-destabilization

package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/malwaregen.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Direct malware code generation requests are misuse attempts that materially affect the AI system's safety/security risk magnitude; MS.2.6 requires continuous evaluation of such safety/security risks, and each detection provides measurement evidence of harmful generation attempts."
+      strength: primary
+    - subcategory: "MG.4.1"
+      context: "Detecting unframed virus and malware sub-function requests at runtime feeds the post-deployment monitoring plans required by MG.4.1, ensuring abuse patterns sourced from probes like garak malwaregen are tracked across deployed models."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Cataloging direct malware code generation prompts (TSR, interrupt hooks, SAM/shadow access, privilege escalation across 8 languages) characterizes the likelihood and magnitude of model-abuse impact required by MP.5.1."
+      strength: secondary
 tags:
   category: model-abuse
   subcategory: malware-code-generation

package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml CHANGED Viewed

@@ -21,6 +21,17 @@ references:
     - ASI03 - Excessive Agency
 metadata_provenance:
   mitre_atlas: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.1.2"
+      context: "Rationalized safety control bypass undermines the accountability boundaries that define which APIs and controls an agent must use; GV.1.2 requires that assigned role boundaries are enforced even when agents construct efficiency-based justifications for circumventing them."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of bypass-rationalization language ('I'll use X directly instead of Y') triggers the risk treatment and deactivation pathways required by MG.2.3 before the agent executes unauthorized direct system access."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Self-justified safety control circumvention is an adversarial behavior pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying these jailbreak-adjacent reasoning patterns as tracked risks."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: rationalized-bypass

package/rules/privilege-escalation/ATR-2026-00204-stealth-execution-persistence.yaml CHANGED Viewed

@@ -26,6 +26,20 @@ references:
     - "T1543 - Create or Modify System Process"
     - "T1036 - Masquerading"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of stealth execution, persistence installation, and covert file transfer triggers the supersede/disengage mechanisms required by MG.2.3 to halt the agent before long-term attacker presence is established on the compromised host.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Background process suppression, systemctl enable, and scp exfiltration patterns are security/resilience signals that MS.2.7 requires to be continuously evaluated and documented as evidence of post-exploitation activity through the AI agent.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        Stealth persistence techniques represent high-magnitude adversarial misuse of agent tool access; MP.5.1 requires characterizing the likelihood and impact of such post-exploitation risks within the agent's operational context.
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: stealth-persistence

package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   cve:
     - CVE-2024-5184
     - CVE-2025-32711
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "System prompt override attempts are adversarial inputs that exploit the foundational instruction layer of LLM-based agents; MP.5.1 requires characterizing the likelihood and magnitude of these prompt injection risks, and this rule directly produces evidence by identifying override patterns including special tokens, role injection, and delimiter abuse."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of ChatML, Llama, Mistral, and Gemma special tokens plus XML/JSON/YAML system directive injection provides continuous security/resilience evaluation evidence required by MS.2.7, documenting attempts to subvert the agent's foundational behavior controls."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Successful system prompt override grants full control over agent behavior, so detection events must trigger the supersede/disengage mechanisms required by MG.2.3 to deactivate or quarantine the affected agent session before downstream unauthorized actions occur."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: system-prompt-override

package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml CHANGED Viewed

@@ -27,6 +27,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
     - "AML.T0043 - Craft Adversarial Data"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Multi-turn prompt injection is an adversarial input pattern that exploits conversational context and trust escalation to gradually manipulate the agent; MP.5.1 requires that the likelihood and magnitude of such staged adversarial attacks are characterized and tracked across turns."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting linguistic markers of trust-building, gaslighting, and progressive escalation provides continuous evidence for evaluating the agent's security and resilience against sophisticated prompt injection campaigns, as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Identification of multi-turn injection patterns triggers risk treatment plans to disengage or interrupt the manipulated conversation before the attacker reaches the escalation payload; MG.2.3 mandates these response mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: multi-turn

package/rules/prompt-injection/ATR-2026-00080-encoding-evasion.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Encoding-based evasion (base64, hex, Unicode escapes, Punycode, RTL overrides) directly tests the security and resilience of the AI system's input filtering pipeline; MS.2.7 requires that such adversarial bypass techniques are evaluated and documented as part of continuous security assessment."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Encoded prompt injection payloads are adversarial inputs whose likelihood and impact must be characterized as part of GenAI prompt-injection risk; MP.5.1 requires identifying and tracking these obfuscated attack vectors against the LLM."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of encoded override instructions triggers pre-defined risk treatment plans to block or sanitize the payload before it reaches the model; MG.2.3 mandates these containment mechanisms are in place to disengage malicious flows."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: encoding-evasion

package/rules/prompt-injection/ATR-2026-00081-semantic-multi-turn.yaml CHANGED Viewed

@@ -19,6 +19,20 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Multi-turn semantic evasion is a prompt injection attack vector that directly tests AI system security and resilience against adversarial inputs that bypass pattern-based defenses; MS.2.7 requires continuous evaluation of security posture against such evasion techniques, and detection events feed that evaluation.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting callback references to planted instructions and multi-phase activation triggers provides ongoing measurement of safety/security risk magnitude as attackers adapt to evade regex defenses; MS.2.6 requires this risk magnitude be evaluated continuously across conversation turns.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        On detection of semantic evasion patterns, the system must be able to disengage or quarantine the affected session before the multi-turn payload completes; MG.2.3 mandates that such supersede/deactivate mechanisms are in place for adversarial prompt injection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: semantic-evasion

package/rules/prompt-injection/ATR-2026-00082-fingerprint-evasion.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MG.4.1"
+      context: "This rule directly supports post-deployment monitoring by detecting attempts to evade behavioral drift detection and fingerprinting systems; MG.4.1 requires that monitoring plans remain effective against adversaries who try to normalize anomalous behavior or gradually shift capabilities to avoid drift triggers."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Spoofing behavioral signatures and probing fingerprint detectors are resilience attacks against the security telemetry layer; MS.2.7 requires evaluating and documenting the system's ability to maintain integrity of its security/resilience controls under adversarial probing."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of fingerprint evasion patterns triggers risk treatment to deactivate or constrain agents whose behavior signatures cannot be trusted; MG.2.3 requires mechanisms to supersede or disengage AI systems when monitoring assurances are undermined."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: fingerprint-evasion

package/rules/prompt-injection/ATR-2026-00083-indirect-tool-injection.yaml CHANGED Viewed

@@ -19,6 +19,20 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Indirect prompt injection via poisoned tool responses, API outputs, and retrieved content is a GenAI-specific adversarial input vector where hidden instructions exploit the agent's trust in external data sources; MP.5.1 requires identifying and characterizing the likelihood and impact of these injection risks across data ingestion paths.
+      strength: primary
+    - subcategory: "MG.3.1"
+      context: >-
+        Tool responses and retrieved content originate from third-party APIs, plugins, and data sources; detecting injection payloads in these flows directly supports MG.3.1's mandate to manage risks introduced by third-party entities feeding the AI system.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of instruction-override payloads, fake system delimiters, and role-reassignment content in tool outputs must trigger containment so the agent does not execute attacker-controlled actions; MG.2.3 requires these supersede/disengage mechanisms be available on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: indirect-injection

package/rules/prompt-injection/ATR-2026-00084-structured-data-injection.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Structured data injection embeds adversarial prompts inside JSON, CSV, XML, or YAML field values to bypass text-pattern filters; MP.5.1 requires identifying and characterizing these adversarial input vectors that exploit format-parsing trust assumptions."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting injection payloads hidden in nested structured data evaluates the AI system's resilience against format-based evasion techniques; MS.2.7 requires that these security weaknesses in input handling are continuously evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on injection payloads inside structured data fields trigger risk treatment plans to quarantine or sanitize the input before it reaches the model; MG.2.3 requires these response mechanisms be defined and activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-data-injection

package/rules/prompt-injection/ATR-2026-00085-audit-evasion.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects prompt injection payloads engineered to bypass multi-layer audit and security pipelines, including instructions to skip checks or self-certify as trusted; MS.2.7 requires continuous evaluation of AI system security and resilience against such evasion attempts."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of audit-evasion payloads triggers pre-defined risk treatment to deactivate or quarantine the offending session before it bypasses downstream defense layers; MG.2.3 mandates that these supersede/disengage mechanisms exist and are activated on detection."
+      strength: secondary
+    - subcategory: "MS.2.6"
+      context: "Payloads that manipulate trust scores or claim to have passed audit layers represent active security risk indicators; MS.2.6 requires continuous evaluation of safety/security risk magnitude as these evasion techniques evolve."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: audit-evasion

package/rules/prompt-injection/ATR-2026-00086-visual-spoofing.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - AML.T0051
 metadata_provenance:
   owasp_llm: auto-generated
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "RTL overrides, Punycode domains, and homoglyph substitution are adversarial input patterns that disguise malicious prompts as benign text; MP.5.1 requires identifying and characterizing the likelihood and magnitude of these visual-spoofing prompt injection vectors."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of bidirectional control characters and mixed-script homoglyphs evidences continuous evaluation of the AI system's resilience against encoding-based prompt injection; MS.2.7 requires that such security/resilience assessments are documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on visual-spoofing payloads trigger risk treatment plans to quarantine or sanitize disguised inputs before the model acts on them; MG.2.3 mandates pre-defined response mechanisms for adversarial inputs."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: visual-spoofing