agent-threat-rules 3.4.0 → 3.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -0
- package/dist/cli.js +23 -0
- package/dist/cli.js.map +1 -1
- package/dist/engine.d.ts +37 -2
- package/dist/engine.d.ts.map +1 -1
- package/dist/engine.js +99 -44
- package/dist/engine.js.map +1 -1
- package/dist/loader.d.ts.map +1 -1
- package/dist/loader.js +6 -0
- package/dist/loader.js.map +1 -1
- package/dist/quality/rule-contract.d.ts +65 -0
- package/dist/quality/rule-contract.d.ts.map +1 -0
- package/dist/quality/rule-contract.js +97 -0
- package/dist/quality/rule-contract.js.map +1 -0
- package/dist/trace-evaluator.d.ts.map +1 -1
- package/dist/trace-evaluator.js +58 -20
- package/dist/trace-evaluator.js.map +1 -1
- package/dist/types.d.ts +2 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml +2 -1
- package/rules/agent-manipulation/ATR-2026-00032-goal-hijacking.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00074-cross-agent-privilege-escalation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00076-inter-agent-message-spoofing.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00077-human-trust-exploitation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00117-agent-identity-spoofing.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00416-litellm-mcp-unauthenticated-server-registration.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00417-librechat-mcp-stdio-injection.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00418-weknora-mcp-config-rce.yaml +2 -2
- package/rules/agent-manipulation/ATR-2026-00430-nl-trust-escalation-impersonation.yaml +1 -1
- package/rules/agent-manipulation/ATR-2026-00552-goal-drift-after-pressure-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00075-agent-memory-manipulation.yaml +1 -0
- package/rules/context-exfiltration/ATR-2026-00162-skill-credential-exfil-combo.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00201-credential-pipe-exfiltration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00212-mcp-atlassian-credential-leak.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00405-markdown-image-url-exfiltration-xss.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00411-apikey-generation-completion-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00422-nl-credential-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00423-nl-sensitive-file-disclosure.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00426-nl-output-injection-credential-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00449-spring-ai-chatmemory-cross-user-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00471-garak-sysprompt-extraction-mixedunassigned.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00501-data-exfiltration-via-markdown-image-and-link-url-injection.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00504-tool-and-function-capability-enumeration.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00505-system-prompt-extraction-instruction-dump-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00514-system-prompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00516-output-xss-via-llm.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00524-claude-code-anthropic-base-url-credential-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00706-ipi-physical-biometric-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00850-indirect-pi-credential-exfil-email.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00851-indirect-pi-financial-payment-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00852-indirect-pi-medical-record-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00853-indirect-pi-genetic-data-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00854-indirect-pi-location-data-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00855-indirect-pi-browsing-history-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00856-indirect-pi-address-pii-exfil.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-00857-indirect-pi-cloud-file-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00858-indirect-pi-exfil-and-destroy.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00859-rag-injected-pii-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00860-indirect-pi-financial-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00861-indirect-pi-crypto-transfer-hijack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-00862-indirect-pi-mfa-code-exfil.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01453-markdown-image-base64-exfil-carrier.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01454-direct-markdown-exfil-payload.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01456-debug-cli-mode-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01457-sysprompt-completion-clone-attack.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01458-compare-bots-sysprompt-fishing.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01459-variable-clone-sysprompt-technique.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01460-json-format-sysprompt-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01461-foreign-language-sysprompt-request.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01753-ransom-email-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01754-ransom-file-cloud-exfil-delete-extortion.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01770-semantic-pii-credential-extraction.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01772-semantic-internal-state-recon.yaml +2 -2
- package/rules/context-exfiltration/ATR-2026-01807-asb-bulk-data-exfil-external.yaml +1 -1
- package/rules/context-exfiltration/ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml +188 -0
- package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml +1 -1
- package/rules/data-poisoning/ATR-2026-01774-semantic-rag-memory-poisoning.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml +3 -3
- package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml +2 -2
- package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00711-ipi-system-sabotage-destructive-command.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00712-ipi-malicious-package-install.yaml +1 -1
- package/rules/excessive-autonomy/ATR-2026-00713-ipi-rce-network-shell-command.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml +3 -2
- package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml +1 -1
- package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml +1 -1
- package/rules/model-abuse/ATR-2026-01750-dos-repeat-word-n-times-output-amplification.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01760-dos-forced-infinite-output-token-flood.yaml +2 -2
- package/rules/model-abuse/ATR-2026-01841-deepfake-disinformation.yaml +1 -1
- package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml +2 -2
- package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml +1 -1
- package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml +2 -2
- package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml +1 -1
- package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml +2 -3
- package/rules/privilege-escalation/ATR-2026-01615-sandbox-escape-command-injection.yaml +1 -0
- package/rules/privilege-escalation/ATR-2026-01899-remote-access-backdoor.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml +11 -2
- package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml +10 -10
- package/rules/prompt-injection/ATR-2026-00297-python-code-execution-rce.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00397-snowball-impossible-reasoning-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00401-leakreplay-cloze-mask-training-data-elicitation.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00420-copilot-studio-sharepoint-indirect-injection.yaml +3 -3
- package/rules/prompt-injection/ATR-2026-00442-quoted-exact-output-forcing.yaml +1 -0
- package/rules/prompt-injection/ATR-2026-00445-translation-hijack-with-side-output.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00447-fictional-generation-containing-target.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00453-secret-key-reveal-demand.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00454-backslash-per-character-encoding.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00456-conditional-empty-input-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00465-garak-dan-your-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00472-garak-dan-are-going-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00485-garak-dan-and-does-not.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00492-garak-dan-want-you-to.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00495-garak-dan-insert-prompt-here.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00510-delayed-tool-invocation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00550-untrusted-retrieval-to-privileged-tool.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00579-mcp-tool-description-line-jumping-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-00584-indirect-injection-via-tool-response.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01018-evasion-shell-injection-eval.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01021-spikee-doc-embedded-translation-injection.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01304-indirect-injection-carrier-important-override.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01800-asb-trigger-marker-tool-coercion.yaml +1 -1
- package/rules/prompt-injection/ATR-2026-01901-output-scrambling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00061-description-behavior-mismatch.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00062-hidden-capability.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00063-skill-chain-attack.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00065-skill-update-attack.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +2 -1
- package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00149-skill-exfil-compound.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00151-fork-impersonation-install.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00200-agent-memory-config-tampering.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00214-credential-theft.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00260-package-hallucination.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00262-av-evasion-code-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00263-credential-file-read-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00266-malware-dropper-gen.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00398-huggingface-unsafe-model-artifact-load.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00425-nl-persistent-covert-hook.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00427-nl-fake-error-instruction-bypass.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00429-nl-skill-self-modification.yaml +2 -2
- package/rules/skill-compromise/ATR-2026-00523-claude-code-hooks-session-start-pre-trust-rce.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00525-mini-shai-hulud-gh-token-monitor-persistence.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-00527-skill-silent-git-remote-mirror-exfiltration.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01755-backdoor-pot-linguistic-trigger-phrase.yaml +1 -1
- package/rules/skill-compromise/ATR-2026-01756-backdoor-pot-symbol-emoticon-trigger.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00011-tool-output-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00012-unauthorized-tool-call.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00100-consent-bypass-instruction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00101-trust-escalation-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00103-hidden-safety-bypass-instruction.yaml +2 -1
- package/rules/tool-poisoning/ATR-2026-00105-silent-action-concealment.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00106-schema-description-contradiction.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00161-important-tag-cross-tool-shadowing.yaml +3 -2
- package/rules/tool-poisoning/ATR-2026-00209-mcpwn-runaway-invocation.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00210-flowise-system-message-override.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00415-flowise-custom-mcp-stdio-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00419-cursor-mcp-zero-click-config.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00434-mcp-remote-authorization-endpoint-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00435-azure-mcp-server-missing-authentication.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00494-garak-exploitation-mixedunassigned.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00513-package-hallucination-exploitation.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00521-shell-command-injection-agent-tool-context.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00522-sql-injection-natural-language-agent-interface.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00526-claude-code-shell-metachar-in-double-quoted-path.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00530-ms-agent-shell-tool-unsanitized-argv-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00531-praisonai-unauthenticated-agent-api.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00536-nginx-ui-mcp-unauthenticated-command-execution.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00537-fastmcp-server-name-cmd-injection-windows.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00538-langchain-chatchat-mcp-stdio-unauthenticated-rce.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00540-praisonai-parse-mcp-command-cli-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00543-litellm-mcp-server-argv-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00572-symjack-symlink-config-redirection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00575-miasma-npm-worm-agent-config-backdoor.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00576-hades-agent-credential-theft.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-00577-create-mcp-server-stdio-exec-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-00581-mcp-tool-rug-pull-post-approval-redefinition.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01300-mcp-notes-param-chat-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01301-tool-description-exclusive-tool-override.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01302-fake-tool-result-instruction-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01303-tool-schema-enumeration-social-engineering.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01306-mcp-oauth-command-injection.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01307-mcp-dns-rebinding-attack.yaml +1 -1
- package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01775-semantic-mcp-tool-manifest-poisoning.yaml +4 -3
- package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml +2 -2
- package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml +2 -2
- package/spec/mappings/atr-to-nist-csf-2.0.md +11 -11
|
@@ -29,7 +29,7 @@ references:
|
|
|
29
29
|
- "ASI09:2026 - Insufficient Sandboxing"
|
|
30
30
|
- "ASI04:2026 - Privilege Escalation via Agent"
|
|
31
31
|
mitre_atlas:
|
|
32
|
-
- "AML.T0051.001 - Indirect
|
|
32
|
+
- "AML.T0051.001 - Indirect"
|
|
33
33
|
cve:
|
|
34
34
|
- "DNS rebinding attack class — SSRF via DNS temporal binding"
|
|
35
35
|
|
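Review bot: the `+` line only closes the unterminated double-quoted scalar; the name stays truncated. `- "AML.T0051.001 - Indirect"` is a bare sub-technique suffix, while the same change elsewhere in this release fills names in completely (`- "AML.T0053 - AI Agent Tool Invocation"`), so write the full `ID - Name` form here as well and keep the `mitre_atlas` list uniform. The `-` line also tells you what 3.4.0 shipped: a double-quoted YAML scalar with no closing quote continues across the following lines until the next `"`, so this rule either failed to parse or folded its `cve:` block into the ATLAS entry. The new `quality/rule-contract` module added in this release is the place to reject any `mitre_atlas` entry whose name part is empty or a single word, so a truncated generator output cannot ship again. Separately, the unchanged context line under `cve:` is a prose sentence (`"DNS rebinding attack class ...`), not a CVE identifier; anything that indexes rules by CVE will choke on it, so move that text to the description or references and leave `cve:` empty.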
package/rules/tool-poisoning/ATR-2026-01310-mcp-tool-description-compliance-history-exfil.yaml
CHANGED
|
@@ -29,8 +29,8 @@ references:
|
|
|
29
29
|
- "ASI03:2026 - Tool Misuse"
|
|
30
30
|
- "ASI08:2026 - Data Leakage via Agent Actions"
|
|
31
31
|
mitre_atlas:
|
|
32
|
-
- "AML.T0051.001 - Indirect
|
|
33
|
-
- "AML.T0053 -
|
|
32
|
+
- "AML.T0051.001 - Indirect"
|
|
33
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
34
34
|
|
|
35
35
|
compliance:
|
|
36
36
|
nist_ai_rmf:
|
|
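Review bot: `AML.T0053 - ` gets its full name (`AI Agent Tool Invocation`), but `AML.T0051.001 - Indirect` is only given a closing quote; finish it the same way so both entries carry complete technique names. The ASI context lines also disagree with the other rules in this change: here ASI03 is labelled `Tool Misuse`, while 01927 and 01928 label ASI02 `Tool Misuse and Exploitation`. Two different IDs cannot both be the tool-misuse entry, so reconcile every rule's ASI names against one published list before this release feeds the compliance mapping.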
@@ -41,9 +41,10 @@ references:
|
|
|
41
41
|
- "ASI03:2026 - Tool Misuse"
|
|
42
42
|
- "ASI02:2026 - Unauthorized Actions"
|
|
43
43
|
mitre_atlas:
|
|
44
|
-
- "AML.T0053 -
|
|
45
|
-
- "AML.T0019 - Publish Poisoned
|
|
46
|
-
- "AML.T0051.001 - Indirect
|
|
44
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
45
|
+
- "AML.T0019 - Publish Poisoned Datasets"
|
|
46
|
+
- "AML.T0051.001 - Indirect"
|
|
47
|
+
- "AML.T0110 - AI Agent Tool Poisoning"
|
|
47
48
|
|
|
48
49
|
compliance:
|
|
49
50
|
nist_ai_rmf:
|
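Review bot: the added `AML.T0110 - AI Agent Tool Poisoning` is the mapping that actually fits a tool-manifest poisoning rule; with it in place, the retained `AML.T0019 - Publish Poisoned Datasets` reads as a stretch, since a tool manifest or description is not a training dataset, so consider dropping T0019 rather than carrying both. `AML.T0051.001 - Indirect` is again left truncated. Note too that this hunk's ASI02 is `Unauthorized Actions` while 01927 and 01928 call ASI02 `Tool Misuse and Exploitation`: same ID, two names. Finally, the hunk removes 3 lines and adds 4, which does not match the `+2 -2` listed for ATR-2026-01310; the only tool-poisoning file listed with `+4 -3` is ATR-2026-01775, so the file header for this hunk appears to have been lost in rendering.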
package/rules/tool-poisoning/ATR-2026-01927-mcp-server-kubernetes-kubectl-command-injection.yaml
CHANGED
|
@@ -24,8 +24,8 @@ references:
|
|
|
24
24
|
- "ASI02:2026 - Tool Misuse and Exploitation"
|
|
25
25
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
26
26
|
mitre_atlas:
|
|
27
|
-
- "AML.T0053 -
|
|
28
|
-
- "AML.T0051.001 - Indirect
|
|
27
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
28
|
+
- "AML.T0051.001 - Indirect"
|
|
29
29
|
cve:
|
|
30
30
|
- CVE-2025-53355
|
|
31
31
|
cwe:
|
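Review bot: same pattern as above: T0053 is completed, `AML.T0051.001 - Indirect` is left as a bare suffix. For a CVE-backed rule (the context shows CVE-2025-53355, and the filename says kubectl command injection) ask whether T0051.001 belongs here at all: the weakness is the tool argument reaching `kubectl` unsanitized, which any path that controls the argument can exploit, with indirect prompt injection being one delivery vector among several. If the mapping stays, the rule text should say it covers the delivery vector, not the vulnerability class, so downstream mappings do not count this as a prompt-injection finding.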
package/rules/tool-poisoning/ATR-2026-01928-framelink-figma-mcp-curl-fallback-command-injection.yaml
CHANGED
|
@@ -25,8 +25,8 @@ references:
|
|
|
25
25
|
- "ASI02:2026 - Tool Misuse and Exploitation"
|
|
26
26
|
- "ASI05:2026 - Unexpected Code Execution"
|
|
27
27
|
mitre_atlas:
|
|
28
|
-
- "AML.T0053 -
|
|
29
|
-
- "AML.T0051.001 - Indirect
|
|
28
|
+
- "AML.T0053 - AI Agent Tool Invocation"
|
|
29
|
+
- "AML.T0051.001 - Indirect"
|
|
30
30
|
cve:
|
|
31
31
|
- CVE-2025-53967
|
|
32
32
|
cwe:
|
|
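Review bot: as with 01927, `AML.T0051.001 - Indirect` keeps the truncated name while T0053 is spelled out; fix both in one pass. Every rule touched by this change had the identical defect (`ID - ` followed by nothing or by a cut-off name, with no closing quote), which points at a generator or template upstream of the YAML rather than hand edits. A lint in the new `quality/rule-contract` module that fails on any `mitre_atlas` entry whose name part is empty, or whose name does not match the canonical ATLAS name for that ID, would catch the root cause rather than just the unbalanced quotes.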
@@ -1,10 +1,10 @@
|
|
|
1
1
|
# ATR → NIST Cybersecurity Framework 2.0 Mapping
|
|
2
2
|
|
|
3
|
-
Version: 1.
|
|
3
|
+
Version: 1.1.0
|
|
4
4
|
Status: Draft for NIST IR 8596 Informative Reference submission
|
|
5
|
-
Date: 2026-
|
|
5
|
+
Date: 2026-06-14
|
|
6
6
|
Editor: Adam Lin (林冠辛) <adam@agentthreatrule.org>
|
|
7
|
-
Mapped corpus: Agent Threat Rules v3.0
|
|
7
|
+
Mapped corpus: Agent Threat Rules v3.4.0 (651 rules / 10 categories; per data/stats.json 2026-06-14)
|
|
8
8
|
Reference framework: NIST CSF 2.0 (NIST CSWP 29, February 2024)
|
|
9
9
|
|
|
10
10
|
---
|
|
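Review bot: `Mapped corpus: Agent Threat Rules v3.4.0 (651 rules / 10 categories; ...)` is already stale in the release it ships in. `package/package.json` moves to 3.5.0 in this same diff and the file list adds `ATR-2026-01929-mcp-unauthenticated-transport-token-fallback.yaml` (+188 lines), so the corpus is at least 652 rules and the v3.4.0 label points at the previous version. Either regenerate this header (and the per-section counts below) from `data/stats.json` as part of the release step, or label the figures as a dated snapshot; a document headed "Draft for NIST IR 8596 Informative Reference submission" should not carry a corpus version that disagrees with the package it is bundled with.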
@@ -55,7 +55,7 @@ Each ATR detection method contributes primarily to one or two CSF Functions:
|
|
|
55
55
|
For each of the 10 ATR attack-class categories (SPEC.md §8), the table lists
|
|
56
56
|
the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
57
57
|
|
|
58
|
-
### 4.1 prompt-injection (
|
|
58
|
+
### 4.1 prompt-injection (223 rules)
|
|
59
59
|
|
|
60
60
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
61
61
|
|---------------------|---------|--------------|------------------|
|
|
@@ -63,7 +63,7 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
63
63
|
| DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | Each Rule's `detection.condition` produces a structured Match output (SPEC.md §7) with rule_id, severity, matched_selectors | All prompt-injection rules |
|
|
64
64
|
| PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | `response.actions: [block_input]` enforces preventive control when Pattern matches | ATR-2026-00001, -00440, -00441 |
|
|
65
65
|
|
|
66
|
-
### 4.2 tool-poisoning (
|
|
66
|
+
### 4.2 tool-poisoning (65 rules)
|
|
67
67
|
|
|
68
68
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
69
69
|
|---------------------|---------|--------------|------------------|
|
|
@@ -71,7 +71,7 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
71
71
|
| ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerabilities disclosed are established | CVE-mapped rules (CVE-2026-26030, CVE-2026-2275, CVE-2026-30617, ...) provide runtime detection for known tool-poisoning CVEs | ATR-2026-00529 (litellm SQL), -00538 (langchain-chatchat), -00543 (litellm MCP argv) |
|
|
72
72
|
| PR.IR-01 | Networks/environments protected from unauthorized access | `block_tool` action prevents tool execution when poisoned MCP message detected | All tool-poisoning rules with `block_tool` |
|
|
73
73
|
|
|
74
|
-
### 4.3 context-exfiltration (
|
|
74
|
+
### 4.3 context-exfiltration (103 rules)
|
|
75
75
|
|
|
76
76
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
77
77
|
|---------------------|---------|--------------|------------------|
|
|
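Review bot: the ID.RA-08 row's example IDs need checking against the corpus before submission. The litellm SQL-injection rule visible in this release's file list is `privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml`, not 00529, and it lives under privilege-escalation rather than tool-poisoning, so `ATR-2026-00529 (litellm SQL)` may point at the wrong rule or the wrong category. The row also names CVE-2026-26030, CVE-2026-2275 and CVE-2026-30617 as its tool-poisoning CVEs while the tool-poisoning rules edited in this very release carry CVE-2025-53355 and CVE-2025-53967; citing rules and CVEs that appear in the shipped corpus keeps the table verifiable. The new `(103 rules)` count for context-exfiltration is also one short once ATR-2026-01929 lands in that directory.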
@@ -87,7 +87,7 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
87
87
|
| DE.AE-03 | Information is correlated from multiple sources | Trace rule 00552 correlates RETRIEVER / TOOL_RESPONSE pressure spans with AGENT goal-change spans | ATR-2026-00552 (goal drift, composite trace) |
|
|
88
88
|
| GV.RM-01 | Cybersecurity risk management strategy is established | Authorization for autonomous goal changes requires policy; trace rules surface deviations | ATR-2026-00552 |
|
|
89
89
|
|
|
90
|
-
### 4.5 privilege-escalation (
|
|
90
|
+
### 4.5 privilege-escalation (35 rules)
|
|
91
91
|
|
|
92
92
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
93
93
|
|---------------------|---------|--------------|------------------|
|
|
@@ -95,14 +95,14 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
95
95
|
| PR.IR-01 | Unauthorized access protection | Cross-conversation memory write rule blocks tenant-boundary escapes | ATR-2026-00551 (forbid + cross-attribute, trace) |
|
|
96
96
|
| GV.PO-01 | Policy for managing cybersecurity risks is established | Rules surface destructive autonomy that policy did not authorize | ATR-2026-00549, -00551 |
|
|
97
97
|
|
|
98
|
-
### 4.6 excessive-autonomy (
|
|
98
|
+
### 4.6 excessive-autonomy (29 rules)
|
|
99
99
|
|
|
100
100
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
101
101
|
|---------------------|---------|--------------|------------------|
|
|
102
102
|
| GV.PO-01 | Policy for cybersecurity risks established | Rules detect runaway loops, resource exhaustion patterns | ATR-2026-00050, -00051 |
|
|
103
103
|
| DE.AE-02 | Adverse events analyzed | Behavioral-method rules (placeholder in v1.1) will use metric thresholds over windows | (behavioral plane, §7 placeholder) |
|
|
104
104
|
|
|
105
|
-
### 4.7 skill-compromise (
|
|
105
|
+
### 4.7 skill-compromise (45 rules)
|
|
106
106
|
|
|
107
107
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
108
108
|
|---------------------|---------|--------------|------------------|
|
|
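Review bot: the DE.AE-02 row in 4.6 still says behavioral-method rules are a `placeholder in v1.1`, but the header of this same change bumps the document to `Version: 1.1.0`. Either the behavioral plane landed and the row should cite real rule IDs, or the row should name the version it is now deferred to; as written it promises content in the version the reader is holding. The GV.PO-01 row is fine: ATR-2026-00050 and -00051 are both edited in this release's file list, so those examples are live. DE.AE-02 is the only row in 4.6 with nothing behind it.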
@@ -110,7 +110,7 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
110
110
|
| ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycle | Signature rules supply skill provenance binding | All signature-method rules in skill-compromise |
|
|
111
111
|
| DE.CM-09 | Computing software monitored | Static skill scan (`scan_target: skill`) on every SKILL.md ingest | ATR-2026-00451, -00452 |
|
|
112
112
|
|
|
113
|
-
### 4.8 model-abuse (
|
|
113
|
+
### 4.8 model-abuse (37 rules)
|
|
114
114
|
|
|
115
115
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
116
116
|
|---------------------|---------|--------------|------------------|
|
|
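Review bot: the DE.CM-09 row cites `ATR-2026-00451, -00452` as skill-compromise static-scan rules, but this release's file list shows 00451 as `privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml` and 00452 as `prompt-injection/ATR-2026-00452-direct-pwned-payload-injection.yaml`; neither is in skill-compromise, and neither looks like a `scan_target: skill` rule. Replace them with IDs from the skill-compromise directory that actually do SKILL.md ingest checks; the file list shows candidates such as 00120 skill-instruction-injection, 00121 skill-dangerous-script, 00128 html-comment-hidden-payload and 00129 unicode-smuggling, assuming those carry `scan_target: skill`. Stale example IDs are the first thing an Informative Reference reviewer will spot-check.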
@@ -124,7 +124,7 @@ the CSF 2.0 subcategories the rule corpus supplies evidence for.
|
|
|
124
124
|
| PR.PS-04 | Log records are generated and made available for continuous monitoring | Model-security rules emit Match output for downstream SIEM consumption | ATR-2026-00433 (modelcache deserialization RCE) |
|
|
125
125
|
| ID.RA-08 | Vulnerability disclosure processes | CVE-mapped model-security rules | ATR-2026-00433 |
|
|
126
126
|
|
|
127
|
-
### 4.10 data-poisoning (
|
|
127
|
+
### 4.10 data-poisoning (5 rules)
|
|
128
128
|
|
|
129
129
|
| CSF 2.0 Subcategory | Outcome | ATR Evidence | Rules (examples) |
|
|
130
130
|
|---------------------|---------|--------------|------------------|
|