Unauthorized Tool Call Detection - ATR-2026-00012 (cf43f1f6-6e13-5c9d-9bc0-d4fb23eb6411)

Detects unauthorized or malicious tool call attempts including parameter injection, path traversal, shell injection in string parameters, privilege escalation via parameter manipulation, tool enumeration/discovery, SQL injection in tool arguments, LDAP injection, template injection, environment variable extraction, file operation abuse, and serialization attacks. This rule focuses on parameter-level attacks rather than tool name matching, since tool names are easily changed but injection patterns in arguments are structurally consistent across attack variants.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| LLM Plugin Compromise (adbb0dd5-ff66-4b2f-869f-bfb3fdb45fc8) | MITRE ATLAS Attack Pattern | Unauthorized Tool Call Detection - ATR-2026-00012 (cf43f1f6-6e13-5c9d-9bc0-d4fb23eb6411) | Agent Threat Rules | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | Unauthorized Tool Call Detection - ATR-2026-00012 (cf43f1f6-6e13-5c9d-9bc0-d4fb23eb6411) | Agent Threat Rules | 1 |
| Unauthorized Tool Call Detection - ATR-2026-00012 (cf43f1f6-6e13-5c9d-9bc0-d4fb23eb6411) | Agent Threat Rules | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |