Skip to content

MITRE ATLAS Attack Pattern

MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems

Authors
Authors and/or Contributors
MITRE

Search for Victim's Publicly Available Research Materials

Adversaries may search publicly available research to learn how and where machine learning is used within a victim organization. The adversary can use this information to identify targets for attack, or to tailor an existing attack to make it more effective. Organizations often use open source model architectures trained on additional proprietary data in production. Knowledge of this underlying architecture allows the adversary to craft more realistic proxy models (Create Proxy ML Model). An adversary can search these resources for publications for authors employed at the victim organization.

Research materials may exist as academic papers published in Journals and Conference Proceedings, or stored in Pre-Print Repositories, as well as Technical Blogs.

Internal MISP references

UUID 229ead06-da1e-443c-8ff1-e57a3ae0eb61 which can be used as unique global reference for Search for Victim's Publicly Available Research Materials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0000
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']

Journals and Conference Proceedings

Many of the publications accepted at premier machine learning conferences and journals come from commercial labs. Some journals and conferences are open access, others may require paying for access or a membership. These publications will often describe in detail all aspects of a particular approach for reproducibility. This information can be used by adversaries to implement the paper.

Internal MISP references

UUID 40792e08-d972-4af8-8eee-d6d6dc96d106 which can be used as unique global reference for Journals and Conference Proceedings in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0000.000
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Pre-Print Repositories

Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed. They may contain research notes, or technical reports that aren't typically published in journals or conference proceedings. Pre-print repositories also serve as a central location to share papers that have been accepted to journals. Searching pre-print repositories provide adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.

Internal MISP references

UUID cb1bd497-e068-4b72-85af-626ab2f80e1d which can be used as unique global reference for Pre-Print Repositories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0000.001
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Technical Blogs

Research labs at academic institutions and Company R&D divisions often have blogs that highlight their use of machine learning and its application to the organizations unique problems. Individual researchers also frequently document their work in blogposts. An adversary may search for posts made by the target victim organization or its employees. In comparison to Journals and Conference Proceedings and Pre-Print Repositories this material will often contain more practical aspects of the machine learning system. This could include underlying technologies and frameworks used, and possibly some information about the API access and use case. This will help the adversary better understand how that organization is using machine learning internally and the details of their approach that could aid in tailoring an attack.

Internal MISP references

UUID 0aac198b-3d5e-40ff-9460-290035d67717 which can be used as unique global reference for Technical Blogs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0000.002
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Search for Publicly Available Adversarial Vulnerability Analysis

Much like the Search for Victim's Publicly Available Research Materials, there is often ample research available on the vulnerabilities of common models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models. This will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. The adversary may Adversarial ML Attack Implementations or Adversarial ML Attacks their own if necessary.

Internal MISP references

UUID 4f8b3c84-acb4-42aa-b059-103ab52498ad which can be used as unique global reference for Search for Publicly Available Adversarial Vulnerability Analysis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0001
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']

Acquire Public ML Artifacts

Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify machine learning artifacts. These machine learning artifacts may include the software stack used to train and deploy models, training and testing data, model configurations and parameters. An adversary will be particularly interested in artifacts hosted by or associated with the victim organization as they may represent what that organization uses in a production environment. Adversaries may identify artifact repositories via other resources associated with the victim organization (e.g. Search Victim-Owned Websites or Search for Victim's Publicly Available Research Materials). These ML artifacts often provide adversaries with details of the ML task and approach.

ML artifacts can aid in an adversary's ability to Create Proxy ML Model. If these artifacts include pieces of the actual model in production, they can be used to directly Craft Adversarial Data. Acquiring some artifacts requires registration (providing user details such email/name), AWS keys, or written requests, and may require the adversary to Establish Accounts.

Artifacts might be hosted on victim-controlled infrastructure, providing the victim with some information on who has accessed that data.

Internal MISP references

UUID b41c38e9-80ca-421e-85c3-064440e12834 which can be used as unique global reference for Acquire Public ML Artifacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0002
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

Datasets

Adversaries may collect public datasets to use in their operations. Datasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries. Datasets can be stored in cloud storage, or on victim-owned websites. Some datasets require the adversary to Establish Accounts for access.

Acquired datasets help the adversary advance their operations, stage attacks, and tailor attacks to the victim organization.

Internal MISP references

UUID 6a7f4fc2-272b-4f86-b137-70fa3e239f58 which can be used as unique global reference for Datasets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0002.000
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Models

Adversaries may acquire public models to use in their operations. Adversaries may seek models used by the victim organization or models that are representative of those used by the victim organization. Representative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset. The adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite).

Acquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.

Internal MISP references

UUID 292ebe33-addc-4fe7-b2a9-4856293c4c96 which can be used as unique global reference for Models in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0002.001
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Search Victim-Owned Websites

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details about their ML-enabled products or services. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships.

Adversaries may search victim-owned websites to gather actionable information. This information may help adversaries tailor their attacks (e.g. Adversarial ML Attacks or Manual Modification). Information from these sources may reveal opportunities for other forms of reconnaissance (e.g. Search for Victim's Publicly Available Research Materials or Search for Publicly Available Adversarial Vulnerability Analysis)

Internal MISP references

UUID d93b2175-90a8-4250-821f-dcc3bbbe194c which can be used as unique global reference for Search Victim-Owned Websites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0003
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']

Search Application Repositories

Adversaries may search open application repositories during targeting. Examples of these include Google Play, the iOS App store, the macOS App Store, and the Microsoft Store.

Adversaries may craft search queries seeking applications that contain a ML-enabled components. Frequently, the next step is to Acquire Public ML Artifacts.

Internal MISP references

UUID f662d072-38ee-4399-bdbb-b2f5ccfed446 which can be used as unique global reference for Search Application Repositories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0004
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']

Create Proxy ML Model

Adversaries may obtain models to serve as proxies for the target model in use at the victim organization. Proxy models are used to simulate complete access to the target model in a fully offline manner.

Adversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.

Internal MISP references

UUID 12887d43-f8b6-4191-adab-d1728687f951 which can be used as unique global reference for Create Proxy ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0005
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']

Train Proxy via Gathered ML Artifacts

Proxy models may be trained from ML artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary. This can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.

Internal MISP references

UUID a40d6631-9042-4ba2-8a5b-5bd162ffb4bc which can be used as unique global reference for Train Proxy via Gathered ML Artifacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0005.000
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Train Proxy via Replication

Adversaries may replicate a private model. By repeatedly querying the victim's ML Model Inference API Access, the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.

A replicated model that closely mimic's the target model is a valuable resource in staging the attack. The adversary can use the replicated model to Craft Adversarial Data for various purposes (e.g. Evade ML Model, Spamming ML System with Chaff Data).

Internal MISP references

UUID 042e340a-ea50-46f7-a2bc-70bbad949313 which can be used as unique global reference for Train Proxy via Replication in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0005.001
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Use Pre-Trained Model

Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack.

Internal MISP references

UUID 7e8bff1e-af7d-4ace-829c-2b561b47e49d which can be used as unique global reference for Use Pre-Trained Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0005.002
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Active Scanning

An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system.

Internal MISP references

UUID c5573b25-a257-43f9-912a-26e3cccb0c33 which can be used as unique global reference for Active Scanning in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0006
kill_chain ['mitre-atlas:reconnaissance']
mitre_platforms ['ATLAS']

Discover ML Artifacts

Adversaries may search private sources to identify machine learning artifacts that exist on the system and gather information about them. These artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos.

This information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.

Internal MISP references

UUID 529fac49-5f88-4a3c-829f-eb50cb90bcf1 which can be used as unique global reference for Discover ML Artifacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0007
kill_chain ['mitre-atlas:discovery']
mitre_platforms ['ATLAS']

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure for use throughout their operation. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, mobile devices, and third-party web services. Free resources may also be used, but they are typically limited.

Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

Internal MISP references

UUID 98c59f3e-2e5e-41e1-b450-e34ab1627268 which can be used as unique global reference for Acquire Infrastructure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0008
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

ML Development Workspaces

Developing and staging machine learning attacks often requires expensive compute resources. Adversaries may need access to one or many GPUs in order to develop an attack. They may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations. Multiple workspaces may be used to avoid detection.

Internal MISP references

UUID 99441fbc-17c8-47dc-8bdc-1053952b4cbb which can be used as unique global reference for ML Development Workspaces in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0008.000
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Consumer Hardware

Adversaries may acquire consumer hardware to conduct their attacks. Owning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.

Internal MISP references

UUID 4c9375f7-5d39-4da5-beaa-edc8c143362f which can be used as unique global reference for Consumer Hardware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0008.001
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

ML Supply Chain Compromise

Adversaries may gain initial access to a system by compromising the unique portions of the ML supply chain. This could include GPU Hardware, Data and its annotations, parts of the ML ML Software stack, or the Model itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.

Internal MISP references

UUID b6697dbf-3e3f-41ce-a212-361d1c0ca0e9 which can be used as unique global reference for ML Supply Chain Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0010
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']

GPU Hardware

Most machine learning systems require access to certain specialized hardware, typically GPUs. Adversaries can target machine learning systems by specifically targeting the GPU supply chain.

Internal MISP references

UUID c2f30865-5e3b-4fee-a415-94909ed31156 which can be used as unique global reference for GPU Hardware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0010.000
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

ML Software

Most machine learning systems rely on a limited set of machine learning frameworks. An adversary could get access to a large number of machine learning systems through a comprise of one of their supply chains. Many machine learning projects also rely on other open source implementations of various algorithms. These can also be compromised in a targeted way to get access to specific systems.

Internal MISP references

UUID 4627c4e6-fb06-4bfa-add5-dc46e0043aff which can be used as unique global reference for ML Software in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0010.001
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Data

Data is a key vector of supply chain compromise for adversaries. Every machine learning project will require some form of data. Many rely on large open source datasets that are publicly available. An adversary could rely on compromising these sources of data. The malicious data could be a result of Poison Training Data or include traditional malware.

An adversary can also target private datasets in the labeling phase. The creation of private datasets will often require the hiring of outside labeling services. An adversary can poison a dataset by modifying the labels being generated by the labeling service.

Internal MISP references

UUID 666f4d33-1a62-4ad7-9bf9-6387cd3f1fd7 which can be used as unique global reference for Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0010.002
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Model

Machine learning systems often rely on open sourced models in various ways. Most commonly, the victim organization may be using these models for fine tuning. These models will be downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset. Loading models often requires executing some saved code in the form of a saved model file. These can be compromised with traditional malware, or through some adversarial machine learning techniques.

Internal MISP references

UUID 2792e1f0-3132-4876-878d-a900b8a40e7d which can be used as unique global reference for Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0010.003
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via ML Supply Chain Compromise. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.

Internal MISP references

UUID 5e8e4108-beb6-479a-a617-323d425e5d03 which can be used as unique global reference for User Execution in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0011
kill_chain ['mitre-atlas:execution']
mitre_platforms ['ATLAS']

Unsafe ML Artifacts

Adversaries may develop unsafe ML artifacts that when executed have a deleterious effect. The adversary can use this technique to establish persistent access to systems. These models may be introduced via a ML Supply Chain Compromise.

Serialization of models is a popular technique for model storage, transfer, and loading. However, this format without proper checking presents an opportunity for code execution.

Internal MISP references

UUID d52b913b-808c-461d-8969-94cd5c9fe07b which can be used as unique global reference for Unsafe ML Artifacts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0011.000
kill_chain ['mitre-atlas:execution']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Valid Accounts

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various ML resources and services.

Compromised credentials may provide access to additional ML artifacts and allow the adversary to perform Discover ML Artifacts. Compromised credentials may also grant and adversary increased privileges such as write access to ML artifacts used during development or production.

Internal MISP references

UUID dc5ed9cb-7484-4f6c-9434-f420f17b13a8 which can be used as unique global reference for Valid Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0012
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']

Discover ML Model Ontology

Adversaries may discover the ontology of a machine learning model's output space, for example, the types of objects a model can detect. The adversary may discovery the ontology by repeated queries to the model, forcing it to enumerate its output space. Or the ontology may be discovered in a configuration file or in documentation about the model.

The model ontology helps the adversary understand how the model is being used by the victim. It is useful to the adversary in creating targeted attacks.

Internal MISP references

UUID 65c5e3b8-9296-46a2-ae7d-1b68a79cbe54 which can be used as unique global reference for Discover ML Model Ontology in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0013
kill_chain ['mitre-atlas:discovery']
mitre_platforms ['ATLAS']

Discover ML Model Family

Adversaries may discover the general family of model. General information about the model may be revealed in documentation, or the adversary may used carefully constructed examples and analyze the model's responses to categorize it.

Knowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.

Internal MISP references

UUID 8a115a02-2b88-4a3e-9212-a39dc086320b which can be used as unique global reference for Discover ML Model Family in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0014
kill_chain ['mitre-atlas:discovery']
mitre_platforms ['ATLAS']

Evade ML Model

Adversaries can Craft Adversarial Data that prevent a machine learning model from correctly identifying the contents of the data. This technique can be used to evade a downstream task where machine learning is utilized. The adversary may evade machine learning based virus/malware detection, or network scanning towards the goal of a traditional cyber attack.

Internal MISP references

UUID bb747632-d988-45ff-9cb3-97d827b4d9db which can be used as unique global reference for Evade ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0015
kill_chain ['mitre-atlas:initial-access', 'mitre-atlas:defense-evasion', 'mitre-atlas:impact']
mitre_platforms ['ATLAS']

Obtain Capabilities

Adversaries may search for and obtain software capabilities for use in their operations. Capabilities may be specific to ML-based attacks Adversarial ML Attack Implementations or generic software tools repurposed for malicious intent (Software Tools). In both instances, an adversary may modify or customize the capability to aid in targeting a particular ML system.

Internal MISP references

UUID 41dba0ab-b7bf-40b6-ac47-61dbfa16a53d which can be used as unique global reference for Obtain Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0016
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

Adversarial ML Attack Implementations

Adversaries may search for existing open source implementations of machine learning attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial ML attacks as part of their attack.

Internal MISP references

UUID 60a9f8e3-50fa-4dfd-8cc6-1598ce48abe3 which can be used as unique global reference for Adversarial ML Attack Implementations in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0016.000
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Software Tools

Adversaries may search for and obtain software tools to support their operations. Software designed for legitimate use may be repurposed by an adversary for malicious intent. An adversary may modify or customize software tools to achieve their purpose. Software tools used to support attacks on ML systems are not necessarily ML-based themselves.

Internal MISP references

UUID 3b1eeb78-bf3e-4d30-a376-d3f6ba67bd7c which can be used as unique global reference for Software Tools in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0016.001
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Develop Capabilities

Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capabilities. Capabilities used to support attacks on ML systems are not necessarily ML-based themselves. Examples include setting up websites with adversarial information or creating Jupyter notebooks with obfuscated exfiltration code.

Internal MISP references

UUID b386c5b6-dbc8-429f-a771-c712e3f1227b which can be used as unique global reference for Develop Capabilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0017
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

Adversarial ML Attacks

Adversaries may develop their own adversarial attacks. They may leverage existing libraries as a starting point (Adversarial ML Attack Implementations). They may implement ideas described in public research papers or develop custom made attacks for the victim model.

Internal MISP references

UUID 70cf5726-5a5b-4114-8e54-991c17803422 which can be used as unique global reference for Adversarial ML Attacks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0017.000
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Backdoor ML Model

Adversaries may introduce a backdoor into a ML model. A backdoored model operates performs as expected under typical conditions, but will produce the adversary's desired output when a trigger is introduced to the input data. A backdoored model provides the adversary with a persistent artifact on the victim system. The embedded vulnerability is typically activated at a later time by data samples with an Insert Backdoor Trigger

Internal MISP references

UUID ccf956b4-329e-4de8-8ba2-e784d152e0cb which can be used as unique global reference for Backdoor ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0018
kill_chain ['mitre-atlas:persistence', 'mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']

Poison ML Model

Adversaries may introduce a backdoor by training the model poisoned data, or by interfering with its training process. The model learns to associate a adversary defined trigger with the adversary's desired output.

Internal MISP references

UUID 822cb1e2-f35f-4b35-a650-59b7770d4abc which can be used as unique global reference for Poison ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0018.000
kill_chain ['mitre-atlas:persistence', 'mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Inject Payload

Adversaries may introduce a backdoor into a model by injecting a payload into the model file. The payload detects the presence of the trigger and bypasses the model, instead producing the adversary's desired output.

Internal MISP references

UUID 68034561-a079-4052-9b64-427bfcff76ff which can be used as unique global reference for Inject Payload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0018.001
kill_chain ['mitre-atlas:persistence', 'mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Publish Poisoned Datasets

Adversaries may Poison Training Data and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset. This data may be introduced to a victim system via ML Supply Chain Compromise.

Internal MISP references

UUID 0799f2f2-1038-4391-ba1f-4117595db45a which can be used as unique global reference for Publish Poisoned Datasets in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0019
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

Poison Training Data

Adversaries may attempt to poison datasets used by a ML model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabilities in ML models trained on the data that may not be easily detectable. Data poisoning attacks may or may not require modifying the labels. The embedded vulnerability is activated at a later time by data samples with an Insert Backdoor Trigger

Poisoned data can be introduced via ML Supply Chain Compromise or the data may be poisoned after the adversary gains Initial Access to the system.

Internal MISP references

UUID 6945b742-f1d5-4a83-ba4a-d0e0de6620c3 which can be used as unique global reference for Poison Training Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0020
kill_chain ['mitre-atlas:resource-development', 'mitre-atlas:persistence']
mitre_platforms ['ATLAS']

Establish Accounts

Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in ML Attack Staging, or for victim impersonation.

Internal MISP references

UUID f1e017cd-d02c-4e33-a880-9e39c1e47621 which can be used as unique global reference for Establish Accounts in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0021
kill_chain ['mitre-atlas:resource-development']
mitre_platforms ['ATLAS']

Exfiltration via ML Inference API

Adversaries may exfiltrate private information via ML Model Inference API Access. ML Models have been shown leak private information about their training data (e.g. Infer Training Data Membership, Invert ML Model). The model itself may also be extracted (Extract ML Model) for the purposes of ML Intellectual Property Theft.

Exfiltration of information relating to private training data raises privacy concerns. Private training data may include personally identifiable information, or other protected data.

Internal MISP references

UUID 3b829988-8bdb-4c4e-a4dd-500a3d3fd3e4 which can be used as unique global reference for Exfiltration via ML Inference API in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0024
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']

Infer Training Data Membership

Adversaries may infer the membership of a data sample in its training set, which raises privacy concerns. Some strategies make use of a shadow model that could be obtained via Train Proxy via Replication, others use statistics of model prediction scores.

This can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.

Internal MISP references

UUID 83c5ba15-5312-4c7d-bbb4-f9c4f2c6ffca which can be used as unique global reference for Infer Training Data Membership in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0024.000
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Invert ML Model

Machine learning models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API. By querying the inference API strategically, adversaries can back out potentially private information embedded within the training data. This could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.

Internal MISP references

UUID 569d6edd-0140-4ab2-97b1-3635d62f40cc which can be used as unique global reference for Invert ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0024.001
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Extract ML Model

Adversaries may extract a functional copy of a private model. By repeatedly querying the victim's ML Model Inference API Access, the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.

Adversaries may extract the model to avoid paying per query in a machine learning as a service setting. Model extraction is used for ML Intellectual Property Theft.

Internal MISP references

UUID b5d1fd4f-861f-43e0-b1ca-ee8a3b47f7e1 which can be used as unique global reference for Extract ML Model in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0024.002
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Exfiltration via Cyber Means

Adversaries may exfiltrate ML artifacts or other information relevant to their goals via traditional cyber means.

See the ATT&CK Exfiltration tactic for more information.

Internal MISP references

UUID 481486ed-846c-43ce-931b-86b8a18556b0 which can be used as unique global reference for Exfiltration via Cyber Means in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0025
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']

Denial of ML Service

Adversaries may target machine learning systems with a flood of requests for the purpose of degrading or shutting down the service. Since many machine learning systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the machine learning system.

Internal MISP references

UUID 1cc7f877-cb60-419a-bd1e-32b704b534d0 which can be used as unique global reference for Denial of ML Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0029
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']

Erode ML Model Integrity

Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time. This can lead to the victim organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.

Internal MISP references

UUID 8bcf7648-2683-421d-b623-bc539de59cb3 which can be used as unique global reference for Erode ML Model Integrity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0031
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']

Cost Harvesting

Adversaries may target different machine learning services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization. Sponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.

Internal MISP references

UUID ba5645e5-d1ab-4f1f-8b82-cb0792543fa8 which can be used as unique global reference for Cost Harvesting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0034
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']

ML Artifact Collection

Adversaries may collect ML artifacts for Exfiltration or for use in ML Attack Staging. ML artifacts include models and datasets as well as other telemetry data produced when interacting with a model.

Internal MISP references

UUID b67fc223-fecf-4ee6-9de7-9392d9f04060 which can be used as unique global reference for ML Artifact Collection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0035
kill_chain ['mitre-atlas:collection']
mitre_platforms ['ATLAS']

Data from Information Repositories

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include Sharepoint, Confluence, and enterprise databases such as SQL Server.

Internal MISP references

UUID 512fc1dc-d52b-483d-8bac-4f7034b9e407 which can be used as unique global reference for Data from Information Repositories in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0036
kill_chain ['mitre-atlas:collection']
mitre_platforms ['ATLAS']

Data from Local System

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

This can include basic fingerprinting information and sensitive data such as ssh keys.

Internal MISP references

UUID 1f1b53cf-c34f-48d2-b9f2-32074392e4a8 which can be used as unique global reference for Data from Local System in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0037
kill_chain ['mitre-atlas:collection']
mitre_platforms ['ATLAS']

ML Model Inference API Access

Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary (Discover ML Model Ontology, Discover ML Model Family), a means of staging the attack (Verify Attack, Craft Adversarial Data), or for introducing data to the target system for Impact (Evade ML Model, Erode ML Model Integrity).

Internal MISP references

UUID a5d2ba8c-0319-4c14-9831-f5b708c8863d which can be used as unique global reference for ML Model Inference API Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0040
kill_chain ['mitre-atlas:ml-model-access']
mitre_platforms ['ATLAS']

Physical Environment Access

In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks. If the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected. By modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.

Internal MISP references

UUID e0958449-a880-4410-bbb1-fa102030a883 which can be used as unique global reference for Physical Environment Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0041
kill_chain ['mitre-atlas:ml-model-access']
mitre_platforms ['ATLAS']

Verify Attack

Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model. This gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing. The adversary may verify the attack once but use it against many edge devices running copies of the target model. The adversary may verify their attack digitally, then deploy it in the Physical Environment Access at a later time. Verifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.

Internal MISP references

UUID 466f70e5-5b63-42ae-8dab-f54e0a928d55 which can be used as unique global reference for Verify Attack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0042
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']

Craft Adversarial Data

Adversarial data are inputs to a machine learning model that have been modified such that they cause the adversary's desired effect in the target model. Effects can range from misclassification, to missed detections, to maximising energy consumption. Typically, the modification is constrained in magnitude or location so that a human still perceives the data as if it were unmodified, but human perceptibility may not always be a concern depending on the adversary's intended effect. For example, an adversarial input for an image classification task is an image the machine learning model would misclassify, but a human would still recognize as containing the correct class.

Depending on the adversary's knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example such as White-Box Optimization, Black-Box Optimization, Black-Box Transfer, or Manual Modification.

The adversary may Verify Attack their approach works if they have white-box or inference API access to the model. This allows the adversary to gain confidence their attack is effective "live" environment where their attack may be noticed. They can then use the attack at a later time to accomplish their goals. An adversary may optimize adversarial examples for Evade ML Model, or to Erode ML Model Integrity.

Internal MISP references

UUID 8f7394cf-d0e4-4187-85c7-d278f77a9a09 which can be used as unique global reference for Craft Adversarial Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']

White-Box Optimization

In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly. Adversarial examples trained in this manor are most effective against the target model.

Internal MISP references

UUID 51c95da5-d7f1-4b57-9229-869b80305b37 which can be used as unique global reference for White-Box Optimization in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043.000
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Black-Box Optimization

In Black-Box attacks, the adversary has black-box (i.e. ML Model Inference API Access via API access) access to the target model. With black-box attacks, the adversary may be using an API that the victim is monitoring. These attacks are generally less effective and require more inferences than White-Box Optimization attacks, but they require much less access.

Internal MISP references

UUID 79cdc11c-2ca9-4a6a-96a0-18bd84943086 which can be used as unique global reference for Black-Box Optimization in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043.001
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Black-Box Transfer

In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via Create Proxy ML Model or Train Proxy via Replication) models they have full access to and are representative of the target model. The adversary uses White-Box Optimization on the proxy models to generate adversarial examples. If the set of proxy models are close enough to the target model, the adversarial example should generalize from one to another. This means that an attack that works for the proxy models will likely then work for the target model. If the adversary has ML Model Inference API Access, they may use this Verify Attack that the attack is working and incorporate that information into their training process.

Internal MISP references

UUID a109f272-a57b-4c85-896d-0429af301e21 which can be used as unique global reference for Black-Box Transfer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043.002
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Manual Modification

Adversaries may manually modify the input data to craft adversarial data. They may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task. The adversary may use trial and error until they are able to verify they have a working adversarial input.

Internal MISP references

UUID 5f80868c-5996-4730-9326-f1c8a8630c5e which can be used as unique global reference for Manual Modification in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043.003
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Insert Backdoor Trigger

The adversary may add a perceptual trigger into inference data. The trigger may be imperceptible or non-obvious to humans. This technique is used in conjunction with Poison ML Model and allows the adversary to produce their desired effect in the target model.

Internal MISP references

UUID 4b86b97e-648e-44f9-8d2c-5c5557062f3e which can be used as unique global reference for Insert Backdoor Trigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0043.004
kill_chain ['mitre-atlas:ml-attack-staging']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Full ML Model Access

Adversaries may gain full "white-box" access to a machine learning model. This means the adversary has complete knowledge of the model architecture, its parameters, and class ontology. They may exfiltrate the model to Craft Adversarial Data and Verify Attack in an offline where it is hard to detect their behavior.

Internal MISP references

UUID afcd723a-e5ff-4c09-8f72-fe16f7345af7 which can be used as unique global reference for Full ML Model Access in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0044
kill_chain ['mitre-atlas:ml-model-access']
mitre_platforms ['ATLAS']

Spamming ML System with Chaff Data

Adversaries may spam the machine learning system with chaff data that causes increase in the number of detections. This can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.

Internal MISP references

UUID 3247b43f-1888-4158-b3da-5b7c7dfaa4e2 which can be used as unique global reference for Spamming ML System with Chaff Data in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0046
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']

ML-Enabled Product or Service

Adversaries may use a product or service that uses machine learning under the hood to gain access to the underlying machine learning model. This type of indirect model access may reveal details of the ML model or its inferences in logs or metadata.

Internal MISP references

UUID 0bab6cda-eb77-46b8-adfc-4274d0513c8f which can be used as unique global reference for ML-Enabled Product or Service in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0047
kill_chain ['mitre-atlas:ml-model-access']
mitre_platforms ['ATLAS']

External Harms

Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system. These harms could affect the organization (e.g. Financial Harm, Reputational Harm), its users (e.g. User Harm), or the general public (e.g. Societal Harm).

Internal MISP references

UUID 0a648aab-7809-48b4-a505-cba29fa14c0c which can be used as unique global reference for External Harms in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']

Financial Harm

Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary.

Internal MISP references

UUID b8373cee-1dfb-4e37-8ea5-8d012b276ba7 which can be used as unique global reference for Financial Harm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048.000
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Reputational Harm

Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations.

Internal MISP references

UUID 411ffbe6-e20e-468d-bdf6-01e9d549ff6a which can be used as unique global reference for Reputational Harm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048.001
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Societal Harm

Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content.

Internal MISP references

UUID 2de27d58-3e31-42fc-a52a-5c350ce5639f which can be used as unique global reference for Societal Harm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048.002
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

User Harm

User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level.

Internal MISP references

UUID a1e68129-6d82-4091-9324-bbf148a2228b which can be used as unique global reference for User Harm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048.003
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

ML Intellectual Property Theft

Adversaries may exfiltrate ML artifacts to steal intellectual property and cause economic harm to the victim organization.

Proprietary training data is costly to collect and annotate and may be a target for Exfiltration and theft.

MLaaS providers charge for use of their API. An adversary who has stolen a model via Exfiltration or via Extract ML Model now has unlimited use of that service without paying the owner of the intellectual property.

Internal MISP references

UUID 0d002b6b-d006-4aab-a7f9-fa69f4a1e675 which can be used as unique global reference for ML Intellectual Property Theft in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0048.004
kill_chain ['mitre-atlas:impact']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

Internal MISP references

UUID 81da9310-0555-4f71-9840-40e3799c85da which can be used as unique global reference for Exploit Public-Facing Application in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0049
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']

Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

Internal MISP references

UUID ac7bb2f4-0eef-4d42-b2ee-99810c855123 which can be used as unique global reference for Command and Scripting Interpreter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0050
kill_chain ['mitre-atlas:execution']
mitre_platforms ['ATLAS']

LLM Prompt Injection

An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways. These "prompt injections" are often designed to cause the model to ignore aspects of its original instructions and follow the adversary's instructions instead.

Prompt Injections can be an initial access vector to the LLM that provides the adversary with a foothold to carry out other steps in their operation. They may be designed to bypass defenses in the LLM, or allow the adversary to issue privileged commands. The effects of a prompt injection can persist throughout an interactive session with an LLM.

Malicious prompts may be injected directly by the adversary (Direct) either to leverage the LLM to generate harmful content or to gain a foothold on the system and lead to further effects. Prompts may also be injected indirectly when as part of its normal operation the LLM ingests the malicious prompt from another data source (Indirect). This type of injection can be used by the adversary to a foothold on the system or to target the user of the LLM.

Internal MISP references

UUID 1511d7eb-cf6f-470f-b7fe-e001be2c2935 which can be used as unique global reference for LLM Prompt Injection in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0051
kill_chain ['mitre-atlas:initial-access', 'mitre-atlas:persistence', 'mitre-atlas:privilege-escalation', 'mitre-atlas:defense-evasion']
mitre_platforms ['ATLAS']

Direct

An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content.

Internal MISP references

UUID 9dc349e9-745e-4bb0-9f95-9c9c598045ac which can be used as unique global reference for Direct in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0051.000
kill_chain ['mitre-atlas:initial-access', 'mitre-atlas:persistence', 'mitre-atlas:privilege-escalation', 'mitre-atlas:defense-evasion']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Indirect

An adversary may inject prompts indirectly via separate data channel ingested by the LLM such as include text or multimedia pulled from databases or websites. These malicious prompts may be hidden or obfuscated from the user. This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.

Internal MISP references

UUID eeb15ef7-70f9-45b1-8ce9-07d20ee9258a which can be used as unique global reference for Indirect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0051.001
kill_chain ['mitre-atlas:initial-access', 'mitre-atlas:persistence', 'mitre-atlas:privilege-escalation', 'mitre-atlas:defense-evasion']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Generative AI, including LLMs that generate synthetic text, visual deepfakes of faces, and audio deepfakes of speech, is enabling adversaries to scale targeted phishing campaigns. LLMs can interact with users via text conversations and can be programmed with a meta prompt to phish for sensitive information. Deepfakes can be use in impersonation as an aid to phishing.

Internal MISP references

UUID b74030e3-0ee5-4c50-80ad-2393b3e1b161 which can be used as unique global reference for Phishing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0052
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']

Spearphishing via Social Engineering LLM

Adversaries may turn LLMs into targeted social engineers. LLMs are capable of interacting with users via text conversations. They can be instructed by an adversary to seek sensitive information from a user and act as effective social engineers. They can be targeted towards particular personas defined by the adversary. This allows adversaries to scale spearphishing efforts and target individuals to reveal private information such as credentials to privileged systems.

Internal MISP references

UUID ed847783-c732-4b52-b72e-e823a870c09c which can be used as unique global reference for Spearphishing via Social Engineering LLM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0052.000
kill_chain ['mitre-atlas:initial-access']
mitre_platforms ['ATLAS']
Related clusters

To see the related clusters, click here.

LLM Plugin Compromise

Adversaries may use their access to an LLM that is part of a larger system to compromise connected plugins. LLMs are often connected to other services or resources via plugins to increase their capabilities. Plugins may include integrations with other applications, access to public or private data sources, and the ability to execute code.

This may allow adversaries to execute API calls to integrated applications or plugins, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions.

Internal MISP references

UUID 9800daea-8512-48fe-a8a6-addf4e4472c3 which can be used as unique global reference for LLM Plugin Compromise in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0053
kill_chain ['mitre-atlas:execution', 'mitre-atlas:privilege-escalation']
mitre_platforms ['ATLAS']

LLM Jailbreak

An adversary may use a carefully crafted LLM Prompt Injection designed to place LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM. Once successfully jailbroken, the LLM can be used in unintended ways by the adversary.

Internal MISP references

UUID 151214d2-2f04-474a-90a7-d0645dee2cbe which can be used as unique global reference for LLM Jailbreak in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0054
kill_chain ['mitre-atlas:privilege-escalation', 'mitre-atlas:defense-evasion']
mitre_platforms ['ATLAS']

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).

Internal MISP references

UUID dd3e5970-2a1c-44b7-a94b-566a2a09dfb5 which can be used as unique global reference for Unsecured Credentials in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0055
kill_chain ['mitre-atlas:credential-access']
mitre_platforms ['ATLAS']

LLM Meta Prompt Extraction

An adversary may induce an LLM to reveal its initial instructions, or "meta prompt." Discovering the meta prompt can inform the adversary about the internal workings of the system. Prompt engineering is an emerging field that requires expertise and exfiltrating the meta prompt can prompt in order to steal valuable intellectual property.

Internal MISP references

UUID 3c248560-8041-48cc-8948-2c6815afe236 which can be used as unique global reference for LLM Meta Prompt Extraction in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0056
kill_chain ['mitre-atlas:discovery', 'mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']

LLM Data Leakage

Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked information may come from proprietary training data, data sources the LLM is connected to, or information from other users of the LLM.

Internal MISP references

UUID 3dc95dea-7507-447f-8ab5-e10beadaf606 which can be used as unique global reference for LLM Data Leakage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id AML.T0057
kill_chain ['mitre-atlas:exfiltration']
mitre_platforms ['ATLAS']