forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathATLAS.yaml
More file actions
7116 lines (6330 loc) · 314 KB
/
Copy pathATLAS.yaml
File metadata and controls
7116 lines (6330 loc) · 314 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
---
id: ATLAS
name: Adversarial Threat Landscape for AI Systems
version: 5.1.0
matrices:
- id: ATLAS
name: ATLAS Matrix
tactics:
- id: AML.TA0002
name: Reconnaissance
description: 'The adversary is trying to gather information about the AI system
they can use to plan future operations.
Reconnaissance consists of techniques that involve adversaries actively or passively
gathering information that can be used to support targeting.
Such information may include details of the victim organizations'' AI capabilities
and research efforts.
This information can be leveraged by the adversary to aid in other phases of
the adversary lifecycle, such as using gathered information to obtain relevant
AI artifacts, targeting AI capabilities used by the victim, tailoring attacks
to the particular models used by the victim, or to drive and lead further Reconnaissance
efforts.'
object-type: tactic
ATT&CK-reference:
id: TA0043
url: https://attack.mitre.org/tactics/TA0043/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0003
name: Resource Development
description: 'The adversary is trying to establish resources they can use to support
operations.
Resource Development consists of techniques that involve adversaries creating,
purchasing, or compromising/stealing resources that can be used to support targeting.
Such resources include AI artifacts, infrastructure, accounts, or capabilities.
These resources can be leveraged by the adversary to aid in other phases of
the adversary lifecycle, such as [AI Attack Staging](/tactics/AML.TA0001).'
object-type: tactic
ATT&CK-reference:
id: TA0042
url: https://attack.mitre.org/tactics/TA0042/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0004
name: Initial Access
description: 'The adversary is trying to gain access to the AI system.
The target system could be a network, mobile device, or an edge device such
as a sensor platform.
The AI capabilities used by the system could be local with onboard or cloud-enabled
AI capabilities.
Initial Access consists of techniques that use various entry vectors to gain
their initial foothold within the system.'
object-type: tactic
ATT&CK-reference:
id: TA0001
url: https://attack.mitre.org/tactics/TA0001/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0000
name: AI Model Access
description: 'The adversary is attempting to gain some level of access to an AI
model.
AI Model Access enables techniques that use various types of access to the AI
model that can be used by the adversary to gain information, develop attacks,
and as a means to input data to the model.
The level of access can range from the full knowledge of the internals of the
model to access to the physical environment where data is collected for use
in the AI model.
The adversary may use varying levels of model access during the course of their
attack, from staging the attack to impacting the target system.
Access to an AI model may require access to the system housing the model, the
model may be publicly accessible via an API, or it may be accessed indirectly
via interaction with a product or service that utilizes AI as part of its processes.'
object-type: tactic
created_date: 2021-05-13
modified_date: 2025-10-13
- id: AML.TA0005
name: Execution
description: 'The adversary is trying to run malicious code embedded in AI artifacts
or software.
Execution consists of techniques that result in adversary-controlled code running
on a local or remote system.
Techniques that run malicious code are often paired with techniques from all
other tactics to achieve broader goals, like exploring a network or stealing
data.
For example, an adversary might use a remote access tool to run a PowerShell
script that does [Remote System Discovery](https://attack.mitre.org/techniques/T1018/).'
object-type: tactic
ATT&CK-reference:
id: TA0002
url: https://attack.mitre.org/tactics/TA0002/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0006
name: Persistence
description: 'The adversary is trying to maintain their foothold via AI artifacts
or software.
Persistence consists of techniques that adversaries use to keep access to systems
across restarts, changed credentials, and other interruptions that could cut
off their access.
Techniques used for persistence often involve leaving behind modified ML artifacts
such as poisoned training data or manipulated AI models.'
object-type: tactic
ATT&CK-reference:
id: TA0003
url: https://attack.mitre.org/tactics/TA0003/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0012
name: Privilege Escalation
description: 'The adversary is trying to gain higher-level permissions.
Privilege Escalation consists of techniques that adversaries use to gain higher-level
permissions on a system or network. Adversaries can often enter and explore
a network with unprivileged access but require elevated permissions to follow
through on their objectives. Common approaches are to take advantage of system
weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access
include:
- SYSTEM/root level
- local administrator
- user account with admin-like access
- user accounts with access to specific system or perform specific function
These techniques often overlap with Persistence techniques, as OS features that
let an adversary persist can execute in an elevated context.
'
object-type: tactic
ATT&CK-reference:
id: TA0004
url: https://attack.mitre.org/tactics/TA0004/
created_date: 2023-10-25
modified_date: 2023-10-25
- id: AML.TA0007
name: Defense Evasion
description: 'The adversary is trying to avoid being detected by AI-enabled security
software.
Defense Evasion consists of techniques that adversaries use to avoid detection
throughout their compromise.
Techniques used for defense evasion include evading AI-enabled security software
such as malware detectors.'
object-type: tactic
ATT&CK-reference:
id: TA0005
url: https://attack.mitre.org/tactics/TA0005/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0013
name: Credential Access
description: 'The adversary is trying to steal account names and passwords.
Credential Access consists of techniques for stealing credentials like account
names and passwords. Techniques used to get credentials include keylogging or
credential dumping. Using legitimate credentials can give adversaries access
to systems, make them harder to detect, and provide the opportunity to create
more accounts to help achieve their goals.
'
object-type: tactic
ATT&CK-reference:
id: TA0006
url: https://attack.mitre.org/tactics/TA0006/
created_date: 2023-10-25
modified_date: 2023-10-25
- id: AML.TA0008
name: Discovery
description: 'The adversary is trying to figure out your AI environment.
Discovery consists of techniques an adversary may use to gain knowledge about
the system and internal network.
These techniques help adversaries observe the environment and orient themselves
before deciding how to act.
They also allow adversaries to explore what they can control and what''s around
their entry point in order to discover how it could benefit their current objective.
Native operating system tools are often used toward this post-compromise information-gathering
objective.'
object-type: tactic
ATT&CK-reference:
id: TA0007
url: https://attack.mitre.org/tactics/TA0007/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0015
name: Lateral Movement
description: 'The adversary is trying to move through your AI environment.
Lateral Movement consists of techniques that adversaries may use to gain access
to and control other systems or components in the environment. Adversaries may
pivot towards AI Ops infrastructure such as model registries, experiment trackers,
vector databases, notebooks, or training pipelines. As the adversary moves through
the environment, they may discover means of accessing additional AI-related
tools, services, or applications. AI agents may also be a valuable target as
they commonly have more permissions than standard user accounts on the system.'
object-type: tactic
ATT&CK-reference:
id: TA0008
url: https://attack.mitre.org/tactics/TA0008/
created_date: 2025-10-27
modified_date: 2025-11-05
- id: AML.TA0009
name: Collection
description: 'The adversary is trying to gather AI artifacts and other related
information relevant to their goal.
Collection consists of techniques adversaries may use to gather information
and the sources information is collected from that are relevant to following
through on the adversary''s objectives.
Frequently, the next goal after collecting data is to steal (exfiltrate) the
AI artifacts, or use the collected information to stage future operations.
Common target sources include software repositories, container registries, model
repositories, and object stores.'
object-type: tactic
ATT&CK-reference:
id: TA0009
url: https://attack.mitre.org/tactics/TA0009/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0001
name: AI Attack Staging
description: 'The adversary is leveraging their knowledge of and access to the
target system to tailor the attack.
AI Attack Staging consists of techniques adversaries use to prepare their attack
on the target AI model.
Techniques can include training proxy models, poisoning the target model, and
crafting adversarial data to feed the target model.
Some of these techniques can be performed in an offline manner and are thus
difficult to mitigate.
These techniques are often used to achieve the adversary''s end goal.'
object-type: tactic
created_date: 2021-05-13
modified_date: 2025-04-09
- id: AML.TA0014
name: Command and Control
description: 'The adversary is trying to communicate with compromised AI systems
to control them.
Command and Control consists of techniques that adversaries may use to communicate
with systems under their control within a victim network. Adversaries commonly
attempt to mimic normal, expected traffic to avoid detection. There are many
ways an adversary can establish command and control with various levels of stealth
depending on the victim''s network structure and defenses.'
object-type: tactic
ATT&CK-reference:
id: TA0011
url: https://attack.mitre.org/tactics/TA0011/
created_date: 2024-04-11
modified_date: 2024-04-11
- id: AML.TA0010
name: Exfiltration
description: 'The adversary is trying to steal AI artifacts or other information
about the AI system.
Exfiltration consists of techniques that adversaries may use to steal data from
your network.
Data may be stolen for its valuable intellectual property, or for use in staging
future operations.
Techniques for getting data out of a target network typically include transferring
it over their command and control channel or an alternate channel and may also
include putting size limits on the transmission.'
object-type: tactic
ATT&CK-reference:
id: TA0010
url: https://attack.mitre.org/tactics/TA0010/
created_date: 2022-01-24
modified_date: 2025-04-09
- id: AML.TA0011
name: Impact
description: 'The adversary is trying to manipulate, interrupt, erode confidence
in, or destroy your AI systems and data.
Impact consists of techniques that adversaries use to disrupt availability or
compromise integrity by manipulating business and operational processes.
Techniques used for impact can include destroying or tampering with data.
In some cases, business processes can look fine, but may have been altered to
benefit the adversaries'' goals.
These techniques might be used by adversaries to follow through on their end
goal or to provide cover for a confidentiality breach.'
object-type: tactic
ATT&CK-reference:
id: TA0040
url: https://attack.mitre.org/tactics/TA0040/
created_date: 2022-01-24
modified_date: 2025-04-09
techniques:
- id: AML.T0000
name: Search Open Technical Databases
description: 'Adversaries may search for publicly available research and technical
documentation to learn how and where AI is used within a victim organization.
The adversary can use this information to identify targets for attack, or to
tailor an existing attack to make it more effective.
Organizations often use open source model architectures trained on additional
proprietary data in production.
Knowledge of this underlying architecture allows the adversary to craft more
realistic proxy models ([Create Proxy AI Model](/techniques/AML.T0005)).
An adversary can search these resources for publications for authors employed
at the victim organization.
Research and technical materials may exist as academic papers published in [Journals
and Conference Proceedings](/techniques/AML.T0000.000), or stored in [Pre-Print
Repositories](/techniques/AML.T0000.001), as well as [Technical Blogs](/techniques/AML.T0000.002).'
object-type: technique
ATT&CK-reference:
id: T1596
url: https://attack.mitre.org/techniques/T1596/
tactics:
- AML.TA0002
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0000.000
name: Journals and Conference Proceedings
description: 'Many of the publications accepted at premier artificial intelligence
conferences and journals come from commercial labs.
Some journals and conferences are open access, others may require paying for
access or a membership.
These publications will often describe in detail all aspects of a particular
approach for reproducibility.
This information can be used by adversaries to implement the paper.'
object-type: technique
subtechnique-of: AML.T0000
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: feasible
- id: AML.T0000.001
name: Pre-Print Repositories
description: 'Pre-Print repositories, such as arXiv, contain the latest academic
research papers that haven''t been peer reviewed.
They may contain research notes, or technical reports that aren''t typically
published in journals or conference proceedings.
Pre-print repositories also serve as a central location to share papers that
have been accepted to journals.
Searching pre-print repositories provide adversaries with a relatively up-to-date
view of what researchers in the victim organization are working on.
'
object-type: technique
subtechnique-of: AML.T0000
created_date: 2021-05-13
modified_date: 2021-05-13
maturity: demonstrated
- id: AML.T0000.002
name: Technical Blogs
description: 'Research labs at academic institutions and company R&D divisions
often have blogs that highlight their use of artificial intelligence and its
application to the organization''s unique problems.
Individual researchers also frequently document their work in blogposts.
An adversary may search for posts made by the target victim organization or
its employees.
In comparison to [Journals and Conference Proceedings](/techniques/AML.T0000.000)
and [Pre-Print Repositories](/techniques/AML.T0000.001) this material will often
contain more practical aspects of the AI system.
This could include underlying technologies and frameworks used, and possibly
some information about the API access and use case.
This will help the adversary better understand how that organization is using
AI internally and the details of their approach that could aid in tailoring
an attack.'
object-type: technique
subtechnique-of: AML.T0000
created_date: 2021-05-13
modified_date: 2025-10-13
maturity: feasible
- id: AML.T0001
name: Search Open AI Vulnerability Analysis
description: 'Much like the [Search Open Technical Databases](/techniques/AML.T0000),
there is often ample research available on the vulnerabilities of common AI
models. Once a target has been identified, an adversary will likely try to identify
any pre-existing work that has been done for this class of models.
This will include not only reading academic papers that may identify the particulars
of a successful attack, but also identifying pre-existing implementations of
those attacks. The adversary may obtain [Adversarial AI Attack Implementations](/techniques/AML.T0016.000)
or develop their own [Adversarial AI Attacks](/techniques/AML.T0017.000) if
necessary.'
object-type: technique
tactics:
- AML.TA0002
created_date: 2021-05-13
modified_date: 2025-04-17
maturity: demonstrated
- id: AML.T0003
name: Search Victim-Owned Websites
description: 'Adversaries may search websites owned by the victim for information
that can be used during targeting.
Victim-owned websites may contain technical details about their AI-enabled products
or services.
Victim-owned websites may contain a variety of details, including names of departments/divisions,
physical locations, and data about key employees such as names, roles, and contact
info.
These sites may also have details highlighting business operations and relationships.
Adversaries may search victim-owned websites to gather actionable information.
This information may help adversaries tailor their attacks (e.g. [Adversarial
AI Attacks](/techniques/AML.T0017.000) or [Manual Modification](/techniques/AML.T0043.003)).
Information from these sources may reveal opportunities for other forms of reconnaissance
(e.g. [Search Open Technical Databases](/techniques/AML.T0000) or [Search Open
AI Vulnerability Analysis](/techniques/AML.T0001))'
object-type: technique
ATT&CK-reference:
id: T1594
url: https://attack.mitre.org/techniques/T1594/
tactics:
- AML.TA0002
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0004
name: Search Application Repositories
description: 'Adversaries may search open application repositories during targeting.
Examples of these include Google Play, the iOS App store, the macOS App Store,
and the Microsoft Store.
Adversaries may craft search queries seeking applications that contain AI-enabled
components.
Frequently, the next step is to [Acquire Public AI Artifacts](/techniques/AML.T0002).'
object-type: technique
tactics:
- AML.TA0002
created_date: 2021-05-13
modified_date: 2025-10-13
maturity: demonstrated
- id: AML.T0006
name: Active Scanning
description: 'An adversary may probe or scan the victim system to gather information
for targeting. This is distinct from other reconnaissance techniques that do
not involve direct interaction with the victim system.
Adversaries may scan for open ports on a potential victim''s network, which
can indicate specific services or tools the victim is utilizing. This could
include a scan for tools related to AI DevOps or AI services themselves such
as public AI chat agents (ex: [Copilot Studio Hunter](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)).
They can also send emails to organization service addresses and inspect the
replies for indicators that an AI agent is managing the inbox.
Information gained from Active Scanning may yield targets that provide opportunities
for other forms of reconnaissance such as [Search Open Technical Databases](/techniques/AML.T0000),
[Search Open AI Vulnerability Analysis](/techniques/AML.T0001), or [Gather RAG-Indexed
Targets](/techniques/AML.T0064).'
object-type: technique
ATT&CK-reference:
id: T1595
url: https://attack.mitre.org/techniques/T1595/
tactics:
- AML.TA0002
created_date: 2021-05-13
modified_date: 2025-11-04
maturity: realized
- id: AML.T0002
name: Acquire Public AI Artifacts
description: 'Adversaries may search public sources, including cloud storage,
public-facing services, and software or data repositories, to identify AI artifacts.
These AI artifacts may include the software stack used to train and deploy models,
training and testing data, model configurations and parameters.
An adversary will be particularly interested in artifacts hosted by or associated
with the victim organization as they may represent what that organization uses
in a production environment.
Adversaries may identify artifact repositories via other resources associated
with the victim organization (e.g. [Search Victim-Owned Websites](/techniques/AML.T0003)
or [Search Open Technical Databases](/techniques/AML.T0000)).
These AI artifacts often provide adversaries with details of the AI task and
approach.
AI artifacts can aid in an adversary''s ability to [Create Proxy AI Model](/techniques/AML.T0005).
If these artifacts include pieces of the actual model in production, they can
be used to directly [Craft Adversarial Data](/techniques/AML.T0043).
Acquiring some artifacts requires registration (providing user details such
email/name), AWS keys, or written requests, and may require the adversary to
[Establish Accounts](/techniques/AML.T0021).
Artifacts might be hosted on victim-controlled infrastructure, providing the
victim with some information on who has accessed that data.'
object-type: technique
tactics:
- AML.TA0003
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0002.000
name: Datasets
description: 'Adversaries may collect public datasets to use in their operations.
Datasets used by the victim organization or datasets that are representative
of the data used by the victim organization may be valuable to adversaries.
Datasets can be stored in cloud storage, or on victim-owned websites.
Some datasets require the adversary to [Establish Accounts](/techniques/AML.T0021)
for access.
Acquired datasets help the adversary advance their operations, stage attacks, and
tailor attacks to the victim organization.
'
object-type: technique
subtechnique-of: AML.T0002
created_date: 2021-05-13
modified_date: 2021-05-13
maturity: demonstrated
- id: AML.T0002.001
name: Models
description: 'Adversaries may acquire public models to use in their operations.
Adversaries may seek models used by the victim organization or models that are
representative of those used by the victim organization.
Representative models may include model architectures, or pre-trained models
which define the architecture as well as model parameters from training on a
dataset.
The adversary may search public sources for common model architecture configuration
file formats such as YAML or Python configuration files, and common model storage
file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth),
or TensorFlow (.pb, .tflite).
Acquired models are useful in advancing the adversary''s operations and are
frequently used to tailor attacks to the victim model.
'
object-type: technique
subtechnique-of: AML.T0002
created_date: 2021-05-13
modified_date: 2023-02-28
maturity: demonstrated
- id: AML.T0016
name: Obtain Capabilities
description: 'Adversaries may search for and obtain software capabilities for
use in their operations.
Capabilities may be specific to AI-based attacks [Adversarial AI Attack Implementations](/techniques/AML.T0016.000)
or generic software tools repurposed for malicious intent ([Software Tools](/techniques/AML.T0016.001)).
In both instances, an adversary may modify or customize the capability to aid
in targeting a particular AI-enabled system.'
object-type: technique
ATT&CK-reference:
id: T1588
url: https://attack.mitre.org/techniques/T1588/
tactics:
- AML.TA0003
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0016.000
name: Adversarial AI Attack Implementations
description: Adversaries may search for existing open source implementations of
AI attacks. The research community often publishes their code for reproducibility
and to further future research. Libraries intended for research purposes, such
as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized
by an adversary. Adversaries may also obtain and use tools that were not originally
designed for adversarial AI attacks as part of their attack.
object-type: technique
subtechnique-of: AML.T0016
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0016.001
name: Software Tools
description: 'Adversaries may search for and obtain software tools to support
their operations.
Software designed for legitimate use may be repurposed by an adversary for malicious
intent.
An adversary may modify or customize software tools to achieve their purpose.
Software tools used to support attacks on AI systems are not necessarily AI-based
themselves.'
object-type: technique
ATT&CK-reference:
id: T1588.002
url: https://attack.mitre.org/techniques/T1588/002/
subtechnique-of: AML.T0016
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0017
name: Develop Capabilities
description: Adversaries may develop their own capabilities to support operations.
This process encompasses identifying requirements, building solutions, and deploying
capabilities. Capabilities used to support attacks on AI-enabled systems are
not necessarily AI-based themselves. Examples include setting up websites with
adversarial information or creating Jupyter notebooks with obfuscated exfiltration
code.
object-type: technique
ATT&CK-reference:
id: T1587
url: https://attack.mitre.org/techniques/T1587/
tactics:
- AML.TA0003
created_date: 2023-10-25
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0017.000
name: Adversarial AI Attacks
description: 'Adversaries may develop their own adversarial attacks.
They may leverage existing libraries as a starting point ([Adversarial AI Attack
Implementations](/techniques/AML.T0016.000)).
They may implement ideas described in public research papers or develop custom
made attacks for the victim model.
'
object-type: technique
subtechnique-of: AML.T0017
created_date: 2023-10-25
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0008
name: Acquire Infrastructure
description: 'Adversaries may buy, lease, or rent infrastructure for use throughout
their operation.
A wide variety of infrastructure exists for hosting and orchestrating adversary
operations.
Infrastructure solutions include physical or cloud servers, domains, mobile
devices, and third-party web services.
Free resources may also be used, but they are typically limited.
Infrastructure can also include physical components such as countermeasures
that degrade or disrupt AI components or sensors, including printed materials,
wearables, or disguises.
Use of these infrastructure solutions allows an adversary to stage, launch,
and execute an operation.
Solutions may help adversary operations blend in with traffic that is seen as
normal, such as contact to third-party web services.
Depending on the implementation, adversaries may use infrastructure that makes
it difficult to physically tie back to them as well as utilize infrastructure
that can be rapidly provisioned, modified, and shut down.'
object-type: technique
tactics:
- AML.TA0003
created_date: 2021-05-13
modified_date: 2025-03-12
maturity: realized
- id: AML.T0008.000
name: AI Development Workspaces
description: 'Developing and staging AI attacks often requires expensive compute
resources.
Adversaries may need access to one or many GPUs in order to develop an attack.
They may try to anonymously use free resources such as Google Colaboratory,
or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to
stand up temporary resources to conduct operations.
Multiple workspaces may be used to avoid detection.'
object-type: technique
subtechnique-of: AML.T0008
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0008.001
name: Consumer Hardware
description: 'Adversaries may acquire consumer hardware to conduct their attacks.
Owning the hardware provides the adversary with complete control of the environment.
These devices can be hard to trace.
'
object-type: technique
subtechnique-of: AML.T0008
created_date: 2021-05-13
modified_date: 2021-05-13
maturity: realized
- id: AML.T0019
name: Publish Poisoned Datasets
description: 'Adversaries may [Poison Training Data](/techniques/AML.T0020) and
publish it to a public location.
The poisoned dataset may be a novel dataset or a poisoned variant of an existing
open source dataset.
This data may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010).
'
object-type: technique
tactics:
- AML.TA0003
created_date: 2021-05-13
modified_date: 2021-05-13
maturity: demonstrated
- id: AML.T0010
name: AI Supply Chain Compromise
description: 'Adversaries may gain initial access to a system by compromising
the unique portions of the AI supply chain.
This could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002)
and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001)
stack, or the [Model](/techniques/AML.T0010.003) itself.
In some instances the attacker will need secondary access to fully carry out
an attack using compromised components of the supply chain.'
object-type: technique
tactics:
- AML.TA0004
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0010.000
name: Hardware
description: Adversaries may target AI systems by disrupting or manipulating the
hardware supply chain. AI models often run on specialized hardware such as GPUs,
TPUs, or embedded devices, but may also be optimized to operate on CPUs.
object-type: technique
subtechnique-of: AML.T0010
created_date: 2021-05-13
modified_date: 2025-03-12
maturity: feasible
- id: AML.T0010.001
name: AI Software
description: 'Most AI systems rely on a limited set of AI frameworks.
An adversary could get access to a large number of AI systems through a comprise
of one of their supply chains.
Many AI projects also rely on other open source implementations of various algorithms.
These can also be compromised in a targeted way to get access to specific systems.'
object-type: technique
subtechnique-of: AML.T0010
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0010.002
name: Data
description: 'Data is a key vector of supply chain compromise for adversaries.
Every AI project will require some form of data.
Many rely on large open source datasets that are publicly available.
An adversary could rely on compromising these sources of data.
The malicious data could be a result of [Poison Training Data](/techniques/AML.T0020)
or include traditional malware.
An adversary can also target private datasets in the labeling phase.
The creation of private datasets will often require the hiring of outside labeling
services.
An adversary can poison a dataset by modifying the labels being generated by
the labeling service.'
object-type: technique
subtechnique-of: AML.T0010
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0010.003
name: Model
description: 'AI-enabled systems often rely on open sourced models in various
ways.
Most commonly, the victim organization may be using these models for fine tuning.
These models will be downloaded from an external source and then used as the
base for the model as it is tuned on a smaller, private dataset.
Loading models often requires executing some saved code in the form of a saved
model file.
These can be compromised with traditional malware, or through some adversarial
AI techniques.'
object-type: technique
subtechnique-of: AML.T0010
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0040
name: AI Model Inference API Access
description: 'Adversaries may gain access to a model via legitimate access to
the inference API.
Inference API access can be a source of information to the adversary ([Discover
AI Model Ontology](/techniques/AML.T0013), [Discover AI Model Family](/techniques/AML.T0014)),
a means of staging the attack ([Verify Attack](/techniques/AML.T0042), [Craft
Adversarial Data](/techniques/AML.T0043)), or for introducing data to the target
system for Impact ([Evade AI Model](/techniques/AML.T0015), [Erode AI Model
Integrity](/techniques/AML.T0031)).
Many systems rely on the same models provided via an inference API, which means
they share the same vulnerabilities. This is especially true of foundation models
which are prohibitively resource intensive to train. Adversaries may use their
access to model APIs to identify vulnerabilities such as jailbreaks or hallucinations
and then target applications that use the same models.'
object-type: technique
tactics:
- AML.TA0000
created_date: 2021-05-13
modified_date: 2025-03-12
maturity: demonstrated
- id: AML.T0047
name: AI-Enabled Product or Service
description: 'Adversaries may use a product or service that uses artificial intelligence
under the hood to gain access to the underlying AI model.
This type of indirect model access may reveal details of the AI model or its
inferences in logs or metadata.'
object-type: technique
tactics:
- AML.TA0000
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: realized
- id: AML.T0041
name: Physical Environment Access
description: 'In addition to the attacks that take place purely in the digital
domain, adversaries may also exploit the physical environment for their attacks.
If the model is interacting with data collected from the real world in some
way, the adversary can influence the model through access to wherever the data
is being collected.
By modifying the data in the collection process, the adversary can perform modified
versions of attacks designed for digital access.
'
object-type: technique
tactics:
- AML.TA0000
created_date: 2021-05-13
modified_date: 2021-05-13
maturity: demonstrated
- id: AML.T0044
name: Full AI Model Access
description: 'Adversaries may gain full "white-box" access to an AI model.
This means the adversary has complete knowledge of the model architecture, its
parameters, and class ontology.
They may exfiltrate the model to [Craft Adversarial Data](/techniques/AML.T0043)
and [Verify Attack](/techniques/AML.T0042) in an offline where it is hard to
detect their behavior.'
object-type: technique
tactics:
- AML.TA0000
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0013
name: Discover AI Model Ontology
description: 'Adversaries may discover the ontology of an AI model''s output space,
for example, the types of objects a model can detect.
The adversary may discovery the ontology by repeated queries to the model, forcing
it to enumerate its output space.
Or the ontology may be discovered in a configuration file or in documentation
about the model.
The model ontology helps the adversary understand how the model is being used
by the victim.
It is useful to the adversary in creating targeted attacks.'
object-type: technique
tactics:
- AML.TA0008
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: demonstrated
- id: AML.T0014
name: Discover AI Model Family
description: 'Adversaries may discover the general family of model.
General information about the model may be revealed in documentation, or the
adversary may use carefully constructed examples and analyze the model''s responses
to categorize it.
Knowledge of the model family can help the adversary identify means of attacking
the model and help tailor the attack.
'
object-type: technique
tactics:
- AML.TA0008
created_date: 2021-05-13
modified_date: 2025-04-09
maturity: feasible
- id: AML.T0020
name: Poison Training Data
description: 'Adversaries may attempt to poison datasets used by an AI model by
modifying the underlying data or its labels.
This allows the adversary to embed vulnerabilities in AI models trained on the
data that may not be easily detectable.
Data poisoning attacks may or may not require modifying the labels.
The embedded vulnerability is activated at a later time by data samples with
an [Insert Backdoor Trigger](/techniques/AML.T0043.004)
Poisoned data can be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010)
or the data may be poisoned after the adversary gains [Initial Access](/tactics/AML.TA0004)
to the system.'
object-type: technique