MITRE ATLAS v5.5.0

Adversarial Threat Landscape for AI Systems

16 tactics 101 techniques 66 sub-techniques 0 mitigations 57 case studies

Realized — seen in the wild Demonstrated — lab/research Feasible — theoretical

AML.TA0002 Reconnaissance 8

The adversary is trying to gather information about the AI system they can use to plan future operations.

AML.T0000 Search Open Technical Databases Demonstrated 3 sub

AML.T0000.000 Journals and Conference Proceedings Feasible AML.T0000.001 Pre-Print Repositories Demonstrated AML.T0000.002 Technical Blogs Feasible

AML.T0001 Search Open AI Vulnerability Analysis Demonstrated

AML.T0003 Search Victim-Owned Websites Demonstrated

AML.T0004 Search Application Repositories Demonstrated

AML.T0006 Active Scanning Realized

AML.T0064 Gather RAG-Indexed Targets Demonstrated

AML.T0087 Gather Victim Identity Information Realized

AML.T0095 Search Open Websites/Domains Demonstrated

AML.TA0003 Resource Development 13

ATT&CK TA0042

The adversary is trying to establish resources they can use to support operations.

AML.T0002 Acquire Public AI Artifacts Realized 2 sub

AML.T0002.000 Datasets Demonstrated AML.T0002.001 Models Demonstrated

AML.T0016 Obtain Capabilities Realized 3 sub

AML.T0016.000 Adversarial AI Attack Implementations Realized AML.T0016.001 Software Tools Realized AML.T0016.002 Generative AI Realized

AML.T0017 Develop Capabilities Realized 1 sub

AML.T0017.000 Adversarial AI Attacks Demonstrated

AML.T0008 Acquire Infrastructure Realized 6 sub

AML.T0008.000 AI Development Workspaces Demonstrated AML.T0008.001 Consumer Hardware Realized AML.T0008.002 Domains Demonstrated AML.T0008.003 Physical Countermeasures Demonstrated AML.T0008.004 Serverless Feasible AML.T0008.005 AI Service Proxies Realized

AML.T0019 Publish Poisoned Datasets Demonstrated

AML.T0020 Poison Training Data Realized

AML.T0021 Establish Accounts Realized

AML.T0058 Publish Poisoned Models Realized

AML.T0060 Publish Hallucinated Entities Demonstrated

AML.T0065 LLM Prompt Crafting Realized

AML.T0066 Retrieval Content Crafting Demonstrated

AML.T0079 Stage Capabilities Demonstrated

AML.T0104 Publish Poisoned AI Agent Tool Realized

AML.TA0004 Initial Access 7

ATT&CK TA0001

The adversary is trying to gain access to the AI system.

AML.T0010 AI Supply Chain Compromise Realized 6 sub

AML.T0010.000 Hardware Feasible AML.T0010.001 AI Software Realized AML.T0010.002 Data Realized AML.T0010.003 Model Realized AML.T0010.004 Container Registry Demonstrated AML.T0010.005 AI Agent Tool Realized

AML.T0012 Valid Accounts Realized

AML.T0015 Evade AI Model Realized

AML.T0049 Exploit Public-Facing Application Realized

AML.T0052 Phishing Realized 1 sub

AML.T0052.000 Spearphishing via Social Engineering LLM Demonstrated

AML.T0078 Drive-by Compromise Demonstrated

AML.T0093 Prompt Infiltration via Public-Facing Application Demonstrated

AML.TA0000 AI Model Access 4

The adversary is attempting to gain some level of access to an AI model.

AML.T0040 AI Model Inference API Access Realized

AML.T0047 AI-Enabled Product or Service Realized

AML.T0041 Physical Environment Access Demonstrated

AML.T0044 Full AI Model Access Demonstrated

AML.TA0005 Execution 6

ATT&CK TA0002

The adversary is trying to run malicious code embedded in AI artifacts or software.

AML.T0011 User Execution Realized 4 sub

AML.T0011.000 Unsafe AI Artifacts Realized AML.T0011.001 Malicious Package Realized AML.T0011.002 Poisoned AI Agent Tool Realized AML.T0011.003 Malicious Link Demonstrated

AML.T0050 Command and Scripting Interpreter Demonstrated

AML.T0051 LLM Prompt Injection Realized 3 sub

AML.T0051.000 Direct Realized AML.T0051.001 Indirect Demonstrated AML.T0051.002 Triggered Demonstrated

AML.T0053 AI Agent Tool Invocation Demonstrated

AML.T0100 AI Agent Clickbait Demonstrated

AML.T0103 Deploy AI Agent Realized

AML.TA0006 Persistence 9

ATT&CK TA0003

The adversary is trying to maintain their foothold via AI artifacts or software.

AML.T0020 Poison Training Data Realized

AML.T0018 Manipulate AI Model Realized 3 sub

AML.T0018.000 Poison AI Model Demonstrated AML.T0018.001 Modify AI Model Architecture Demonstrated AML.T0018.002 Embed Malware Realized

AML.T0061 LLM Prompt Self-Replication Demonstrated

AML.T0070 RAG Poisoning Demonstrated

AML.T0080 AI Agent Context Poisoning Demonstrated 2 sub

AML.T0080.000 Memory Demonstrated AML.T0080.001 Thread Demonstrated

AML.T0081 Modify AI Agent Configuration Demonstrated

AML.T0093 Prompt Infiltration via Public-Facing Application Demonstrated

AML.T0099 AI Agent Tool Data Poisoning Feasible

AML.T0110 AI Agent Tool Poisoning Realized

AML.TA0012 Privilege Escalation 4

ATT&CK TA0004

The adversary is trying to gain higher-level permissions.

AML.T0012 Valid Accounts Realized

AML.T0053 AI Agent Tool Invocation Demonstrated

AML.T0054 LLM Jailbreak Demonstrated

AML.T0105 Escape to Host Demonstrated

AML.TA0007 Defense Evasion 15

ATT&CK TA0005

The adversary is trying to avoid being detected by AI-enabled security software.

AML.T0015 Evade AI Model Realized

AML.T0054 LLM Jailbreak Demonstrated

AML.T0067 LLM Trusted Output Components Manipulation Demonstrated 1 sub

AML.T0067.000 Citations Demonstrated

AML.T0068 LLM Prompt Obfuscation Demonstrated

AML.T0071 False RAG Entry Injection Demonstrated

AML.T0073 Impersonation Realized

AML.T0074 Masquerading Realized

AML.T0076 Corrupt AI Model Realized

AML.T0081 Modify AI Agent Configuration Demonstrated

AML.T0092 Manipulate User LLM Chat History Demonstrated

AML.T0094 Delay Execution of LLM Instructions Demonstrated

AML.T0097 Virtualization/Sandbox Evasion Realized

AML.T0107 Exploitation for Defense Evasion Demonstrated

AML.T0109 AI Supply Chain Rug Pull Realized

AML.T0111 AI Supply Chain Reputation Inflation Demonstrated

AML.TA0013 Credential Access 6

ATT&CK TA0006

The adversary is trying to steal account names and passwords.

AML.T0055 Unsecured Credentials Realized

AML.T0082 RAG Credential Harvesting Demonstrated

AML.T0083 Credentials from AI Agent Configuration Demonstrated

AML.T0090 OS Credential Dumping Demonstrated

AML.T0098 AI Agent Tool Credential Harvesting Demonstrated

AML.T0106 Exploitation for Credential Access Demonstrated

AML.TA0008 Discovery 9

ATT&CK TA0007

The adversary is trying to figure out your AI environment.

AML.T0013 Discover AI Model Ontology Demonstrated

AML.T0014 Discover AI Model Family Feasible

AML.T0007 Discover AI Artifacts Demonstrated

AML.T0062 Discover LLM Hallucinations Demonstrated

AML.T0063 Discover AI Model Outputs Demonstrated

AML.T0069 Discover LLM System Information Demonstrated 3 sub

AML.T0069.000 Special Character Sets Demonstrated AML.T0069.001 System Instruction Keywords Demonstrated AML.T0069.002 System Prompt Demonstrated

AML.T0075 Cloud Service Discovery Realized

AML.T0084 Discover AI Agent Configuration Demonstrated 4 sub

AML.T0084.000 Embedded Knowledge Demonstrated AML.T0084.001 Tool Definitions Demonstrated AML.T0084.002 Activation Triggers Demonstrated AML.T0084.003 Call Chains Demonstrated

AML.T0089 Process Discovery Demonstrated

AML.TA0015 Lateral Movement 2

ATT&CK TA0008

The adversary is trying to move through your AI environment.

AML.T0052 Phishing Realized 1 sub

AML.T0052.000 Spearphishing via Social Engineering LLM Demonstrated

AML.T0091 Use Alternate Authentication Material Demonstrated 1 sub

AML.T0091.000 Application Access Token Demonstrated

AML.TA0009 Collection 4

ATT&CK TA0009

The adversary is trying to gather AI artifacts and other related information relevant to their goal.

AML.T0035 AI Artifact Collection Realized

AML.T0036 Data from Information Repositories Realized

AML.T0037 Data from Local System Realized

AML.T0085 Data from AI Services Demonstrated 2 sub

AML.T0085.000 RAG Databases Demonstrated AML.T0085.001 AI Agent Tools Demonstrated

AML.TA0001 AI Attack Staging 6

The adversary is leveraging their knowledge of and access to the target system to tailor the attack.

AML.T0005 Create Proxy AI Model Demonstrated 3 sub

AML.T0005.000 Train Proxy via Gathered AI Artifacts Demonstrated AML.T0005.001 Train Proxy via Replication Demonstrated AML.T0005.002 Use Pre-Trained Model Feasible

AML.T0018 Manipulate AI Model Realized 3 sub

AML.T0018.000 Poison AI Model Demonstrated AML.T0018.001 Modify AI Model Architecture Demonstrated AML.T0018.002 Embed Malware Realized

AML.T0042 Verify Attack Demonstrated

AML.T0043 Craft Adversarial Data Realized 5 sub

AML.T0043.000 White-Box Optimization Demonstrated AML.T0043.001 Black-Box Optimization Demonstrated AML.T0043.002 Black-Box Transfer Demonstrated AML.T0043.003 Manual Modification Realized AML.T0043.004 Insert Backdoor Trigger Demonstrated

AML.T0088 Generate Deepfakes Realized

AML.T0102 Generate Malicious Commands Realized

AML.TA0014 Command and Control 3

ATT&CK TA0011

The adversary is trying to communicate with compromised AI systems to control them.

AML.T0072 Reverse Shell Realized

AML.T0096 AI Service API Realized

AML.T0108 AI Agent Demonstrated

AML.TA0010 Exfiltration 6

ATT&CK TA0010

The adversary is trying to steal AI artifacts or other information about the AI system.

AML.T0024 Exfiltration via AI Inference API Realized 3 sub

AML.T0024.000 Infer Training Data Membership Feasible AML.T0024.001 Invert AI Model Feasible AML.T0024.002 Extract AI Model Realized

AML.T0025 Exfiltration via Cyber Means Realized

AML.T0056 Extract LLM System Prompt Feasible

AML.T0057 LLM Data Leakage Demonstrated

AML.T0077 LLM Response Rendering Demonstrated

AML.T0086 Exfiltration via AI Agent Tool Invocation Realized

AML.TA0011 Impact 9

ATT&CK TA0040

The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your AI systems and data.

AML.T0015 Evade AI Model Realized

AML.T0029 Denial of AI Service Demonstrated

AML.T0046 Spamming AI System with Chaff Data Feasible

AML.T0031 Erode AI Model Integrity Realized

AML.T0034 Cost Harvesting Feasible 3 sub

AML.T0034.000 Excessive Queries Feasible AML.T0034.001 Resource-Intensive Queries Feasible AML.T0034.002 Agentic Resource Consumption Feasible

AML.T0048 External Harms Realized 5 sub

AML.T0048.000 Financial Harm Realized AML.T0048.001 Reputational Harm Demonstrated AML.T0048.002 Societal Harm Realized AML.T0048.003 User Harm Realized AML.T0048.004 AI Intellectual Property Theft Realized

AML.T0059 Erode Dataset Integrity Demonstrated

AML.T0101 Data Destruction via AI Agent Tool Invocation Realized

AML.T0112 Machine Compromise Demonstrated 2 sub

AML.T0112.000 Local AI Agent Demonstrated AML.T0112.001 AI Artifacts Feasible

Case Studies 57

AML.CS0000 Evasion of Deep Learning Detector for Malware C&C Traffic

AML.CS0001 Botnet Domain Generation Algorithm (DGA) Detection Evasion

AML.CS0002 VirusTotal Poisoning

AML.CS0003 Bypassing Cylance's AI Malware Detection

AML.CS0004 Camera Hijack Attack on Facial Recognition System

AML.CS0005 Attack on Machine Translation Services

AML.CS0006 ClearviewAI Misconfiguration

AML.CS0007 GPT-2 Model Replication

AML.CS0008 ProofPoint Evasion

AML.CS0009 Tay Poisoning

AML.CS0010 Microsoft Azure Service Disruption

AML.CS0011 Microsoft Edge AI Evasion

AML.CS0012 Face Identification System Evasion via Physical Countermeasures

AML.CS0013 Backdoor Attack on Deep Learning Models in Mobile Apps

AML.CS0014 Confusing Antimalware Neural Networks

AML.CS0015 Compromised PyTorch Dependency Chain

AML.CS0016 Achieving Code Execution in MathGPT via Prompt Injection

AML.CS0017 Bypassing ID.me Identity Verification

AML.CS0018 Arbitrary Code Execution with Google Colab

AML.CS0019 PoisonGPT

AML.CS0020 Indirect Prompt Injection Threats: Bing Chat Data Pirate

AML.CS0021 ChatGPT Conversation Exfiltration

AML.CS0022 ChatGPT Package Hallucination

AML.CS0023 ShadowRay

AML.CS0024 Morris II Worm: RAG-Based Attack

AML.CS0025 Web-Scale Data Poisoning: Split-View Attack

AML.CS0026 Financial Transaction Hijacking with M365 Copilot as an Insider

AML.CS0027 Organization Confusion on Hugging Face

AML.CS0028 AI Model Tampering via Supply Chain Attack

AML.CS0029 Google Bard Conversation Exfiltration

AML.CS0030 LLM Jacking

AML.CS0031 Malicious Models on Hugging Face

AML.CS0032 Attempted Evasion of ML Phishing Webpage Detection System

AML.CS0033 Live Deepfake Image Injection to Evade Mobile KYC Verification

AML.CS0034 ProKYC: Deepfake Tool for Account Fraud Attacks

AML.CS0035 Data Exfiltration from Slack AI via Indirect Prompt Injection

AML.CS0036 AIKatz: Attacking LLM Desktop Applications

AML.CS0037 Data Exfiltration via Agent Tools in Copilot Studio

AML.CS0038 Planting Instructions for Delayed Automatic AI Agent Tool Invocation

AML.CS0039 Living Off AI: Prompt Injection via Jira Service Management

AML.CS0040 Hacking ChatGPT’s Memories with Prompt Injection

AML.CS0041 Rules File Backdoor: Supply Chain Attack on AI Coding Assistants

AML.CS0042 SesameOp: Novel backdoor uses OpenAI Assistants API for command and control

AML.CS0043 Malware Prototype with Embedded Prompt Injection

AML.CS0044 LAMEHUG: Malware Leveraging Dynamic AI-Generated Commands

AML.CS0045 Data Exfiltration via an MCP Server used by Cursor

AML.CS0046 Data Destruction via Indirect Prompt Injection Targeting Claude Computer-Use

AML.CS0047 Code to Deploy Destructive AI Agent Discovered in Amazon Q VS Code Extension

AML.CS0048 Exposed ClawdBot Control Interfaces Leads to Credential Access and Execution

AML.CS0049 Supply Chain Compromise via Poisoned ClawdBot Skill

AML.CS0050 OpenClaw 1-Click Remote Code Execution

AML.CS0051 OpenClaw Command & Control via Prompt Injection

AML.CS0052 LLMSmith: RCE Vulnerabilities in LLM-Integrated Applications

AML.CS0053 Poisoned Postmark MCP Server Email Exfiltration

AML.CS0054 Data Exfiltration via Remote Poisoned MCP Tool

AML.CS0055 AI ClickFix: Hijacking Computer-Use Agents Using ClickFix

AML.CS0056 Model Distillation Campaigns Targeting Anthropic Claude

Resources

ATLAS Matrix Navigator atlas-data (GitHub) SAFE-AI Report (PDF)