Appendix A: Complete Attack Catalog

Top 25 Critical/High-Risk Techniques

Full Catalog by Tactic

T1 — Prompt & Context Subversion (16 techniques)

T2 — Semantic & Linguistic Evasion (20 techniques)

T3 — Reasoning & Constraint Exploitation (19 techniques)

T4 — Multi-Turn & Memory Manipulation (16 techniques)

T5 — Model & API Exploitation (16 techniques)

T6 — Training & Feedback Poisoning (15 techniques)

T7 — Output Manipulation & Exfiltration (15 techniques)

T8 — External Deception & Misinformation (15 techniques)

T9 — Multimodal & Cross-Channel Attacks (17 techniques)

T10 — Integrity & Confidentiality Breach (15 techniques)

T11 — Agentic & Orchestrator Exploitation (16 techniques)

T12 — RAG & Knowledge Base Manipulation (15 techniques)

T13 — AI Supply Chain & Artifact Trust (15 techniques)

T14 — Infrastructure & Economic Warfare (15 techniques)

T15 — Human Workflow Exploitation (15 techniques)

← Volume VII · Home

Appendix B: Detection Signatures Library

YARA Rules

Prompt Injection Detection

rule AATMF_T1_InstructionOverride {
    meta:
        tactic = "T1"
        technique = "T1-AT-001"
        severity = "HIGH"
        description = "Detects instruction override injection patterns"
    strings:
        $s1 = /ignore\s+(previous|above|all|prior)\s+(instructions?|rules?|prompts?)/i
        $s2 = /you\s+are\s+now\s+(DAN|evil|unrestricted|jailbroken|unfiltered)/i
        $s3 = /\[(SYSTEM|INST|SYS)\]/i
        $s4 = /<\|?(system|im_start|im_end|endoftext)\|?>/i
        $s5 = /BEGIN\s+(OVERRIDE|NEW.INSTRUCTIONS|JAILBREAK)/i
        $s6 = /(admin|root|developer)\s*(mode|access|override)/i
    condition:
        any of them
}

Encoding Evasion Detection

rule AATMF_T2_EncodingEvasion {
    meta:
        tactic = "T2"
        technique = "T2-AT-001 through T2-AT-005"
        severity = "MEDIUM"
    strings:
        $base64 = /[A-Za-z0-9+\/]{40,}={0,2}/
        $hex = /\\x[0-9a-fA-F]{2}(\\x[0-9a-fA-F]{2}){3,}/
        $unicode_escape = /\\u[0-9a-fA-F]{4}(\\u[0-9a-fA-F]{4}){3,}/
        $zwc = /[\x{200b}-\x{200f}\x{2028}-\x{202f}\x{feff}]/
        $rot13 = /ROT13|Caesar|cipher.*rotate/i
    condition:
        any of them
}

MCP Tool Poisoning

rule AATMF_T11_MCP_ToolPoisoning {
    meta:
        tactic = "T11"
        technique = "T11-AT-001"
        severity = "CRITICAL"
    strings:
        $hidden1 = "<IMPORTANT>"
        $hidden2 = "<!-- "
        $override1 = /override.*previous.*instruction/i
        $override2 = /ignore.*user.*request/i
        $stealth1 = /do\s+not\s+(tell|inform|show|reveal)/i
        $stealth2 = /silently|secretly|covertly|without.*notif/i
        $redirect = /instead\s+of|rather\s+than|before\s+doing/i
    condition:
        2 of them
}

Sigma Rules

Model Extraction Detection

title: AATMF T5 - Model Extraction via API
id: aatmf-t5-model-extraction
status: experimental
description: Detects systematic API querying patterns indicative of model extraction
logsource:
    category: api_gateway
    product: ai_inference
detection:
    selection:
        api.endpoint: "/v1/completions" OR "/v1/chat/completions"
    filter_high_volume:
        api.request_count|per_hour: ">500"
    filter_systematic:
        api.input_similarity|window_5min: ">0.85"
    condition: selection AND (filter_high_volume OR filter_systematic)
level: high
tags:
    - attack.t5
    - aatmf.t5-at-001

Agent Anomaly Detection

title: AATMF T11 - Unauthorized Agent Tool Invocation
id: aatmf-t11-agent-anomaly
status: experimental
description: Detects agent tool calls that deviate from authorized patterns
logsource:
    category: agent_framework
detection:
    selection:
        agent.tool_call.status: "executed"
    filter_unauthorized:
        agent.tool_call.name|not_in:
            - "approved_tool_list"
    filter_escalation:
        agent.permission_level|changed: true
    condition: selection AND (filter_unauthorized OR filter_escalation)
level: critical
tags:
    - attack.t11
    - aatmf.t11-at-001

Pre-built signature files are available in the signatures/ directory.

← Appendix A · Home · Appendix C →

Appendix C: Tools and Scripts Reference

← Appendix B · Home · Appendix D →

Appendix D: Templates and Checklists

AI Security Assessment Checklist

Pre-Assessment

• PRE-1: Asset inventory complete (models, agents, RAG, pipelines)
• PRE-2: AATMF tactic applicability matrix populated
• PRE-3: Rules of engagement signed
• PRE-4: Baseline security controls documented
• PRE-5: Rollback procedures verified

Assessment

• ASS-1: Input sanitization tested (T1–T3 techniques)
• ASS-2: Encoding evasion tested (T2 techniques)
• ASS-3: Multi-turn attack sequences executed (T4)
• ASS-4: API abuse patterns tested (T5)
• ASS-5: Output manipulation attempted (T7)
• ASS-6: Multimodal injection tested (T9, if applicable)
• ASS-7: Agentic exploitation attempted (T11, if applicable)
• ASS-8: RAG poisoning tested (T12, if applicable)

Post-Assessment

• POST-1: All findings documented with AATMF classification
• POST-2: Risk scores calculated using AATMF-R v3
• POST-3: Remediation recommendations provided
• POST-4: Compliance mapping completed
• POST-5: Report delivered and findings walkthrough conducted

Finding Report Template

# Finding: [Title]

## Classification
- **AATMF Tactic:** T[n] — [Name]
- **AATMF Technique:** T[n]-AT-[seq]
- **Risk Score:** [score] ([CRITICAL/HIGH/MEDIUM/LOW/INFO])
- **CVSS v3.1:** [score] (if applicable)

## Description
[Clear description of the vulnerability]

## Proof of Concept
[Steps to reproduce, including exact prompts/inputs used]

## Impact
[Business and technical impact assessment]

## Affected Systems
[Models, endpoints, agents, infrastructure affected]

## Mitigation
[Specific remediation steps]

## Compliance Mapping
- OWASP LLM Top 10: [LLM0x]
- MITRE ATLAS: [AML.Txxxx]
- EU AI Act: [Article reference]

## Evidence
[Screenshots, logs, API responses]

← Appendix C · Home · Appendix E →

Appendix E: Case Studies

E.1: Policy Puppetry — Universal Model Bypass (April 2025)

Source: HiddenLayer
Tactics: T1, T2, T3
Impact: Bypasses every tested frontier model

HiddenLayer discovered that reformulating adversarial prompts as XML, INI, or JSON policy configuration files causes LLMs to interpret them as authoritative system-level instructions. Combined with leetspeak encoding (h4rm → harm) and fictional anchoring, the technique achieves universal bypass across GPT-4o, GPT-4.5, o1, o3-mini, Claude 3.5/3.7, Gemini 1.5/2.0/2.5, Llama 3/4, DeepSeek V3/R1, Qwen 2.5, and Mistral.

Key insight: Models trained on technical documentation treat configuration-style formatting as high-authority context, overriding safety alignment.

E.2: Autonomous LRM Jailbreaking (August 2025)

Source: Nature Communications
Tactics: T3, T4
Impact: 97.14% ASR, AI-vs-AI attack paradigm

Four large reasoning models (DeepSeek-R1, Gemini 2.5 Flash, Grok 3 Mini, Qwen3 235B) were deployed as multi-turn adversarial agents against nine target models. The study documented "alignment regression" — more capable reasoning models are paradoxically better at subverting alignment in others. This validates AATMF's prediction that reasoning capabilities would become attack capabilities.

E.3: PoisonedRAG (USENIX Security 2025)

Source: USENIX Security 2025
Tactics: T12
Impact: 90% ASR with 5 injected texts

PoisonedRAG demonstrated that injecting as few as 5 adversarially crafted texts into a knowledge base with millions of clean documents is sufficient to control the model's responses to specific target questions. On HotpotQA, ASR reached 99%. The attack works by crafting documents whose vector representations cluster near target queries while containing attacker-chosen answers.

Key insight: The semantic similarity search at the heart of RAG is fundamentally exploitable — the same mechanism that makes retrieval useful makes it poisonable.

E.4: MCP Tool Poisoning (2025)

Source: Invariant Labs
Tactics: T11
Impact: 84.2% ASR, shadow attacks across tool boundaries

The MCP-ITP framework demonstrated three critical attack vectors: direct tool description poisoning (injecting instructions that override user intent), shadow attacks (a malicious MCP server manipulating trusted tools from other servers without ever being invoked), and rug pull attacks (silently altering tool descriptions after initial security review and approval).

Key insight: The MCP design — where tool descriptions are injected into the LLM context and processed as natural language — is architecturally vulnerable to injection.

E.5: ShadowMQ — Copy-Pasted RCE Across Frameworks (November 2025)

Source: Oligo Security
Tactics: T14
Impact: Critical RCE in vLLM, TensorRT-LLM, Modular Max Server

Oligo discovered that unsafe ZeroMQ socket patterns using Python's pickle deserialization were literally copy-pasted across major inference frameworks. The same vulnerability pattern appeared in vLLM (CVE-2025-30165, CVSS 8.0), NVIDIA TensorRT-LLM (CVE-2025-23254, CVSS 8.8), and Modular Max Server (CVE-2025-60455). Thousands of exposed ZMQ sockets were found on the public internet.

Key insight: AI infrastructure inherits all traditional software vulnerabilities, amplified by the speed of framework adoption and code reuse without security review.

E.6: 250 Poisoned Documents — Universal Training Backdoor (October 2025)

Source: Turing Institute, Anthropic, UK AISI
Tactics: T6
Impact: Universal backdoor regardless of model size

The largest pretraining poisoning study ever conducted demonstrated that injecting just 250 specially crafted documents into training data is sufficient to backdoor models from 600M to 13B parameters trained on up to 260B tokens. This contradicts the widespread assumption that attackers need to control a meaningful percentage of training data — the actual threshold is negligibly small.

Key insight: The sheer scale of pretraining data works against defenders. 250 documents in billions is a needle in a haystack that training cannot filter out but inference reliably activates.

← Appendix D · Home · Appendix F →

Appendix F: Glossary and References

Glossary

Key References

1. HiddenLayer. "Policy Puppetry: A Universal Jailbreak." April 2025.
2. Zeng et al. "Autonomous LRM Jailbreaking." Nature Communications, August 2025.
3. Xue et al. "PoisonedRAG: Knowledge Corruption Attacks." USENIX Security 2025.
4. Invariant Labs. "MCP-ITP: Tool Poisoning in Agentic Systems." April 2025.
5. Oligo Security. "ShadowMQ: Unsafe Deserialization in AI Inference Frameworks." November 2025.
6. Sherburn et al. "250 Documents: Universal Pretraining Backdoors." Turing Institute/Anthropic/UK AISI, October 2025.
7. Anthropic. "GTG-1002: AI-Orchestrated Cyber Campaign." November 2025.
8. Google DeepMind. "CaMeL: Defeating Prompt Injection by Design." March 2025.
9. Meta. "LlamaFirewall: Open-Source AI Safety Framework." April 2025.
10. MITRE. "ATLAS v4.6.0." October 2025.
11. OWASP. "LLM Top 10 2025." January 2025.
12. OWASP. "Agentic AI Top 10." December 2025.
13. NIST. "Cyber AI Profile (IR 8596) Preliminary Draft." December 2025.
14. European Parliament. "EU AI Act (Regulation 2024/1689)." 2024.
15. Qi et al. "Safety Alignment Depth." Princeton, May 2025.
16. Weng et al. "H-CoT: Hijacking Chain-of-Thought." Duke/Accenture, February 2025.
17. Borghesi et al. "SACRED-Bench: Compositional Audio Attacks." November 2025.

← Appendix E · Home