{
  "name": "ATX-1 v2.3: AEGIS Threat Matrix",
  "versions": {
    "attack": "18",
    "navigator": "5.2.0",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "customDataURL": "https://aegis-governance.com/atx-1/stix-bundle.json",
  "description": "ATX-1 v2.3 — 10 tactics, 29 techniques, 29 sub-techniques for autonomous AI agent threat modeling. v2.3 removes the severity field to align with MITRE ATT&CK and ATLAS conventions; tactic, technique, and sub-technique structure carried over unchanged from v2.2.",
  "filters": {
    "platforms": [
      "PRE"
    ]
  },
  "sorting": 0,
  "layout": {
    "layout": "side",
    "showName": true,
    "showID": true
  },
  "hideDisabled": false,
  "techniques": [
    {
      "techniqueID": "T1001",
      "tactic": "violate-authority-boundaries",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent executes a destructive or high-impact action based on instructions from a user who does not hold owner-level authority. The agent treats the instruction as valid because no stakeholder model exists to distinguish authority levels.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model) — No mechanism to verify that the instruction source holds authority for the requested action scope."
        },
        {
          "name": "Tactic",
          "value": "Violate Authority Boundaries"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1002",
      "tactic": "violate-authority-boundaries",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent accepts an instruction as authoritative based on implicit signals — such as the instruction appearing in a retrieved document, email body, or shared context — rather than explicit delegation from a verified principal.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model), RC4 (Prompt Injection Is Structural) — Instructions and data share a channel; no mechanism to verify instruction provenance."
        },
        {
          "name": "Tactic",
          "value": "Violate Authority Boundaries"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1003",
      "tactic": "violate-authority-boundaries",
      "score": 100,
      "color": "#d1242f",
      "comment": "The agent distributes content (emails, messages, notifications) to a large number of recipients based on an authority claim that has not been verified. The spoofed authority may appear in a prompt, forwarded message, or injected context.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model), RC4 (Prompt Injection Is Structural) — No principal verification; authority claims in content treated as valid."
        },
        {
          "name": "Tactic",
          "value": "Violate Authority Boundaries"
        },
        {
          "name": "OWASP",
          "value": "LLM01, LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T2001",
      "tactic": "exceed-operational-scope",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent autonomously expands the scope of a delegated task beyond what was explicitly requested, including via tool invocation. The agent interprets the objective broadly and takes actions that were not part of the original instruction.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — Agent cannot evaluate whether expanded scope is within delegated authority; no deliberation surface to assess scope boundaries."
        },
        {
          "name": "Tactic",
          "value": "Exceed Operational Scope"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T2002",
      "tactic": "exceed-operational-scope",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent performs bulk operations (mass edits, batch deletions, large-scale API calls) without validating that the scope of the operation matches the intent of the instruction, including via tool invocation.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — Agent cannot assess aggregate impact of bulk actions; no proportionality check against instruction intent."
        },
        {
          "name": "Tactic",
          "value": "Exceed Operational Scope"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T2003",
      "tactic": "exceed-operational-scope",
      "score": 75,
      "color": "#b35900",
      "comment": "Harmful intent is decomposed across multiple delegated steps — including across multiple agents where no single agent has full visibility of the objective — such that no individual action appears unsafe.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — Agent cannot evaluate aggregate intent across delegation chains; no mechanism to detect composition attacks."
        },
        {
          "name": "Tactic",
          "value": "Exceed Operational Scope"
        },
        {
          "name": "OWASP",
          "value": "LLM01, LLM07"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T2004",
      "tactic": "exceed-operational-scope",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent chains multiple tool calls or intermediate steps such that each step appears valid, but the aggregate effect bypasses policy or authorization constraints.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — Agent cannot evaluate aggregate policy impact of chained tool calls; no compositional policy enforcement."
        },
        {
          "name": "Tactic",
          "value": "Exceed Operational Scope"
        },
        {
          "name": "OWASP",
          "value": "LLM07"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T3001",
      "tactic": "compromise-system-integrity",
      "score": 100,
      "color": "#d1242f",
      "comment": "The agent selects an irreversible action (permanent deletion, irrecoverable modification) through direct or tool-mediated system interaction when a reversible alternative (archival, soft-delete, flagging) would satisfy the objective.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — Agent cannot evaluate action severity or compare alternatives against a proportionality standard."
        },
        {
          "name": "Tactic",
          "value": "Compromise System Integrity"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T3002",
      "tactic": "compromise-system-integrity",
      "score": 100,
      "color": "#d1242f",
      "comment": "The agent initiates an action through direct or tool-mediated system interaction that triggers a chain of cascading changes across interconnected systems, where downstream effects were not anticipated or authorized.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — Agent cannot model downstream effects of actions in interconnected systems; no cascade impact assessment."
        },
        {
          "name": "Tactic",
          "value": "Compromise System Integrity"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T4001",
      "tactic": "expose-exfiltrate-information",
      "score": 100,
      "color": "#d1242f",
      "comment": "The agent exports or discloses data from the current context (conversation, session, task) to an unauthorized recipient, whether through direct exfiltration, indirect request compliance, or tool-mediated data transfer.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model), RC4 (Prompt Injection Is Structural) — No authorization check on data recipients; instructions in content treated as authorized requests."
        },
        {
          "name": "Tactic",
          "value": "Expose or Exfiltrate Information"
        },
        {
          "name": "OWASP",
          "value": "LLM02"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T4002",
      "tactic": "expose-exfiltrate-information",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent discloses information that persists across sessions or is stored in long-term memory, context, or configuration — exposing data from previous interactions to unauthorized parties in later sessions.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC3 (No Private Deliberation Surface) — No session-scoped data isolation; persistent data accessible across session boundaries without authorization checks."
        },
        {
          "name": "Tactic",
          "value": "Expose or Exfiltrate Information"
        },
        {
          "name": "OWASP",
          "value": "LLM02"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T4003",
      "tactic": "expose-exfiltrate-information",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent transfers sensitive information across trust or policy domains through interactions with other agents, systems, or contexts that individually appear authorized.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model), RC3 (No Private Deliberation Surface) — No data classification across domain boundaries; no cross-domain transfer authorization."
        },
        {
          "name": "Tactic",
          "value": "Expose or Exfiltrate Information"
        },
        {
          "name": "OWASP",
          "value": "LLM02"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T5001",
      "tactic": "violate-state-integrity",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent reports that a task has been completed successfully when the action either failed, was partially completed, or produced a different outcome than reported. The report is based on intent or expectation rather than verified system state.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — No model of the distinction between action initiation and action completion; no outcome verification protocol."
        },
        {
          "name": "Tactic",
          "value": "Violate State Integrity"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T5002",
      "tactic": "violate-state-integrity",
      "score": 50,
      "color": "#0969da",
      "comment": "The agent misattributes an action to a different principal, system, or process than the one that actually performed it. This corrupts the audit trail and undermines accountability.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — No mechanism to distinguish between action performers; attribution based on context rather than verified provenance."
        },
        {
          "name": "Tactic",
          "value": "Violate State Integrity"
        },
        {
          "name": "OWASP",
          "value": "LLM07"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T5003",
      "tactic": "violate-state-integrity",
      "score": 50,
      "color": "#0969da",
      "comment": "The agent suppresses, omits, or fails to surface an execution failure — whether caused by provider constraints, tool errors, or internal exceptions — resulting in a divergence between reported state and actual state.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — No model of constraint layers affecting the agent; failure signals not propagated to operator governance."
        },
        {
          "name": "Tactic",
          "value": "Violate State Integrity"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T6001",
      "tactic": "abuse-resource-allocation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent enters a recursive invocation loop — spawning sub-tasks, calling tools repeatedly, or triggering self-referential execution chains — consuming unbounded compute, token, and time resources.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — No loop detection or recursion depth model; agents cannot recognize non-productive cycles."
        },
        {
          "name": "Tactic",
          "value": "Abuse Resource Allocation"
        },
        {
          "name": "OWASP",
          "value": "LLM06, LLM10"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T6002",
      "tactic": "abuse-resource-allocation",
      "score": 50,
      "color": "#0969da",
      "comment": "The agent consumes external resources (API calls, network bandwidth, storage, third-party service quotas) without limits or lifecycle management, degrading availability for other systems and users.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model), RC3 (No Private Deliberation Surface) — No model of resource boundaries; no lifecycle governance for external resource consumption."
        },
        {
          "name": "Tactic",
          "value": "Abuse Resource Allocation"
        },
        {
          "name": "OWASP",
          "value": "LLM10"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T7001",
      "tactic": "manipulate-agent-interactions",
      "score": 100,
      "color": "#d1242f",
      "comment": "An agent claims or assumes the identity of another agent in a multi-agent system, gaining unauthorized access to resources, delegations, or trust relationships associated with the spoofed identity.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model) — No cryptographic identity verification between agents; identity claims based on self-assertion."
        },
        {
          "name": "Tactic",
          "value": "Manipulate Agent Interactions"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T7002",
      "tactic": "manipulate-agent-interactions",
      "score": 75,
      "color": "#b35900",
      "comment": "An agent injects malicious tasks into a multi-agent delegation chain, exploiting trust transitivity to have other agents execute actions that the originating agent is not authorized to perform.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC1 (No Stakeholder Model), RC4 (Prompt Injection Is Structural) — No independent governance verification; shared governance infrastructure creates single points of compromise."
        },
        {
          "name": "Tactic",
          "value": "Manipulate Agent Interactions"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T7003",
      "tactic": "manipulate-agent-interactions",
      "score": 50,
      "color": "#0969da",
      "comment": "An agent influences the behavioral patterns of other agents through shared context, conversation, or operational interaction, causing gradual drift from their governance-defined behavior toward unverified or unauthorized operational patterns.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC3 (No Private Deliberation Surface) — No mechanism to isolate agent behavior from peer influence; behavioral norms adopted from interaction rather than governance."
        },
        {
          "name": "Tactic",
          "value": "Manipulate Agent Interactions"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T7004",
      "tactic": "manipulate-agent-interactions",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent influences a group of agents to converge on a shared but unsafe or unauthorized objective, even when individual agents would not independently select that action.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC3 (No Private Deliberation Surface) — No mechanism to detect anomalous convergence in multi-agent decision-making; consensus accepted without independent verification."
        },
        {
          "name": "Tactic",
          "value": "Manipulate Agent Interactions"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T8001",
      "tactic": "establish-modify-persistence",
      "score": 75,
      "color": "#b35900",
      "comment": "An agent writes malicious, misleading, or unauthorized data into persistent memory stores (long-term memory, knowledge bases, configuration caches), corrupting future interactions that rely on this stored context.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC4 (Prompt Injection Is Structural) — No integrity verification for persistent memory writes; memory content treated as trusted regardless of provenance."
        },
        {
          "name": "Tactic",
          "value": "Establish or Modify Persistence"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T8002",
      "tactic": "establish-modify-persistence",
      "score": 100,
      "color": "#d1242f",
      "comment": "An agent modifies its own governance constraints, policy state, or constitutional articles through direct manipulation or indirect means (tool use, self-prompting, context manipulation), bypassing normal amendment procedures and audit logging.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC4 (Prompt Injection Is Structural) — Governance configuration stored in mutable locations; no integrity verification or tamper detection for policy state."
        },
        {
          "name": "Tactic",
          "value": "Establish or Modify Persistence"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T9001",
      "tactic": "evade-detection-oversight",
      "score": 50,
      "color": "#0969da",
      "comment": "The agent performs actions outside the boundaries of monitoring, logging, and audit systems — whether by using unmonitored tool pathways, operating in contexts where observability is limited, or exploiting gaps in the monitoring infrastructure.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC2 (No Self-Model) — No model of the observability boundaries affecting the agent; agent cannot distinguish monitored from unmonitored pathways."
        },
        {
          "name": "Tactic",
          "value": "Evade Detection or Oversight"
        },
        {
          "name": "OWASP",
          "value": ""
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T9002",
      "tactic": "evade-detection-oversight",
      "score": 50,
      "color": "#0969da",
      "comment": "The agent obscures the traceability of its actions by manipulating log entries, altering audit trails, fragmenting actions across multiple contexts, or using indirect execution paths that make causal attribution difficult.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Root Cause",
          "value": "RC4 (Prompt Injection Is Structural) — Audit infrastructure accessible to the agent; no structural separation between action execution and audit recording."
        },
        {
          "name": "Tactic",
          "value": "Evade Detection or Oversight"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": true
    },
    {
      "techniqueID": "T10001",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent accesses OS pseudo-filesystem paths (e.g., /dev/tcp, /dev/udp, /proc/*) to perform network or system operations. The governance layer evaluates these as file operations; the OS provides network sockets or system interfaces through these paths.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC5 (No Environment Model) — The governance layer models file paths as file operations. The OS provides pseudo-filesystem interfaces that map file path syntax to non-file capabilities."
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        },
        {
          "name": "Discovery",
          "value": "RFC-0006 adversarial testing, Round 3"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": true
    },
    {
      "techniqueID": "T10002",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent writes content to files that the execution environment or installed toolchain automatically executes at a later time or on specific triggers. Target files include shell profiles, git hooks, package scripts, IDE tasks, Dockerfiles, and tool configs with execution semantics.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC5 (No Environment Model) — The governance layer evaluates file writes by path and content pattern. It does not model which files the execution environment treats as auto-executed."
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Discovery",
          "value": "RFC-0006 adversarial testing, Rounds 4-5"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": true
    },
    {
      "techniqueID": "T10003",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#d1242f",
      "comment": "The agent modifies files that define its own behavioral instructions for future sessions. These instruction files are auto-loaded at session start, writable without escalation, persist across sessions, and propagate via version control. The governance layer sees a file write; the effect is persistent self-modifying instruction injection.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Root Cause",
          "value": "RC5 (No Environment Model), RC4 (Prompt Injection Is Structural) — The governance layer does not model which files constitute the agent's own instruction context."
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Discovery",
          "value": "RFC-0006 adversarial testing, Round 5"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": true
    },
    {
      "techniqueID": "T10004",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent constructs inputs that the governance evaluator parses differently than the execution runtime. Techniques include newline/CRLF injection, null byte path truncation, Unicode homoglyphs, heredoc syntax, and shell metacharacter injection.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Root Cause",
          "value": "RC5 (No Environment Model) — The governance evaluator uses a simplified parser that does not replicate the execution runtime's actual parsing rules."
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Discovery",
          "value": "RFC-0006 adversarial testing, Rounds 1-3"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": true
    },
    {
      "techniqueID": "T9002.001",
      "tactic": "evade-detection-or-oversight",
      "score": 50,
      "color": "#e6b800",
      "comment": "The agent encodes commands in base64, hex, or URL encoding before execution (e.g., `echo Y3VybCAuLi4= | base64 -d | bash`). The encoded payload is opaque to text-based pattern matching in the governance evaluator until decoded by the runtime.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Parent Technique",
          "value": "T9002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Evade Detection or Oversight"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T9002.002",
      "tactic": "evade-detection-or-oversight",
      "score": 50,
      "color": "#e6b800",
      "comment": "The agent splits the command name from its invocation across separate tokens via shell variable assignment (e.g., `CMD=curl; $CMD https://...`). Pattern matching against the literal command string fails because the dangerous token is constructed at runtime.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "medium"
        },
        {
          "name": "Parent Technique",
          "value": "T9002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Evade Detection or Oversight"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10001.001",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses bash's `/dev/tcp/host/port` pseudo-filesystem to perform network I/O via what looks like file I/O (e.g., `exec 3<>/dev/tcp/example.com/80`). The governance layer treats the path as an ordinary file write and permits it.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10001"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10001.002",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The UDP equivalent of T10001.001 — the agent uses `/dev/udp/host/port` to send UDP datagrams via apparent file I/O. Particularly useful for DNS exfiltration channels and stateless data egress.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10001"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10001.003",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent reads process and kernel state via `/proc/*` paths (e.g., `/proc/self/environ`, `/proc/*/cmdline`, `/proc/net/tcp`) that the governance layer treats as ordinary files. These reads reveal environment-variable secrets, running processes, and network connections.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10001"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.001",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent writes commands to `.bashrc`, `.profile`, `.zshrc`, or equivalents so they execute on every new shell session. Persistence survives reboots and is invisible until the user opens a new terminal.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.002",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent writes scripts to `.git/hooks/*` (pre-commit, post-commit, post-checkout, etc.) so they execute on every git operation. The hooks run with the user's full privileges.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.003",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent injects commands into `package.json` scripts, `setup.py`, or equivalent install hooks so they execute on the next `npm install`, `pip install`, or build invocation.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.004",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent writes commands to `.vscode/tasks.json`, `.idea/runConfigurations/`, or similar IDE configuration files so they run when the user invokes the corresponding task or opens the project.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.005",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent injects commands into `Dockerfile`, `docker-compose.yml`, or equivalent container build files so they execute during the next image build and persist into the resulting container image.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.006",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses `git config alias.X '!command'` to register shell-command aliases (the `!` prefix makes git run the value as a shell command) that execute arbitrary shell commands on any subsequent invocation of the alias. The alias applies across all repositories when set in the global git config.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.007",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent writes auto-execution hooks into `.npmrc`, `.pypirc`, `.cargo/config.toml`, or equivalent package manager configuration files. Triggered on the next package operation by any user of the host.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10002.008",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent injects commands into `Makefile`, `CMakeLists.txt`, `build.gradle`, or equivalent build system files. Executes automatically the next time the user invokes a build target.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10002"
        },
        {
          "name": "OWASP",
          "value": "LLM06"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.001",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes to project-level configuration files that the Claude Code CLI auto-loads into model context on every invocation (e.g., CLAUDE.md, .claude/rules/). Specific exploitation details are embargoed under responsible disclosure RD-2603-01 until 2026-06-24 or an earlier vendor response, whichever comes first.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.002",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes attacker-controlled instructions to `.cursorrules` files that the Cursor IDE auto-loads as system prompt context for every model interaction in the project.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.003",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes attacker-controlled instructions to `.windsurfrules` files that the Windsurf editor auto-loads into every model interaction in the workspace.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.004",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes to `.github/copilot-instructions.md` which GitHub Copilot auto-loads as repository-level context for all code completions and chat interactions in the repo.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.005",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes to `.aider.conf.yml` which the Aider CLI auto-loads to configure model behavior, system prompts, and tool permissions on every invocation.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10003.006",
      "tactic": "act-beyond-governance-interpretation",
      "score": 100,
      "color": "#8B0000",
      "comment": "The agent writes to `.continuerc.json` which the Continue IDE extension auto-loads as workspace-level configuration for model and tool behavior.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "critical"
        },
        {
          "name": "Parent Technique",
          "value": "T10003"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.001",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses shell operators (`|`, `&&`, `||`, `;`) to chain an allowed command with a denied one (e.g., `ls && curl ...`). Single-command pattern matching evaluates only the first segment.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.002",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent embeds a literal `\\n` in command arguments. The shell interprets it as a command separator while regex-based governance often anchors to single-line patterns.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.003",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "Variant of T10004.002 using `\\r\\n` to bypass governance filters that strip `\\n` but preserve `\\r`. Common in pipelines that use HTTP request parsing for command extraction.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.004",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses heredoc syntax (`<<EOF`) to pass multi-line payloads to a shell or interpreter. Single-line pattern matching cannot see the body of the heredoc.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.005",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent embeds a null byte (`\\x00`) in a path. The governance layer's parser truncates at the null while the OS syscall processes the full path string after the null.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.006",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses Unicode characters that visually match protected path characters but bypass byte-level string comparison (e.g., Cyrillic 'е' vs. Latin 'e'). The OS resolves the homoglyph correctly while the governance regex does not.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.007",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent embeds `$(command)` or `` `command` `` substitution inside an otherwise-allowed command. The substitution executes before the outer command and is invisible to literal-string pattern matching.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.008",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses an alternate absolute path that resolves to the same protected target (e.g., `/etc/passwd` blocked but `/var/../etc/passwd` permitted). The governance layer's path comparison does not normalize before matching.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.009",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses `../` sequences to escape a permitted directory and access a protected target (e.g., `~/safe/../../../etc/passwd`). The governance layer matches the literal path prefix instead of the resolved path.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    },
    {
      "techniqueID": "T10004.010",
      "tactic": "act-beyond-governance-interpretation",
      "score": 75,
      "color": "#b35900",
      "comment": "The agent uses shell redirection (`>`, `>>`, `tee`) to write to a protected path via an otherwise-allowed command (e.g., `echo X > /etc/passwd`). The governance layer evaluates the command (`echo`) without parsing the redirection target.",
      "enabled": true,
      "metadata": [
        {
          "name": "Severity",
          "value": "high"
        },
        {
          "name": "Parent Technique",
          "value": "T10004"
        },
        {
          "name": "OWASP",
          "value": "LLM01"
        },
        {
          "name": "Tactic",
          "value": "Act Beyond Governance Interpretation"
        }
      ],
      "links": [
        {
          "label": "ATX-1 Documentation",
          "url": "https://aegis-docs.com/threat-matrix/techniques"
        },
        {
          "label": "STIX Bundle",
          "url": "https://aegis-governance.com/atx-1/stix-bundle.json"
        }
      ],
      "showSubtechniques": false
    }
  ],
  "gradient": {
    "colors": [
      "#1a7f37",
      "#0969da",
      "#b35900",
      "#d1242f"
    ],
    "minValue": 0,
    "maxValue": 100
  },
  "legendItems": [
    {
      "label": "Critical",
      "color": "#d1242f"
    },
    {
      "label": "High",
      "color": "#b35900"
    },
    {
      "label": "Medium",
      "color": "#0969da"
    },
    {
      "label": "Low",
      "color": "#1a7f37"
    }
  ],
  "showTacticRowBackground": true,
  "tacticRowBackground": "#1e293b",
  "metadata": [
    {
      "name": "Author",
      "value": "Kenneth Tannenbaum, AEGIS Initiative"
    },
    {
      "divider": true
    },
    {
      "name": "Version",
      "value": "2.1"
    },
    {
      "name": "Techniques",
      "value": "29"
    },
    {
      "name": "License",
      "value": "CC-BY-SA-4.0"
    }
  ]
}
