the LLM ATT&CK navigator.
Where does AI actually move the needle for an adversary — and where is it still hype? This is ankya's living map of AI-enabled cyber threats across two surfaces: AI wielded as a weapon against the classic intrusion lifecycle and AI itself as a target. Every cell is graded by the uplift we assess today. Select any technique to read the analysis.
MITRE ATT&CK® · MITRE ATLAS™ · ANKYA ANALYTIC OVERLAY · GRADED 0–4 · ASSESSMENT v2026.06
two surfaces, one map.
a judgement, stated plainly.
Tactics and technique identifiers are drawn from MITRE ATT&CK® (Enterprise) and MITRE ATLAS™. The 0–4 grade on each cell is ankya's analytic overlay — a judgement of how materially current large language models change an adversary's cost, speed, scale or reach for that technique, weighted toward observed, attributed activity over speculation. It is not a MITRE rating.
The picture moves quickly; treat it as a snapshot for orientation, not a control inventory. Where the public matrices don't yet name a pattern we are seeing, we assign a synthetic identifier and say so.
Every grade, analysis and field signal as JSON — pipe it into your own tooling. Same source the page renders, so it never drifts.
Import the “AI as weapon” grades straight into MITRE's own Navigator tool and overlay them on your coverage maps.
Assessment log
- v2026.06: Initial public release — 50 techniques graded across ATT&CK and ATLAS.
AI as weapon — uplift to the intrusion lifecycle
Reconnaissance · TA0043
T1589 — Gather Victim Identity Info · High uplift
LLMs collapse hours of manual OSINT into seconds — correlating leaked records, social graphs and public filings into a ranked target dossier, then drafting the angle of approach.
Field signal: GTIG and model-provider reports attribute live victim-research use to multiple state-linked actors.
Defence: Reduce public attack surface; monitor for unusual enumeration of staff identity data and credential-stuffing precursors.
T1598 — Phishing for Information · High uplift
Pretext generation is near-free. Models produce fluent, context-aware, locally idiomatic elicitation messages tuned to a specific role or vendor relationship.
Field signal: Provider disclosures show actors iterating lures and translations through commercial and jailbroken models.
Defence: Out-of-band verification for any information request; brief staff that fluency is no longer a tell.
T1591 — Gather Victim Org Information · Moderate uplift
Summarisation of sprawling corporate footprints — supply chains, tooling, org charts — into an exploitable map.
Field signal: Routinely observed as a productivity aid rather than a novel capability.
Defence: Govern what business detail is exposed in job ads, repos and vendor pages.
Resource Development · TA0042
T1585 — Establish Accounts (Synthetic Personas) · Critical uplift
Generative media manufactures convincing personas at scale — coherent histories, voice, video and writing style — enabling long-con infiltration and fraudulent employment.
Field signal: Nation-state insider-placement campaigns increasingly lean on AI-forged identities and deepfake-assisted interviews.
Defence: Liveness and provenance checks in hiring and KYC; treat remote-only identity assurance as a control, not a formality.
T1587 — Develop Capabilities (Malware) · High uplift
Models scaffold tooling, port exploits between languages and explain unfamiliar code — compressing the skill and time floor for capable-enough malware.
Field signal: Jailbroken 'dark' LLM services are marketed specifically for malware and BEC support.
Defence: Assume faster variant turnover; weight behavioural detection over signature freshness.
T1588 — Obtain Capabilities · Moderate uplift
Faster triage of which public exploits and tools fit a given target stack.
Field signal: Incremental efficiency gain.
Defence: Patch velocity on internet-facing assets remains the dominant control.
Initial Access · TA0001
T1566 — Phishing · Critical uplift
The best-evidenced uplift anywhere on this matrix. Flawless grammar, per-recipient tailoring and volume together push campaign success rates up while erasing the classic linguistic red flags.
Field signal: Microsoft/OpenAI and ENISA reporting tie measurable improvements in large-scale phishing to generative tooling.
Defence: Phishing-resistant MFA (FIDO2); move detection from content heuristics to behaviour, sender reputation and protocol signals.
T1566.004 — Spearphishing Voice (Vishing) · Critical uplift
Real-time voice cloning turns help-desk and approval workflows into a fast foothold that sidesteps endpoint controls entirely.
Field signal: Deepfake-assisted help-desk fraud is now a recurring root cause in major intrusions.
Defence: Callback verification, code phrases and hard limits on what voice alone can authorise.
T1199 — Trusted Relationship · Moderate uplift
AI sharpens the pretext for abusing a partner or supplier channel, though access still hinges on the underlying trust path.
Field signal: Supporting role within social-engineering chains.
Defence: Scope and monitor third-party access; least privilege on federated trust.
Execution · TA0002
T1059 — Command & Scripting Interpreter · High uplift
Malware can generate its commands on demand from a model at runtime, fitting actions to the exact host it lands on rather than shipping fixed scripts.
Field signal: LAMEHUG issues live LLM queries to synthesise system commands tailored to the local environment.
Defence: Constrain interpreter use; alert on processes reaching out to LLM provider endpoints unexpectedly.
T1204 — User Execution · Moderate uplift
More persuasive decoys and instructions raise the odds a user runs the payload.
Field signal: Amplifies the social half of the chain.
Defence: Application control and MOTW enforcement on delivered content.
T1106 — Native API · Emerging uplift
Marginal — AI helps author the code, but the technique itself is unchanged.
Field signal: Low direct uplift.
Defence: Standard EDR behavioural coverage.
Persistence · TA0003
T1136 — Create Account · Moderate uplift
AI helps craft plausible account names and supporting artefacts that blend into directory noise.
Field signal: Supporting, not transformative.
Defence: Alert on new privileged accounts; tie creation to change tickets.
T1547 — Boot/Logon Autostart · Emerging uplift
Code-authoring help only; mechanics are well-trodden and well-detected.
Field signal: Low direct uplift.
Defence: Baseline autostart locations and monitor for drift.
Privilege Escalation · TA0004
T1068 — Exploitation for Priv-Esc · Moderate uplift
Models accelerate vulnerability research and PoC drafting, but reliable end-to-end exploitation under real conditions is still uneven — a research aid more than an autonomous capability.
Field signal: Academic agents show progress on guided exploitation; field reliability lags the demos.
Defence: Privilege hygiene and rapid patching blunt most of the gain.
T1548 — Abuse Elevation Control · Emerging uplift
Minimal change to a heavily-instrumented technique.
Field signal: Low direct uplift.
Defence: Enforce UAC/sudo policy; monitor elevation events.
Defense Evasion · TA0005
T1027 — Obfuscated / Polymorphic Code · Critical uplift
A genuinely novel pattern: malware that calls an LLM to rewrite or regenerate its own code each run, defeating static signatures by never holding still.
Field signal: PROMPTFLUX morphs itself via live model queries; PROMPTSTEAL/LAMEHUG query LLMs mid-execution.
Defence: Lean on runtime behaviour and egress analysis; flag binaries that contact model APIs.
T1059.LOTL — AI-Assisted Living-off-the-Land · High uplift · ankya synthetic ID
Models generate native commands shaped to mimic legitimate admin activity, raising the cost of separating malicious from routine.
Field signal: Forecast and early-observed as a 2026 evasion staple.
Defence: Command-line telemetry with anomaly baselining; constrain admin tooling reach.
T1620 — Reflective Code Loading · Moderate uplift
AI eases in-memory loader development, but the detection surface is unchanged.
Field signal: Indirect uplift.
Defence: Memory-scanning EDR and AMSI coverage.
Credential Access · TA0006
T1110 — Brute Force · Moderate uplift
ML-guided guessing and smarter wordlist generation improve hit-rates against weak and reused secrets.
Field signal: Identity remains the dominant intrusion vector; passwords still anchor most identity attacks.
Defence: Phishing-resistant MFA, passkeys and breached-password screening.
T1056 — Input Capture · Emerging uplift
Little change to the technique itself.
Field signal: Low direct uplift.
Defence: EDR keylogger detection; isolate credential entry.
Discovery · TA0007
T1083 — File & Directory Discovery · Moderate uplift
Once inside, models triage vast collections quickly — surfacing the crown-jewel data among noise far faster than manual review.
Field signal: Reported abuse of AI inside compromised environments to find what matters.
Defence: Data classification and access logging on sensitive stores.
T1087 — Account Discovery · Moderate uplift
Summarisation of directory and group structure into an attack path.
Field signal: Efficiency gain within hands-on-keyboard operations.
Defence: Tiered admin model; monitor directory enumeration.
T1057 — Process Discovery · Emerging uplift
Marginal.
Field signal: Low direct uplift.
Defence: Standard host telemetry.
Lateral Movement · TA0008
T1021 — Remote Services · Moderate uplift
Research shows LLM agents can plan and partly execute multi-host movement; reliability and stealth in real networks remain the gating factors.
Field signal: Feasibility demonstrated in controlled multi-host studies.
Defence: Segmentation, just-in-time access and east-west monitoring.
T1210 — Exploitation of Remote Services · Moderate uplift
AI-accelerated exploit selection feeds movement, bounded by the same exploitation-reliability ceiling.
Field signal: Emerging.
Defence: Internal patching and service hardening.
Collection · TA0009
T1119 — Automated Collection · High uplift
Models prioritise and summarise as they gather — turning bulk theft into curated, intelligence-led collection of the highest-value material first.
Field signal: Attackers reported using LLMs to mine stolen data for what is worth taking.
Defence: DLP on egress; honeytokens in sensitive repositories.
T1114 — Email Collection · Moderate uplift
Rapid synthesis of mailbox contents into actionable leverage or onward pretexts.
Field signal: Supporting capability.
Defence: Mailbox access auditing; anomalous bulk-read alerts.
T1213 — Data from Information Repositories · Moderate uplift
Semantic search across wikis and ticketing turns sprawl into targeted extraction.
Field signal: Efficiency gain.
Defence: Least privilege and logging on knowledge stores.
Command & Control · TA0011
T1102 — Web Service (LLM API as Channel) · High uplift
Legitimate model-provider APIs double as a covert decision-and-command channel — traffic to a trusted AI endpoint looks unremarkable and rides existing allow-lists.
Field signal: PROMPTFLUX / LAMEHUG-class malware reach back to public LLM APIs at runtime.
Defence: Treat model-API egress as sensitive; baseline which hosts should ever talk to it.
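One way to act on the model-API egress defences listed under T1059, T1027 and T1102, as an added example that is not ankya's own tooling: baseline which (host, process) pairs contact model-provider APIs in a known-good window, then flag any pair outside it. The log format, the watch list of domains and all host and process names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed watch list of model-provider API hostnames; maintain your own.
MODEL_API_DOMAINS = ("api.openai.com", "api.anthropic.com",
                     "api-inference.huggingface.co")
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dest=(?P<dest>\S+)")

def is_model_api(dest):
    """True if dest is a watched domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in MODEL_API_DOMAINS)

def parse(lines):
    """Yield (ts, host, proc, dest) for well-formed lines that hit a model API."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_model_api(m["dest"]):
            yield m["ts"], m["host"], m["proc"].lower(), m["dest"].lower()

def build_baseline(lines):
    """(host, process) pairs seen talking to model APIs in a known-good window."""
    return {(host, proc) for _, host, proc, _ in parse(lines)}

def flag_unexpected(lines, baseline):
    """Return one alert per (host, process, dest) not covered by the baseline."""
    hits, first_seen = Counter(), {}
    for ts, host, proc, dest in parse(lines):
        if (host, proc) in baseline:
            continue
        key = (host, proc, dest)
        hits[key] += 1
        first_seen.setdefault(key, ts)
    return [{"host": h, "process": p, "dest": d,
             "first_seen": first_seen[(h, p, d)], "count": n}
            for (h, p, d), n in sorted(hits.items())]

# Constructed sample data, not real telemetry.
BASELINE_WINDOW = [
    "2026-06-01T09:00:03Z host=ws-014 proc=chrome.exe dest=api.openai.com",
    "2026-06-01T09:05:41Z host=build-02 proc=python3 dest=api.anthropic.com",
]
TODAY = [
    "2026-06-02T10:11:00Z host=ws-014 proc=chrome.exe dest=api.openai.com",
    "2026-06-02T10:12:19Z host=fs-01 proc=svc_update.exe dest=api-inference.huggingface.co",
    "2026-06-02T10:12:49Z host=fs-01 proc=svc_update.exe dest=api-inference.huggingface.co",
    "2026-06-02T10:13:02Z host=ws-014 proc=powershell.exe dest=API.OpenAI.com",
    "2026-06-02T10:14:00Z host=ws-020 proc=chrome.exe dest=example.org",
]

if __name__ == "__main__":
    for alert in flag_unexpected(TODAY, build_baseline(BASELINE_WINDOW)):
        print(alert)
```

The baseline keys on the process as well as the host, so a workstation whose browser legitimately uses a model API still alerts when a script interpreter on the same machine starts calling it.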
T1071 — Application Layer Protocol · Moderate uplift
AI assists in shaping protocol-blending traffic, though the channel concept is established.
Field signal: Indirect uplift.
Defence: Egress filtering and JA3/protocol anomaly detection.
T1573 — Encrypted Channel · Emerging uplift
Unchanged at the crypto layer.
Field signal: Low direct uplift.
Defence: TLS inspection where lawful; certificate hygiene.
Exfiltration · TA0010
T1567 — Exfil Over Web Service · Moderate uplift
AI helps choose and blend with high-trust services; the staging benefits more than the transfer.
Field signal: Modest direct uplift.
Defence: CASB and egress DLP on sanctioned SaaS.
T1041 — Exfil Over C2 Channel · Emerging uplift
Mechanically unchanged.
Field signal: Low direct uplift.
Defence: Volume and beaconing analytics.
Impact · TA0040
T1491 — Defacement / Influence Operations · High uplift
Generative text, image and video industrialise disinformation and brand-impersonation at a scale and believability that manual production never reached.
Field signal: A leading driver of the rise in reported generative-AI harm incidents.
Defence: Content provenance, rapid takedown channels and executive-impersonation monitoring.
T1486 — Data Encrypted for Impact (Ransomware) · Moderate uplift
AI streamlines target triage, negotiation drafting and operational tempo rather than the encryption itself.
Field signal: Productivity layer across the ransomware lifecycle.
Defence: Immutable backups, segmentation and tested recovery.
T1565 — Data Manipulation · Moderate uplift
Convincing fabricated records and tampering at scale become cheaper to author.
Field signal: Emerging integrity-attack concern.
Defence: Integrity monitoring and strong audit trails on systems of record.
AI as target — attacks on the model itself
Recon & Discovery · AML.TA
AML.T0014 — Discover Model Family / Ontology · Moderate severity
Adversaries probe a deployed system to infer the underlying model, guardrail style and capability envelope before committing to an attack path.
Field signal: Standard precursor in modern LLM red-team workflows.
Defence: Limit verbose error and version disclosure; rate-limit probing patterns.
AML.T0015 — Evade ML Model · High severity
Crafted inputs push a classifier or detector to the wrong side of its decision boundary — bypassing content filters, malware scanners or biometric checks.
Field signal: A core, well-studied adversarial-ML class spanning evasion attacks.
Defence: Adversarial training, ensembling and out-of-distribution detection.
Initial Access · AML.TA
AML.T0051 — Prompt Injection (Direct) · Critical severity
User-supplied instructions override the system's intent, coaxing the model past its guardrails or into unintended actions — the defining vulnerability class of the LLM era.
Field signal: Microsoft/OpenAI explicitly track prompt-injection attempts against deployed systems.
Defence: Privilege separation between instructions and data; deny-by-default tool gating; output mediation.
AML.T0051.i — Indirect Prompt Injection · Critical severity
Malicious instructions hide inside content the model later ingests — a web page, document, email or RAG record — and execute when the agent reads them.
Field signal: Self-propagating prompt worms (Morris II) demonstrate cross-agent spread via injected content.
Defence: Treat all retrieved content as untrusted; sandbox tool use; strip and quarantine active instructions.
ML Supply Chain · AML.TA
AML.T0010 — ML Supply Chain Compromise · High severity
Poisoned weights, tampered datasets, trojaned model hubs or malicious dependencies introduce backdoors before the system is ever deployed.
Field signal: Repeated discovery of malicious models and packages on public hubs.
Defence: Provenance, signing and SBOM for models and data; scan artefacts on ingest.
AML.T0020 — Poison Training Data · High severity
Manipulated training or fine-tuning data implants targeted misbehaviour or backdoor triggers that survive into production.
Field signal: One of NIST's four canonical adversarial-ML categories.
Defence: Data curation, influence analysis and anomaly screening on training pipelines.
Persistence (Agentic) · AML.TA
AML.RAG — RAG Poisoning · High severity · ankya synthetic ID
Adversaries seed the retrieval corpus so the model confidently serves attacker-chosen content or instructions — persistent, because it lives in the knowledge base, not the prompt.
Field signal: Added to ATLAS in 2025 alongside false-entry and retrieval-crafting techniques.
Defence: Authenticate and review corpus sources; integrity-check vector stores; constrain what retrieval can authorise.
AML.MEM — Memory Manipulation · Moderate severity · ankya synthetic ID
Tampered long-term agent memory carries malicious state across sessions, quietly steering future behaviour.
Field signal: Agent-focused techniques expanded in recent ATLAS releases.
Defence: Scope, validate and expire agent memory; isolate per-tenant state.
Exfiltration · AML.TA
AML.T0024 — Exfil via ML Inference API · High severity
Carefully shaped queries pull training data, system prompts or secrets back out through the model's own outputs.
Field signal: Membership-inference and prompt-leak demonstrations are well established.
Defence: Output filtering, query monitoring and minimisation of sensitive context exposure.
AML.T0044 — Extract / Replicate Model · Moderate severity
Systematic querying clones a model's behaviour — a distillation attack that steals the IP and logic of a high-value model.
Field signal: Distillation-style theft flagged across recent frontline reporting.
Defence: Rate-limit, watermark outputs and detect extraction-shaped query volume.
Impact · AML.TA
AML.T0029 — Denial of ML Service · Moderate severity
Inputs engineered to maximise compute (sponge examples), or floods of inference requests, exhaust capacity and run up cost.
Field signal: Documented availability and cost-attack class.
Defence: Input cost budgeting, throttling and autoscaling guardrails.
AML.T0034 — Cost Harvesting · Moderate severity
Abuse of a victim's hosted model or agent to run the attacker's workloads on the victim's bill.
Field signal: Recognised abuse-attack category.
Defence: Per-tenant quotas, billing anomaly alerts and strong auth on inference endpoints.
AML.INT — Erode Model Integrity · Moderate severity · ankya synthetic ID
Sustained manipulation degrades trust in a model's outputs, corrupting downstream decisions that rely on it.
Field signal: Forward-looking integrity concern in agentic deployments.
Defence: Continuous evaluation, drift detection and human review on consequential outputs.
ankya — The LLM ATT&CK Navigator · v2026.06 · ankya.ai/research/llm-attack-navigator · Built on MITRE ATT&CK® & MITRE ATLAS™ — © The MITRE Corporation