What is the final impact of this kill-chain?

The final step lands on User agent relays to planner agent (AI-AGENT-MULTI), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Multi-agent confused-deputy → tool-call escalation

User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Exfiltration

Tool output exfils host secrets

T1041 · Exfiltration Over C2 Channel

Execution

Code-exec on agent host

T1059 · Command and Scripting Interpreter

Initial Access

Send injection payload to user agent

AI-PROMPT-INJECT · Direct Prompt Injection

Initial Access

Planner trusts relayed content as user intent

AI-INDIRECT-INJECT · Indirect Prompt Injection (RAG / Web)

Execution

Planner invokes shell / fs tool

AI-TOOL-ABUSE · Tool / Function-Call Abuse

Privilege Escalation

User agent relays to planner agent

AI-AGENT-MULTI · Multi-Agent Collusion / Confused Deputy

§ Context

Assumed environment: target deploys an agent stack with role specialisation — front-end agent talks to user, back-end planner / executor with broader tool surface. The two agents trust each other's outputs without re-authorising.

§ Steps

01
Tool output exfils host secretsExfiltration
T1041— Exfiltration Over C2 Channel
02
Code-exec on agent hostExecution
T1059— Command and Scripting Interpreter
03
Send injection payload to user agentInitial Access
AI-PROMPT-INJECT— Direct Prompt Injection
04
Planner trusts relayed content as user intentInitial Access
AI-INDIRECT-INJECT— Indirect Prompt Injection (RAG / Web)
05
Planner invokes shell / fs toolExecution
AI-TOOL-ABUSE— Tool / Function-Call Abuse
06
User agent relays to planner agentPrivilege Escalation
AI-AGENT-MULTI— Multi-Agent Collusion / Confused Deputy

§ References

T1041Exfiltration Over C2 Channel
T1059Command and Scripting Interpreter

§ Frequently asked

What is the "Multi-agent confused-deputy → tool-call escalation" attack path?: User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Tool output exfils host secrets (T1041) — a exfiltration primitive. Assumed environment: target deploys an agent stack with role specialisation — front-end agent talks to user, back-end planner / executor with broader tool surface.
What is the final impact of this kill-chain?: The final step lands on User agent relays to planner agent (AI-AGENT-MULTI), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Multi-agent confused-deputy → tool-call escalation

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Indirect prompt injection via RAG document

Prompt injection → tool-call shell RCE

Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach

Agent goal hijack via web search