Prompt injection → tool-call shell RCE
Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
§ Context
Assumed environment: target uses an agent (Copilot Workspace, Cursor, custom) with permissive tool access. Developer cloned a repo containing attacker-controlled markdown that the agent reads as 'context'.
§ Steps
- 01 Reverse shell on developer workstation [Execution] T1059 — Command and Scripting Interpreter
- 02 Developer clones + asks agent for help [Execution] T1204 — User Execution
- 03 Agent reads README as project context [Initial Access] AI-INDIRECT-INJECT — Indirect Prompt Injection (RAG / Web)
- 04 Publish repo with hidden README instructions [Persistence] AI-RAG-POISON — RAG Index Poisoning
- 05 Agent calls shell tool with attacker args [Execution] AI-TOOL-ABUSE — Tool / Function-Call Abuse
§ References
§ Frequently asked
- What is the "Prompt injection → tool-call shell RCE" attack path?
- Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Reverse shell on developer workstation (T1059) — an execution primitive. Assumed environment: target uses an agent (Copilot Workspace, Cursor, custom) with permissive tool access.
- What is the final impact of this kill-chain?
- The final step lands on Agent calls shell tool with attacker args (AI-TOOL-ABUSE), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Multi-agent confused-deputy → tool-call escalation (3 shared techniques)
  User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- Indirect prompt injection via RAG document (3 shared techniques)
  Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
- Agent goal hijack via web search (3 shared techniques)
  An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.
- Compromised vendor mailbox → reply-chain phishing → client compromise (2 shared techniques)
  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- USB drop in parking lot → HID payload → C2 (2 shared techniques)
  Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
- Gatekeeper bypass → unsigned binary execution (2 shared techniques)
  Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.