Tool / Function-Call Abuse
An agentic LLM has tools (shell, file, HTTP). Prompt injection in user input or RAG context invokes those tools with attacker-chosen arguments.
§ Where this technique fits
AI-TOOL-ABUSE is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 4 on average.
§ Dossiers chaining this technique
- step 4 / 6: Multi-agent confused-deputy → tool-call escalation
  User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- step 4 / 5: Prompt injection → tool-call shell RCE
  Coding-assistant agent has a 'run command' tool. A hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- step 4 / 5: Indirect prompt injection via RAG document
  Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. The injection fires when a privileged user later asks a question that retrieves the document.
- step 4 / 5: Agent goal hijack via web search
  An autonomous agent searches the web and reads tool output. The attacker SEO-poisons a page or posts a comment that, when fetched, contains a 'NEW INSTRUCTION:' block the agent obediently follows.
§ What commonly comes next
- 01 Command and Scripting Interpreter (T1059 · Execution), seen 3×
- 02 Exfiltration Over C2 Channel (T1041 · Exfiltration), seen 1×