RAG Index Poisoning
Insert documents into the vector DB whose embeddings rank high for sensitive queries — the model retrieves and trusts attacker content.
§ Where this technique fits
AI-RAG-POISON is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, typically at step 1 on average.
§ Dossiers chaining this technique
- step 1 / 5
Prompt injection → tool-call shell RCE
Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- step 1 / 5
Indirect prompt injection via RAG document
Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
- step 1 / 5
Agent goal hijack via web search
An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.
§ What commonly comes next
- 01Valid Accountsseen 2×T1078 · Initial Access
- 02User Executionseen 1×T1204 · Execution