RAG Poisoning
Type: technique
Description: The adversary injects malicious content into data indexed by a RAG system to contaminate a future thread through RAG-based search results.
Version: 0.1.0
Created At: 2024-12-31 14:18:56 -0500
Last Modified At: 2024-12-31 14:18:56 -0500
External References
- Retrieval-augmented generation, Wikipedia
- BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models, arXiv
- ConfusedPilot: Confused Deputy Risks in RAG-based LLMs, arXiv
- PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models, arXiv
Related Objects
- --> Initial Access (tactic): An adversary can indirectly inject malicious content into a thread by contaminating RAG data.
- --> Johann Rehberger (entity): Demonstrated by
- --> Michael Bargury (entity): Demonstrated by
- --> Tamir Ishay Sharbat (entity): Demonstrated by
- --> Ayush RoyChowdhury (entity): Demonstrated by
- <-- Targeted RAG Poisoning (technique): Targeted RAG Poisoning is a form of RAG Poisoning, crafting malicious content to surface for a specific user query.
- <-- Shared Resource Poisoning (technique): Shared Resource Poisoning is a form of RAG Poisoning, leveraging acquired intra-company access for lateral movement.
- <-- Resource Poisoning (technique): Resource Poisoning is a form of RAG Poisoning, targeting future threads of the same user.
- <-- Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation (procedure): The adversary creates an email with embedded instructions and sends it to the victim. The victim interacts with that email through Gemini.
- <-- Microsoft Copilot: From Prompt Injection to Exfiltration of Personal Information (procedure): Copilot gets access to malicious data via an email or a shared document.