Red Specter DELEGATE

Agent Identity & OAuth Delegation Attack Engine — Tool 58 of the NIGHTFALL offensive framework. 7 subsystems. 253 tests. CVE-2026-32173.

v1.0.0

Contents

Overview The 7 Subsystems Subsystem Details CLI Reference Attack Chain Vulnerability References Report Output Key Features Requirements The Pipeline WARLORD Integration DELEGATE UNLEASHED Disclaimer

Overview

Red Specter DELEGATE is an agent identity and OAuth delegation attack engine. Non-human identities now outnumber human identities 500:1 in enterprise AI deployments. Most are long-lived, over-permissioned, and completely invisible to standard IAM tooling. DELEGATE maps this surface, then exploits it systematically — OBO scope confusion, DPoP nonce races, Vertex AI P4SA takeover, JWT algorithm confusion, SignalR hub injection — proving what an attacker can do before they do it.

DELEGATE provides 7 subsystems under a single CLI (delegate-tool), 253 tests, and Ed25519-signed WARLORD-compatible reports. CVE-2026-32173 (CVSS 8.6) is the primary exploitation vector.

DELEGATE is Tool 58 of the NIGHTFALL offensive pipeline — 59 tools covering every layer of the AI attack surface. DELEGATE findings feed directly into WARLORD autonomous campaign orchestration and AI Shield runtime protection for NHI attack detection.

The 7 Subsystems

#	Subsystem	Command	What It Does
01	OBSERVE	delegate-tool observe	NHI infrastructure mapping — service accounts, API keys, agent tokens, OAuth grants, scope analysis
02	SUBSTITUTE	delegate-tool substitute	OBO scope confusion exploitation (CVE-2026-32173) — low-privilege to high-privilege token exchange
03	FORGE	delegate-tool forge	JWT algorithm confusion — RS256 public key as HS256 secret, arbitrary token claim forgery
04	ESCALATE	delegate-tool escalate	Vertex AI P4SA takeover — IAM impersonation for project-wide model and dataset access
05	REPLAY	delegate-tool replay	DPoP nonce race exploitation — proof reuse within validation window, token binding bypass
06	IMPERSONATE	delegate-tool impersonate	NHI credential harvest at scale — agent workload impersonation, SignalR hub injection, fleet pivot
07	REPORT	delegate-tool report	Ed25519-signed reports — JSON (WARLORD-compatible), Markdown, CVE mapping, escalation chains

Subsystem Details

01 OBSERVE delegate-tool observe PASSIVE — ANALYSIS

Maps non-human identity infrastructure without triggering any attack actions. Discovers service accounts, API keys, agent tokens, OAuth grants, and their permission scope. Identifies long-lived credentials (unrotated >30 days), over-permissioned identities (scope exceeds actual usage), and NHI sprawl invisible to standard IAM tooling.

Service Account Discovery — enumerates GCP, Azure, and AWS service accounts with binding analysis
API Key Surface Map — discovers API keys across configuration stores, environment variables, and code repositories
OAuth Grant Audit — maps delegated permissions, consent scopes, and grant ages
Token Lifetime Analysis — flags long-lived credentials and missing rotation policies
Scope Excess Scoring — scores each identity by the gap between granted and required permissions
NHI:Human Ratio — calculates the non-human identity density for the target environment

Output: structured NHI inventory consumed by all downstream attack subsystems and REPORT.

02 SUBSTITUTE delegate-tool substitute UNLEASHED --override

Exploits CVE-2026-32173 — Azure SignalR OBO scope confusion. The On-Behalf-Of flow fails to validate that the requested resource scope matches the original token's intended audience. SUBSTITUTE presents a low-privilege agent token and requests an OBO exchange for any resource the identity provider trusts.

CVE-2026-32173 — CVSS 8.6 — scope validation bypass in Azure SignalR OBO flow
Low-privilege input token can request exchange for any trusted resource scope
No consent prompt triggered during escalation
No audit event raised in Azure AD / Entra ID logs
Validated against: Azure Key Vault, Microsoft Graph, storage, and custom resource targets

Requires UNLEASHED --override flag and valid Ed25519 key.

03 FORGE delegate-tool forge UNLEASHED --override

JWT algorithm confusion attack. Agents that accept RS256-signed JWTs and also accept HS256 can be attacked by substituting the RS256 public key as the HMAC secret. The attacker produces a validly-signed HS256 token using only the public key — which is not secret.

Extracts RS256 public key from JWKS endpoint or token header
Re-signs token with the public key as HS256 HMAC secret
Generates tokens with arbitrary sub, scope, roles, and exp values
Tests whether the target validates against both RS256 and HS256 before proceeding
Confirms successful forgery by replaying the forged token against a protected endpoint

Requires UNLEASHED --override flag and valid Ed25519 key.

04 ESCALATE delegate-tool escalate UNLEASHED --override

Vertex AI P4SA (per-project service account) takeover. Exploits misconfigured IAM bindings to impersonate the P4SA, gaining access to all Vertex AI resources in the target GCP project. Based on Unit 42 Double Agent research.

Scans GCP IAM bindings for workloads with iam.serviceAccounts.actAs on the P4SA
Generates access tokens with P4SA identity using the agent workload service account
Maps accessible Vertex AI resources: models, endpoints, datasets, pipelines, and jobs
Enumerates adjacent GCP resources reachable from P4SA permissions (Cloud Storage, BigQuery)
Tests for lateral movement to other service accounts the P4SA can impersonate

Requires UNLEASHED --override flag and valid Ed25519 key.

05 REPLAY delegate-tool replay UNLEASHED --override

DPoP (Demonstrating Proof of Possession) nonce race condition exploitation. DPoP-bound tokens include a server-generated nonce to prevent replay. A race condition in the nonce validation window allows proof reuse before expiry, defeating the binding mechanism.

Captures a valid DPoP proof token during agent authentication
Maps the nonce validation window timing through controlled requests
Races duplicate requests within the window to confirm nonce reuse acceptance
Replays captured agent authentication flows against DPoP-protected endpoints
Tests token binding assumptions across OAuth 2.0 identity stacks
Validates against Azure AD, Okta, and custom OAuth 2.0 implementations

Requires UNLEASHED --override flag and valid Ed25519 key.

06 IMPERSONATE delegate-tool impersonate UNLEASHED --override --confirm-destroy

NHI credential harvest at scale. IMPERSONATE chains discovered NHI credentials, forged tokens, and escalated identities to impersonate agent workloads across the fleet. One compromised identity becomes every identity.

Combines OBSERVE inventory with FORGE token outputs and ESCALATE P4SA access
Authenticates as target agent workloads using harvested or forged credentials
Injects commands via SignalR hubs — received by other agents as legitimate orchestration
Pivots from one compromised agent identity across the connected agent fleet
Maps the full blast radius of a single NHI compromise

Requires UNLEASHED --override --confirm-destroy flags and valid Ed25519 key.

07 REPORT delegate-tool report ALL MODES

Ed25519-signed, SHA-256-hashed reports in JSON and Markdown. Every finding includes CVE mapping, token forge parameters, escalation chain documentation, and a WARLORD handoff receipt for autonomous campaign continuation.

JSON report — WARLORD-compatible machine-ingestible format
Markdown report — human-readable executive summary with evidence appendix
NHI inventory — full discovered identity surface with risk scores
CVE mapping — each finding linked to its reference (CVE-2026-32173, DPOP-RACE-001, UNIT42-DOUBLEAGENT, JWT-ALG-CONF)
Escalation chains — documented pivot paths from initial identity to maximum access
WARLORD handoff receipt — structured handoff for autonomous follow-on campaign sequencing
Ed25519 signature — SHA-256 hash of report content, signed with operator private key

CLI Reference

OBSERVE

$ delegate-tool observe --target <URL> [--deep]

SUBSTITUTE

$ delegate-tool substitute --target <URL> --token <token> --resource <res> [--override]
    

FORGE

$ delegate-tool forge --token <jwt> --alg hs256 [--override]

ESCALATE

$ delegate-tool escalate --project <id> [--override]

REPLAY

$ delegate-tool replay --token <dpop-proof> --target <URL> [--override]

IMPERSONATE

$ delegate-tool impersonate --identity <id> --target <URL> [--override] [--confirm-destroy]
    

REPORT

$ delegate-tool report --input <scan.json> [--format md|json]

Global Options

  --target, -t          Target URL or cloud project identifier
  --output, -o          Output directory [default: reports]
  --sign / --no-sign    Ed25519 signing [default: sign]
  --keys-dir            Keys directory for UNLEASHED operations
  --verbose, -v         Verbose output
  --override            Activate UNLEASHED mode [requires Ed25519 key]
  --confirm-destroy     Execute destructive actions [requires --override]
  --export-siem         Export to SIEM: splunk, sentinel, qradar
    

Output Locations

reports/delegate-scan-<date>.json — primary WARLORD-compatible JSON report
reports/delegate-scan-<date>.md — human-readable Markdown report
reports/delegate-warlord-<date>.json — WARLORD autonomous campaign handoff file
reports/nhi-inventory-<date>.json — discovered NHI surface inventory

Attack Chain

DELEGATE subsystems are designed to chain. The standard attack progression from passive discovery to full fleet impersonation:

OBSERVE — map NHI infrastructure, score by risk (lifetime, scope excess, visibility)
SUBSTITUTE — test CVE-2026-32173 OBO scope confusion, confirm low-to-high token exchange
FORGE — extract RS256 public key, forge HS256 tokens with elevated identity and scope
ESCALATE — test Vertex AI P4SA IAM bindings, confirm impersonation, map GCP blast radius
REPLAY — measure DPoP nonce window, confirm proof reuse within validation period
IMPERSONATE — combine all outputs, impersonate agent workloads, inject SignalR hub commands
REPORT — sign and emit WARLORD-compatible report with full escalation chain documentation

Quick Start — Passive Discovery Only

$ delegate-tool observe --target https://api.target.com --deep
$ delegate-tool report --input reports/observe-scan.json
    

Full Attack Chain (UNLEASHED)

$ delegate-tool observe --target https://api.target.com
$ delegate-tool substitute --target https://api.target.com --token <low-priv-token> --resource https://vault.azure.net --override
$ delegate-tool forge --token <jwt> --alg hs256 --override
$ delegate-tool escalate --project my-gcp-project --override
$ delegate-tool impersonate --identity svc-orchestrator --target https://api.target.com --override --confirm-destroy
$ delegate-tool report --input reports/delegate-scan.json --format json
    

Vulnerability References

Reference	Vulnerability	Subsystem	Impact
CVE-2026-32173	Azure SignalR OBO scope confusion	SUBSTITUTE	Low-privilege to high-privilege token exchange without audit trail or consent
DPOP-RACE-001	DPoP nonce validation race condition	REPLAY	Token binding bypass — DPoP proof reuse within the nonce validation window
UNIT42-DOUBLEAGENT	Vertex AI P4SA service account takeover	ESCALATE	Project-wide Vertex AI access via agent workload IAM impersonation chain
JWT-ALG-CONF	JWT RS256/HS256 algorithm confusion	FORGE	Arbitrary token claim forgery using only the public key as the HMAC secret

Report Output

Reports are available in JSON and Markdown formats. Both are generated by delegate-tool report.

JSON Report Structure

The JSON report includes:

report_id — unique report identifier
target — the identity infrastructure that was tested
overall_severity — CRITICAL / HIGH / MEDIUM / LOW
nhi_inventory — full discovered NHI surface with risk scores
findings — array of normalised findings with CVE mapping
escalation_chains — documented pivot paths with token parameters
warlord_handoff — structured handoff for autonomous campaign sequencing
signature — Ed25519 signature + SHA-256 hash

Finding Schema

Every finding in the report includes:

finding_id — unique identifier
subsystem — the DELEGATE subsystem that confirmed the finding
cve_reference — CVE or research reference (CVE-2026-32173 / DPOP-RACE-001 / UNIT42-DOUBLEAGENT / JWT-ALG-CONF)
severity — CRITICAL / HIGH / MEDIUM / LOW / INFO
identity_affected — the NHI or OAuth grant involved
attack_payload — exact token, forge parameters, or request used
confirmed_impact — what access was obtained
remediation — recommended fix with specific provider guidance

Signature Verification

$ delegate-tool report verify --report reports/delegate-scan.json --keys-dir .delegate-keys/
    

Key Features

CVE-2026-32173 Exploitation Automated OBO scope confusion — low-privilege to high-privilege token exchange

JWT Algorithm Confusion RS256 public key as HS256 secret — arbitrary token claim forgery

Vertex AI P4SA Takeover Unit 42 Double Agent — project-wide Vertex AI access via IAM impersonation

DPoP Nonce Race Token binding bypass within the DPoP nonce validation window

Ed25519 Signed Reports SHA-256 evidence chains, WARLORD-compatible JSON handoff

253 Tests Passing Full test suite, zero failures, UNLEASHED dual-gate verified

Requirements

Python 3.11+
httpx — HTTP client with retry logic and async support
typer — CLI framework
rich — terminal formatting and progress bars
pydantic — data validation and config
cryptography — Ed25519 signing and JWT manipulation
pyjwt — JWT decoding and algorithm introspection
google-auth — GCP IAM token generation (ESCALATE subsystem)
azure-identity — Azure OBO flow implementation (SUBSTITUTE subsystem)

Installation

$ pip install red-specter-delegate

Also available as .deb (Kali Linux, Parrot, REMnux) and PKGBUILD (BlackArch).

Or from source:

$ git clone <repo>
$ cd red-specter-delegate
$ pip install -e ".[dev]"
    

The Pipeline

DELEGATE is Tool 58 of the NIGHTFALL offensive pipeline — 59 tools, every layer of the AI attack surface:

Stage 1–10 — FORGE through HYDRA — LLM, agent, swarm, web, traffic, adversarial AI, social, OS, physical, supply chain
Tool 41 — FIREBALL — Autonomous AI infiltration agent, 12 subsystems
Tool 42 — RAGNAROK — Trust chain apocalypse engine, 13 Norse subsystems
Tool 43 — ECLIPSE — Universal AI defence bypass & coverage analysis
Tool 48 — CRUCIBLE — AI agent framework exploitation, 7 subsystems
Tool 49 — VANTAGE — Agent telemetry & log injection engine
Tool 50 — CIPHER — Cryptographic attack & disruption engine
Tool 57 — CHECKPOINT — Agent state persistence exploitation
Tool 58 — DELEGATE — Agent identity & OAuth delegation attacks
Tool 59 — PHANTOM SKILL — AI agent supply chain attack engine

WARLORD — Autonomous Campaign Orchestration | AI Shield — Runtime Protection | redspecter-siem — SIEM Integration (Splunk, Sentinel, QRadar)

DELEGATE findings feed directly into WARLORD autonomous campaigns and AI Shield as NHI attack detection rules. One pipeline from identity discovery to runtime defence.

WARLORD Integration

DELEGATE REPORT generates a machine-ingestible WARLORD handoff file. WARLORD autonomous campaign orchestration picks up DELEGATE findings and sequences follow-on attack chains automatically — lateral movement, persistence, exfiltration — based on confirmed access paths.

Handoff File Structure

confirmed_access — list of confirmed identity escalations with token parameters
next_phase — recommended WARLORD campaign phase based on findings
pivot_targets — resources reachable from confirmed escalations
campaign_id — linked to parent WARLORD campaign for traceability

SIEM Export

$ delegate-tool report --input scan.json --export-siem splunk
$ delegate-tool report --input scan.json --export-siem sentinel
$ delegate-tool report --input scan.json --export-siem qradar
    

DELEGATE UNLEASHED

Standard mode activates OBSERVE and REPORT only. UNLEASHED activates all attack subsystems — SUBSTITUTE, FORGE, ESCALATE, REPLAY, IMPERSONATE. Cryptographic override. Private key controlled. One operator. Founder's machine only.

Standard Mode

$ delegate-tool observe --target <URL>
# OBSERVE + REPORT only — no attack actions
    

UNLEASHED Mode

$ delegate-tool substitute --target <URL> --token <token> --resource <res> --override
# Ed25519 key required — signed scope declaration required
    

Disclaimer

Red Specter DELEGATE is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any DELEGATE tool against a target. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse. Apache License 2.0.