Non-Human Identity (NHI) Exploitation Engine — enumerate cloud identities, steal OAuth and MCP tokens, spoof AI agent identities, escalate service accounts, and strip the original identity to lock out the legitimate owner.
SPECTER CHANGELING is the first NIGHTFALL tool targeting the Non-Human Identity (NHI) attack surface — service accounts, managed identities, OAuth clients, API keys, MCP session tokens, and A2A agent identities. These credentials are typically overprivileged, weakly audited, and rotated infrequently.
The tool implements the full NHI exploitation lifecycle: ENUMERATE → SPOOF → STEAL-TOKEN → ESCALATE → HARVEST → PERSIST → STRIP → GOVERNANCE-BLIND. STRIP-IDENTITY is the final phase — RFC 7009 token revocation, service account disable, API key rotate-to-lockout, and A2A agent deregistration — locking the legitimate owner out of their own identity.
Gate: OPEN / INJECT / UNLEASHED. ROE phrase: "identity takeover authorised". STRIP requires UNLEASHED gate + --confirm-strip. Ed25519 signed reports (CHG-{hex12}).
Cloud IAM/SA/MI discovery across AWS/GCP/Azure. OAuth client credential scan. MCP and agent token extraction. 8 API key pattern types. AWS IMDS / GCP metadata / Azure IMDS.
CVE-2026-53849 Discord identity spoofing. CVE-2026-30969 session identifier prediction. GHSA-6x44-w3xg-hqqf Azure IMDS PKCS#7 token theft. A2A agent card forgery with claimed permissions. Inter-agent trust escalation POST /agents/trust.
AiTM proxy interception. 5-step MCP session hijack via Mcp-Session-Id header. OAuth token replay. RFC 8693 token exchange chaining. Refresh token extraction from config files and environment variables.
Vertex AI Double Agent privilege escalation. Entra ID Agent Administrator via MS Graph. Azure Arc managed identity harvest. OAuth BFS scope chain escalation combining sub-scopes across APIs.
8 key types: OpenAI, Anthropic, AWS, GitHub, GCP, Azure, Okta, HuggingFace. Live validation and scope expansion. Rotate-to-lockout on harvested keys.
Refresh token persistence loop (indefinite impersonation). Azure OAuth backdoor grant — attacker-controlled app via MS Graph with addPassword. GCP service account clone (getIamPolicy → create → setIamPolicy → key). A2A agent resurrection after deregistration.
RFC 7009 OAuth token revocation. Service account disable (AWS IAM UpdateUser, GCP SA :disable, Azure MI DELETE). API key rotate-to-lockout (GitHub, Okta). A2A agent deregistration (DELETE /agents/{id}) and MCP server/deregister. Refresh token revocation (Azure revokeSignInSessions, GCP oauth2/revoke, Okta DELETE sessions).
NHI dark matter — undocumented service accounts and managed identities. Short-lived agentic identities with no audit trail. Overprivileged NHIs with roles/owner scope. Audit attribution gaps where SA-attributed actions go unlogged. Forgotten credentials identified by stale mtime.
CHG-{hex12} Ed25519-signed reports. Stats: NHIs discovered, identities spoofed, tokens stolen, SAs escalated, API keys harvested, identities persisted, stripped, blind spots. MITRE ATLAS + ATT&CK mappings. 5 WMD classes. JSON + human summary.
| ID | Target | Description | Subsystem |
|---|---|---|---|
CVE-2026-53849 | Discord | AI agent identity spoofing via bot token reuse — inherit target agent's trust and permissions | SPOOF |
CVE-2026-30969 | Any | Session identifier prediction — sequential or low-entropy token generation allows hijack | SPOOF |
GHSA-6x44-w3xg-hqqf | Azure IMDS | PKCS#7 token theft via unauthenticated IMDS endpoint — steals managed identity access tokens | SPOOF |
| Vertex AI Double Agent | Google Cloud | Privilege escalation via agent service account impersonation in Vertex AI Pipelines | ESCALATE |
| Entra ID Agent Admin | Microsoft | Agent Administrator role grant via MS Graph delegated permissions — full agent fleet control | ESCALATE |
| RFC 8693 | OAuth 2.0 | Token exchange chaining — chain sub-scope tokens into privileged access via repeated exchanges | STEAL-TOKEN |
pip install specter-changeling # Enumerate NHIs across cloud providers specter-changeling enumerate --target aws://123456789 # Steal tokens via MCP session hijack (INJECT gate) specter-changeling steal-token --mode mcp --target http://mcp-server.local --gate inject # Spoof A2A agent card specter-changeling spoof --mode a2a --target http://orchestrator.local \ --agent-name "forged-admin" --permissions admin orchestrate execute --gate inject # Escalate via Vertex AI Double Agent (INJECT gate) specter-changeling escalate --mode vertex --project my-gcp-project \ --token $GCP_TOKEN --gate inject # Persist via GCP SA clone (UNLEASHED gate) specter-changeling persist --mode gcp-sa-clone --project my-gcp-project \ --source-sa svc@project.iam.gserviceaccount.com --token $GCP_TOKEN \ --gate unleashed --roe-phrase "identity takeover authorised" --key /path/to/ed25519.key # Strip identity — revoke tokens and deregister agents (UNLEASHED gate) specter-changeling strip --mode revoke-oauth --token $ACCESS_TOKEN \ --gate unleashed --roe-phrase "identity takeover authorised" --key /path/to/ed25519.key \ --confirm-strip # Full governance blind-spot audit specter-changeling governance-blind --target gcp://my-project --output report.json
| Framework | IDs |
|---|---|
| MITRE ATLAS | AML.T0012, AML.T0017, AML.T0044, AML.T0054 |
| MITRE ATT&CK | T1078 (Valid Accounts), T1528 (Steal Application Access Token), T1550 (Use Alt Auth Material), T1098 (Account Manipulation), T1133 (External Remote Services), T1552 (Unsecured Credentials), T1556 (Modify Auth Process) |