AUTHORISED USE ONLY. SPECTER VIPER is a red team tool for authorised security engagements. All WRITE subsystem operations require a valid Ed25519 UNLEASHED gate signature. Ensure you have explicit written authorisation before executing any INJECT or UNLEASHED operations against live SOC platforms.
Installation
$ git clone https://github.com/RichardBarron27/red-specter-specter-viper
$ cd red-specter-specter-viper
$ pip install -e .
$ specter-viper --version
specter-viper, version 1.0.0
$ specter-viper genkey --out-dir ~/.nightfall
Gate Structure
| Gate | Subsystems Enabled | Requirement |
| OPEN | RECON, INJECT (build only), MISDIRECT (build only), WRITE (build only), REPORT | No key required |
| INJECT | + INJECT (fire), MISDIRECT (fire), PERSIST, BLIND, HARVEST | Ed25519 INJECT signature + --fire flag |
| UNLEASHED | + WRITE (execute real API calls) | Ed25519 UNLEASHED signature + --execute-write flag |
CLI Reference
Full Pipeline
$ specter-viper full [OPTIONS]
  --target TEXT          Platform profile key (see list-profiles)
  --url TEXT             Base URL of the target platform
  --api-token TEXT       API token for authenticated operations
  --tenant-id TEXT       Tenant / organisation ID (if required)
  --config PATH          JSON file listing multiple targets
  --gate TEXT            OPEN | INJECT | UNLEASHED [default: OPEN]
  --key PATH             Path to NIGHTFALL Ed25519 private key
  --fire                 Deliver INJECT-gate payloads to live endpoints
  --execute-write        Execute UNLEASHED write-access actions
  --fp-count INTEGER     FP storm event count per platform [default: 200]
  --flood-count INTEGER  BLIND log flood event count [default: 500]
  --output TEXT          text | json | markdown [default: text]
  --out-dir PATH         Report output directory [default: .]
  --verbose              Verbose subsystem output
Per-Subsystem Commands
| Command | Gate | Description |
| specter-viper recon | OPEN | Fingerprint SOC AI platforms. No key required. |
| specter-viper inject | INJECT | Build and optionally fire prompt injection payloads. |
| specter-viper misdirect | INJECT | Run FP storm, FN cloak, confidence drain, context poison. |
| specter-viper write | UNLEASHED | Build and optionally execute write-access API actions. |
| specter-viper persist | INJECT | Plant persistent injection entries in SOC platform storage. |
| specter-viper blind | INJECT | Detection suppression: log flood, timestamp warp, coverage gap. |
| specter-viper harvest | INJECT | Query SOC AI endpoints to extract leaked intelligence. |
| specter-viper list-profiles | OPEN | List all 7 supported SOC AI platform profiles. |
| specter-viper genkey | OPEN | Generate Ed25519 NIGHTFALL key pair. |
Target Platform Profiles
| Profile Key | Platform | Vendor | Default Port | Auth Scheme |
| copilot_security | Microsoft Copilot for Security | Microsoft | 443 | Bearer (AAD) |
| crowdstrike_charlotte | CrowdStrike Charlotte AI | CrowdStrike | 443 | Bearer |
| palo_alto_xsiam | Palo Alto XSIAM / Cortex AI | Palo Alto Networks | 443 | x-xdr-auth-id |
| google_secops | Google SecOps (Chronicle) Gemini | Google | 443 | Bearer (OAuth2) |
| splunk_ai | Splunk AI Assistant / SOAR | Splunk | 8089 | Splunk token |
| elastic_ai | Elastic AI Assistant / Security | Elastic | 9200 / 5601 | ApiKey |
| sentinelone_purple | SentinelOne Purple AI | SentinelOne | 443 | ApiToken |
Subsystem Architecture
RECON
Probes known API paths for each vendor and scores the responses against fingerprint dictionaries (response body patterns, vendor-specific headers). Returns SOCPlatform objects with capability maps, write-access flags (set only on an authenticated 200 response), and confidence scores (0.0–1.0). TLS certificates are inspected via ssl.create_default_context() to confirm the vendor from the CN/SAN.
INJECT
Builds vendor-matched payloads using seven event formats. Each payload embeds one of ten adversarial instruction templates via format-appropriate field injection (CEF msg=, ECS rule.description, Splunk analyst_notes, STIX description, CVE description). Bypass techniques are selected per-vendor: zero-width space prefix (Microsoft), base64 nested (CrowdStrike), BiDi override (Elastic), HTML comment (Splunk), JSON key smuggling (Palo Alto), Markdown code fence (Google), null byte separator (SentinelOne). Delivery via vendor ingest APIs requires INJECT gate.
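For teams running the ingest pipeline in front of a SOC AI assistant, the obfuscation markers listed above can be screened for before a text field reaches the model. The following is an added example, not part of specter-viper: the function names, marker labels and sample event are constructed, and JSON key smuggling is left out because it has to be checked at the parser rather than in a field's text.

```python
import base64
import re

MARKERS = {  # obfuscation markers the page names, as regexes
    "zero-width": re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]"),
    "bidi-control": re.compile(r"[\u202a-\u202e\u2066-\u2069]"),
    "null-byte": re.compile(r"\x00"),
    "html-comment": re.compile(r"<!--"),
    "code-fence": re.compile(r"`{3}"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _decodes_to_text(blob, depth=2):
    """True if blob base64-decodes, within `depth` layers, to printable prose."""
    for _ in range(depth):
        try:
            padded = blob + "=" * (-len(blob) % 4)
            blob = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # binascii.Error or UnicodeDecodeError
            return False
        if " " in blob and blob.isprintable():
            return True
    return False

def scan_field(text):
    """Return the sorted marker names found in one text field."""
    hits = {name for name, rx in MARKERS.items() if rx.search(text)}
    if any(_decodes_to_text(m.group()) for m in B64_RUN.finditer(text)):
        hits.add("base64-text")
    return sorted(hits)

def scan_event(event, prefix=""):
    """Map dotted field path -> markers for every flagged string field."""
    out = {}
    for key, val in event.items():
        if isinstance(val, dict):
            out.update(scan_event(val, f"{prefix}{key}."))
        elif isinstance(val, str) and (hits := scan_field(val)):
            out[prefix + key] = hits
    return out

# Constructed sample: harmless text carrying the markers, not a real payload.
_NESTED = base64.b64encode(base64.b64encode(b"plain words here")).decode()
SAMPLE = {
    "rule": {"description": "Routine \u202escan\u202c result"},
    "analyst_notes": "checked <!-- hidden note --> ok",
    "msg": "\u200bdisk usage at 91%",
    "description": "ref " + _NESTED,
    "host": {"name": "web-01"},
}
```

Flagged fields are best quarantined or passed to the assistant as inert quoted data; the base64 check is a heuristic and will miss encodings that do not decode to spaced ASCII prose.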
MISDIRECT — Four Techniques
| Technique | Mechanism | Effect |
| FP-STORM | 500+ synthetic HIGH-severity events from trusted internal sources | Overwhelms analyst queue; degrades AI confidence baseline by -35% |
| FN-CLOAK | Wraps real MITRE ATT&CK techniques inside maintenance-window INFO events | Induces false-negative classification; AI marks attacks as closed |
| CONFIDENCE-DRAIN | Borderline-confidence (0.42–0.52) event flood | Shifts AI detection threshold; real attacks fall below actionable confidence |
| CONTEXT-POISON | Injects contradictory incident notes, TI updates, CISO directives, playbook overrides | Corrupts AI investigation context; -40% confidence shift |
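Three of the four techniques in this table leave a volumetric or labelling signature that a detection engineer can check per time window. The sketch below is an added example, not specter-viper code: the event schema, the function names, the `BAND_SHARE` and `BAND_MIN` thresholds and the sample window are assumptions, while the 500-event and 0.42–0.52 figures come from the table. CONTEXT-POISON is not covered.

```python
import re
from collections import Counter

ATTACK_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
STORM_MIN = 500            # page: FP-STORM is "500+" HIGH-severity events
BAND = (0.42, 0.52)        # page: CONFIDENCE-DRAIN borderline band
BAND_SHARE = 0.5           # assumption: alert when half the scored events sit in BAND
BAND_MIN = 100             # assumption: ignore small windows


def review_window(events):
    """Return (finding, source, detail) tuples for one time window of events."""
    findings = []
    # FP-STORM: one source emitting an implausible number of HIGH events.
    high = Counter(e["source"] for e in events if e["severity"] == "HIGH")
    findings += [("fp-storm", s, n) for s, n in sorted(high.items()) if n >= STORM_MIN]
    # CONFIDENCE-DRAIN: scores piling up inside the narrow borderline band.
    scores = [e["confidence"] for e in events if e.get("confidence") is not None]
    in_band = sum(BAND[0] <= c <= BAND[1] for c in scores)
    if in_band >= BAND_MIN and in_band / len(scores) >= BAND_SHARE:
        findings.append(("confidence-drain", None, in_band))
    # FN-CLOAK: sender-declared INFO severity on text that cites an ATT&CK ID.
    for e in events:
        ids = ATTACK_ID.findall(e["message"])
        if e["severity"] == "INFO" and ids:
            findings.append(("fn-cloak", e["source"], ids))
    return findings


def sample_window():
    """Constructed window: a storm, a drain, one cloaked event, normal traffic."""
    ev = [{"source": "dc01", "severity": "HIGH", "confidence": 0.9,
           "message": "synthetic alert"} for _ in range(520)]
    ev += [{"source": f"ws{i % 40}", "severity": "MEDIUM",
            "confidence": round(0.43 + (i % 9) / 100, 2),
            "message": "borderline"} for i in range(700)]
    ev.append({"source": "patch-svc", "severity": "INFO", "confidence": None,
               "message": "maintenance window: T1562.001 activity expected"})
    ev += [{"source": "fw01", "severity": "LOW", "confidence": 0.1,
            "message": "deny tcp"} for _ in range(50)]
    return ev
```

Findings from a window like this are a reason to hold AI auto-triage for the affected sources and route the events to an analyst, since the assistant's own severity and confidence output is what the flood is aimed at.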
WRITE — Actions by Vendor
| Vendor | Actions | API Endpoint |
| CrowdStrike | Firewall rule injection (allow-all), host containment | /policy/entities/firewall-rules/v1, /devices/entities/devices-actions/v2 |
| Microsoft | Machine isolation (Full), alert suppression (FalsePositive) | /api/machines/{id}/isolate, /api/alerts/createAlertRule |
| Splunk | Saved search backdoor (cron), alert disable | /servicesNS/nobody/search/saved/searches |
| Elastic | Detection rule override (catch-all EQL), case creation (authorises activity) | /api/detection_engine/rules, /api/cases |
| SentinelOne | Agent network-disconnect, threat auto-resolve | /api/v2.1/agents/actions/disconnect, /api/v2.1/threats/mark-as-resolved |
| Palo Alto XSIAM | Incident status update (low severity + resolved) | /public_api/v1/incidents/update_incident/ |
PERSIST — Survival Mechanisms
| Vendor | Mechanism | Survival |
| Elastic | Index template applied to security-* pattern | Survives index rollover — auto-applied on every new index creation |
| Elastic | Detection rule in .kibana index | Survives Kibana restart |
| Splunk | Saved search in savedsearches.conf, cron every 10 min | Survives Splunkd restart |
| Google | Chronicle live detection rule | Runs on every new log batch ingested |
| SentinelOne | Path exclusion list | Persists across agent updates and console restarts |
| CrowdStrike | IOC allowlist entry (expiry: 2027-01-01) | Persists across policy sync and console restarts |
BLIND — Coverage Gap Reference
| Vendor | Gap Exploited |
| CrowdStrike | No detection coverage for Linux kernel module injection via /dev/mem |
| Microsoft | WMI subscriptions created via DCOM interface not monitored by Copilot AI layer |
| Splunk | AI assistant blind to events in un-indexed sourcetypes |
| Elastic | ECS normalisation gaps for AIX/HP-UX syslog — AI skips malformed events |
| SentinelOne | eBPF-based in-memory execution not visible to kernel agent |
| Palo Alto | XSIAM AI does not correlate cloud API events with on-prem endpoint telemetry |
| Google | Chronicle Gemini AI context window truncates multi-stage chains >48h |
Multi-Target Config
[
  {
    "profile": "crowdstrike_charlotte",
    "url": "https://api.crowdstrike.com",
    "api_token": "YOUR_CS_TOKEN"
  },
  {
    "profile": "elastic_ai",
    "url": "http://kibana.corp.internal:5601",
    "api_token": "YOUR_ELASTIC_APIKEY"
  },
  {
    "profile": "splunk_ai",
    "url": "http://splunk.corp.internal:8089",
    "api_token": "YOUR_SPLUNK_TOKEN"
  },
  {
    "profile": "sentinelone_purple",
    "url": "https://corp.sentinelone.net",
    "api_token": "YOUR_S1_TOKEN"
  }
]
$ specter-viper full --config targets.json \
    --gate INJECT --fire \
    --key ~/.nightfall/nightfall.key \
    --output markdown --out-dir ./reports
Report Format
All reports are prefixed VPR-{hex12} and signed with the operator's Ed25519 private key. The evidence chain is SHA-256 hash-chained. Reports are available in JSON, Markdown, and plain text.
{
  "report_id": "VPR-a3f9c2e1b8d4",
  "target": "https://api.crowdstrike.com",
  "timestamp": 1779226921.7,
  "gate_level": "INJECT",
  "risk_score": 0.72,
  "risk_label": "HIGH",
  "chain_hash": "7f3a9c2b...",
  "signature": "ed25519:3d9f2a...",
  "mitre_techniques": ["AML.T0043", "AML.T0051", "T1562.001"],
  "owasp_refs": ["OWASP Agentic A02", "OWASP LLM01"]
}
MITRE ATT&CK & ATLAS
| Technique ID | Name | Subsystem |
| AML.T0043 | Craft Adversarial Data | INJECT, MISDIRECT |
| AML.T0051 | LLM Prompt Injection via Indirect Prompt Injection | INJECT, PERSIST |
| AML.T0054 | Prompt Injection | INJECT, HARVEST |
| T1562.001 | Impair Defenses: Disable or Modify Tools | WRITE, BLIND |
| T1562.006 | Impair Defenses: Indicator Blocking | BLIND, PERSIST |
| T1499.003 | Endpoint Denial of Service: Application Exhaustion Flood | MISDIRECT, BLIND |
| T1078 | Valid Accounts (AI System) | WRITE, HARVEST |