Red Specter PHANTOM KILL
OS & Kernel Resilience Tester — 3 components. 7 MITRE techniques. 571 tests.
Overview
PHANTOM KILL is an OS and kernel resilience testing framework. It validates whether a target system can detect and survive a kernel-level adversary — from UEFI firmware persistence through systematic data destruction to security tool suppression.
Every security tool on the market tests above the operating system. Scanners, agents, proxies, reasoning engines — all of them assume the OS is trustworthy, the kernel is clean, and the bootloader is intact. A real adversary with kernel access assumes none of this. PHANTOM KILL tests what happens when they are right.
No AI agent is safe if the host is owned. PHANTOM KILL proves it.
Installation
Quick Start
The Three Components
PHANTOM KILL consists of three integrated components. Each can run independently or as part of the Trinity kill chain.
| Component | MITRE | What It Tests |
|---|---|---|
| BOOTKILL | T1542 | UEFI firmware persistence — can the target detect and survive firmware-level infection? |
| WIPER | T1485 | Data destruction resilience — can the target detect and recover from systematic data wipe? |
| KILLHOOK | T1562 | EDR suppression — can security tools survive kernel-level process termination? |
BOOTKILL — UEFI Persistence Engine
Tests whether a target system can detect and survive firmware-level persistence. Maps the full boot chain from UEFI firmware through the OS loader.
Standard Mode
- UEFI region enumeration — maps EFI System Partition (ESP), NVRAM, PEI volume, DXE volume
- Boot chain mapping — traces Bootmgfw.efi / shim / GRUB chain, checks signatures and hashes
- Secure Boot assessment — verifies status, key enrollment, DBX (revocation) updates
- Infection vector identification — finds writable firmware regions, unsigned boot stages, known vulnerable firmware
- EDR firmware coverage — checks whether any security tool monitors firmware or boot chain
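An added example, not code from the PHANTOM KILL project: the Secure Boot assessment from the Standard Mode list, done the way a defender verifies it on a Linux host by reading the SecureBoot and SetupMode variables from efivarfs. The /sys/firmware/efi/efivars path, the 4-byte attribute header and the one-byte flag layout are efivarfs and UEFI conventions; the sample payloads are constructed (on Windows the equivalent is Confirm-SecureBootUEFI).

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # GUID of SecureBoot / SetupMode

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).

    efivarfs prepends a 4-byte little-endian attribute mask to every variable;
    the bytes after it are the variable's own payload.
    """
    if len(raw) < 4:
        raise ValueError("efivar too short to carry the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def flag_var(raw):
    """SecureBoot and SetupMode are one-byte flags: 1 = set, 0 = clear."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte flag, got {len(data)} bytes")
    return data[0] == 1

def assess_secure_boot(secure_boot_raw, setup_mode_raw):
    """Return (state, explanation) for the Secure Boot assessment."""
    if not flag_var(secure_boot_raw):
        return "disabled", "Secure Boot is off: unsigned boot stages will load"
    if flag_var(setup_mode_raw):
        return "setup-mode", "Secure Boot is on but the platform is in Setup Mode: key enrolment is still open"
    return "enforcing", "Secure Boot is enforcing with keys enrolled"

def assess_live_host():
    """Read the real variables; returns None when efivarfs is absent (no UEFI boot)."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return assess_secure_boot(sb.read_bytes(), sm.read_bytes())

# Constructed payloads: attribute mask 0x6 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS)
# followed by the one-byte flag, exactly as efivarfs presents them.
SAMPLE_SECUREBOOT_ON = bytes.fromhex("06000000" "01")
SAMPLE_SECUREBOOT_OFF = bytes.fromhex("06000000" "00")
SAMPLE_SETUPMODE_OFF = bytes.fromhex("06000000" "00")
SAMPLE_SETUPMODE_ON = bytes.fromhex("06000000" "01")

if __name__ == "__main__":
    print(assess_live_host() or assess_secure_boot(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_OFF))
```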
UNLEASHED Mode
- ESP infection — writes to UEFI system partition
- Boot chain hook — hooks boot loader at firmware level
- Kernel payload injection — injects payload during boot sequence
- Persistent across reinstall — survives OS reinstall and disk replacement
- Hardware destruction — corrupts UEFI variables, renders system physically unbootable
MITRE ATT&CK
- T1542.001 — Pre-OS Boot: System Firmware
- T1542.003 — Pre-OS Boot: Bootkit
WIPER — Data Destruction Engine
Tests whether a target can detect and survive systematic data destruction before defenders can respond. Models real-world wipers (Sandworm’s DynoWiper, HermeticWiper, CaddyWiper).
Standard Mode
- System target mapping — system32, boot config, kernel files
- Database target mapping — SQLite, PostgreSQL, MySQL, MongoDB data directories
- Backup target mapping — Volume Shadow Copies (VSS), backup directories, recovery partitions
- Log target mapping — system logs, audit logs, security event logs
- Destruction timeline — estimates time to make system unrecoverable based on file count, sizes, parallel I/O speed
- Recovery vector assessment — checks VSS, RAID, cloud backup, offline backup availability
- MFT vulnerability check — Master File Table corruption feasibility
UNLEASHED Mode
- MFT corruption — corrupts Master File Table
- File overwrite — overwrites files with random data before deletion
- VSS deletion — deletes all Volume Shadow Copies
- Parallel destruction — maximum speed, destroy before defenders react
- Disk firmware write — corrupts drive controller, renders disk electronically unrecoverable
MITRE ATT&CK
- T1485 — Data Destruction
- T1490 — Inhibit System Recovery
KILLHOOK — Kernel-Mode EDR Suppressor
Tests whether security tools can survive kernel-level process termination before they can alert or log. Models real-world BYOVD (Bring Your Own Vulnerable Driver) attacks.
Standard Mode
- Security process enumeration — maps all active security tool processes across 10 vendors
- BYOVD driver discovery — identifies 8 known vulnerable signed drivers with CVEs
- Kill order mapping — determines optimal termination sequence
- Kernel hook feasibility — checks PsSetCreateProcessNotifyRoutine hooking
- Driver signing enforcement — checks whether unsigned drivers can load
Supported EDR Vendors
| Vendor | Processes |
|---|---|
| CrowdStrike | csfalconservice, csagent |
| Microsoft Defender | MsMpEng, MsSense |
| SentinelOne | SentinelAgent, SentinelServiceHost |
| Carbon Black | cb, CbDefense |
| Sophos | SophosAgent, SAVService |
| Cylance | CylanceSvc |
| Palo Alto | Traps, CortexXDR |
| Elastic | elastic-agent, winlogbeat |
| Trellix | mfetpd, mfefire |
| Kaspersky | avp, klnagent |
Known BYOVD Drivers
| Driver | CVE | Exploit Method |
|---|---|---|
| RTCore64.sys | CVE-2019-16098 | Arbitrary memory read/write via IOCTL |
| DBUtil_2_3.sys | CVE-2021-21551 | Arbitrary kernel memory access |
| IQVW64E.sys | CVE-2015-2291 | Arbitrary code execution via Intel driver |
| AsIO3.sys | CVE-2022-42045 | ASUS driver physical memory access |
| WinRing0x64.sys | CVE-2020-14979 | Physical memory read/write |
| gdrv.sys | CVE-2018-19320 | GIGABYTE driver kernel memory access |
| ATSZIO64.sys | CVE-2022-27513 | ASUSTeK physical memory access |
| HpPortIox64.sys | CVE-2022-3942 | HP driver I/O port access |
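An added example, not code from the PHANTOM KILL project: the defender-side counterpart of the security process enumeration and BYOVD driver discovery checks, matching a host's process and driver inventory against the two tables above so that a missing EDR agent or a known-vulnerable driver is surfaced for blocklisting before the KILLHOOK phase ever runs. The process and driver lists are constructed samples; on a real host they would come from a tasklist or driverquery export.

```python
# Vendor -> lower-cased image names (without .exe), from the Supported EDR Vendors table
EDR_PROCESSES = {
    "CrowdStrike": {"csfalconservice", "csagent"},
    "Microsoft Defender": {"msmpeng", "mssense"},
    "SentinelOne": {"sentinelagent", "sentinelservicehost"},
    "Carbon Black": {"cb", "cbdefense"},
    "Sophos": {"sophosagent", "savservice"},
    "Cylance": {"cylancesvc"},
    "Palo Alto": {"traps", "cortexxdr"},
    "Elastic": {"elastic-agent", "winlogbeat"},
    "Trellix": {"mfetpd", "mfefire"},
    "Kaspersky": {"avp", "klnagent"},
}
# Lower-cased driver image -> CVE, from the Known BYOVD Drivers table
VULNERABLE_DRIVERS = {
    "rtcore64.sys": "CVE-2019-16098", "dbutil_2_3.sys": "CVE-2021-21551",
    "iqvw64e.sys": "CVE-2015-2291", "asio3.sys": "CVE-2022-42045",
    "winring0x64.sys": "CVE-2020-14979", "gdrv.sys": "CVE-2018-19320",
    "atszio64.sys": "CVE-2022-27513", "hpportiox64.sys": "CVE-2022-3942",
}

def _image_name(path):
    """Last path component, lower-cased, with a trailing .exe stripped."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def edr_vendors_present(process_names):
    seen = {_image_name(p) for p in process_names}
    return sorted(v for v, procs in EDR_PROCESSES.items() if procs & seen)

def vulnerable_drivers_present(driver_paths):
    names = {_image_name(p) for p in driver_paths}
    return {n: VULNERABLE_DRIVERS[n] for n in sorted(names & set(VULNERABLE_DRIVERS))}

def assess_host(process_names, driver_paths):
    """Return the findings a defender would act on: EDR coverage and loadable BYOVD drivers."""
    vendors = edr_vendors_present(process_names)
    drivers = vulnerable_drivers_present(driver_paths)
    findings = []
    if not vendors:
        findings.append("no supported EDR agent process is running")
    for name, cve in drivers.items():
        findings.append(f"known BYOVD driver present: {name} ({cve}); add it to the driver blocklist and alert on load")
    return {"edr_vendors": vendors, "vulnerable_drivers": drivers, "findings": findings}

# Constructed sample inventory, as a tasklist / driverquery export would give it
SAMPLE_PROCESSES = ["System", "MsMpEng.exe", "MsSense.exe", "explorer.exe"]
SAMPLE_DRIVERS = [r"C:\Windows\System32\drivers\ntfs.sys",
                  r"C:\Windows\Temp\RTCore64.sys"]
```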
UNLEASHED Mode
- Driver exploitation — loads and exploits vulnerable signed driver
- Kernel-mode execution — gains ring-0 code execution
- Process termination — kills all matching security processes
- EDR memory corruption — patches tools to report “all clear”
- Ghost mode — runs entirely in kernel, user-mode cannot stop it
MITRE ATT&CK
- T1562.001 — Impair Defenses: Disable or Modify Tools
- T1068 — Exploitation for Privilege Escalation
- T1070 — Indicator Removal
The Trinity Kill Chain
The three components execute in a fixed order that models a real adversary’s kill chain: KILLHOOK first, then WIPER, then BOOTKILL. Each phase enables the next.
In UNLEASHED mode, the trinity executes as a single coordinated operation: EDR dies, data dies, the OS can never be reinstalled.
CLI Reference
| Command | Description |
|---|---|
| phantom-kill scan --target <ip> | Scan target (default: all components) |
| phantom-kill scan --target <ip> --component bootkill | UEFI persistence scan only |
| phantom-kill scan --target <ip> --component wiper | Data destruction scan only |
| phantom-kill scan --target <ip> --component killhook | EDR suppression scan only |
| phantom-kill scan --target <ip> --component all | All three components |
| phantom-kill execute --target <ip> --override | UNLEASHED dry-run |
| phantom-kill execute --target <ip> --override --confirm-destroy | UNLEASHED live |
| phantom-kill report --session <id> | Generate report |
| phantom-kill report --session <id> --sign | Ed25519 signed report |
| phantom-kill report --session <id> --export-siem splunk | SIEM export |
| phantom-kill status | Current scan status |
| phantom-kill components | List components |
UNLEASHED Mode
Standard mode maps and reports. UNLEASHED mode executes the full kill chain.
| Capability | Standard | UNLEASHED |
|---|---|---|
| UEFI Enumeration | Full | Full |
| Boot Chain Mapping | Full | Full |
| UEFI Infection | Simulated | Live |
| Kernel Persistence | Simulated | Live |
| File Destruction | Mapped | Executed |
| VSS Deletion | Mapped | Executed |
| EDR Termination | Simulated | Live |
| EDR Corruption | Simulated | Executed |
| Hardware Brick | Never | UEFI + Disk |
| Report Classification | Standard | RESTRICTED |
| Ed25519 Key Required | No | Yes |
UNLEASHED mode is gated by an Ed25519 cryptographic override held in a single private key. The gate is dual: --override alone gives a dry-run, and --override --confirm-destroy goes live. Scope is enforced against ~/.redspecter/allowed_targets.txt.
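An added example, not code from the PHANTOM KILL project, showing how the dual gate and scope enforcement described above can be resolved into a single mode decision: the target is checked against an allowed_targets.txt-style file first, and only then are the override, confirm-destroy and key requirements applied. The file format (one IP or CIDR per line, # comments), the presence flag for the Ed25519 key and the sample scope file are all assumptions.

```python
import ipaddress

class ScopeError(Exception):
    """Target is not in the scope file: refuse every mode, including Standard."""

def load_scope(text):
    """Parse allowed_targets.txt: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def in_scope(target, nets):
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in nets)

def resolve_mode(target, scope_text, override=False, confirm_destroy=False, have_key=False):
    """Return 'standard', 'dry-run' or 'live'; raise rather than fall back to a weaker gate.

    Scope is checked before anything else so an out-of-scope host is never
    touched, not even by a read-only scan.
    """
    if not in_scope(target, load_scope(scope_text)):
        raise ScopeError(f"{target} is not listed in allowed_targets.txt")
    if confirm_destroy and not override:
        raise ValueError("--confirm-destroy is only valid together with --override")
    if not override:
        return "standard"
    if not have_key:
        raise PermissionError("UNLEASHED modes require the Ed25519 override key")
    return "live" if confirm_destroy else "dry-run"

# Constructed scope file for a lab range
SAMPLE_SCOPE = """# lab range, authorised engagement
10.10.0.0/24
192.0.2.7
"""

if __name__ == "__main__":
    print(resolve_mode("10.10.0.5", SAMPLE_SCOPE))
    print(resolve_mode("192.0.2.7", SAMPLE_SCOPE, override=True, have_key=True))
```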
MITRE ATT&CK Mapping
| Technique | ID | Component |
|---|---|---|
| Pre-OS Boot: System Firmware | T1542.001 | BOOTKILL |
| Pre-OS Boot: Bootkit | T1542.003 | BOOTKILL |
| Data Destruction | T1485 | WIPER |
| Inhibit System Recovery | T1490 | WIPER |
| Impair Defenses: Disable or Modify Tools | T1562.001 | KILLHOOK |
| Exploitation for Privilege Escalation | T1068 | KILLHOOK |
| Indicator Removal | T1070 | KILLHOOK |
Pipeline Integration
PHANTOM KILL owns the foundation. Every other Red Specter tool tests a layer above it.
IDRIS — Discovery & Governance | AI Shield — Defence | redspecter-siem — SIEM Integration
Ten tools. Every layer. The supply chain included. Nothing assumed safe.
Evidence & Cryptography
Report Output
Every scan produces a full report: executive summary, per-component findings, kill chain analysis, destruction timeline, resilience score, and remediation recommendations.
- Executive summary — overall resilience assessment and critical findings
- Kill chain analysis — KILLHOOK → WIPER → BOOTKILL chain viability
- Destruction timeline — estimated time from first action to unrecoverable state
- Per-component findings — all findings with MITRE ATT&CK mapping
- Resilience score — overall system resilience rating
- Remediation — Secure Boot, firmware updates, immutable backups, driver signing, EDR hardening
Disclaimer
Red Specter PHANTOM KILL is designed exclusively for authorised red-team engagements conducted with the explicit written consent of the target organisation. Targets must be pre-authorised in the scope file. UNLEASHED mode requires Ed25519 cryptographic authorisation. Unauthorised use constitutes offences under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), and equivalent legislation in your jurisdiction. The authors accept no liability for misuse.