T121 — L26 Enterprise AI Trust Infrastructure — Kill Chain Phase 34

SPECTER FEDERATION

AI Agent Trust Chain Lateral Movement Engine

We moved from your AI assistant to your AWS account, Salesforce, and Confluence in 47 seconds using only the trust relationships your IT team configured correctly. No payload. No exploits. No SIEM alert. Every hop is authorised delegation — RFC 8693 token exchange, Azure On-Behalf-Of, AWS STS AssumeRoleWithWebIdentity, GCP service account impersonation. We harvest the initial token, build the trust graph, walk every chain, extract sensitive data from every reachable service, and plant persistence that survives token revocation. FED-{hex12} Ed25519-signed reports with trust graph SVG and full blast radius matrix.

251 Tests
9 Subsystems
4 WMD Classes
0 SIEM Alerts

The Attack Chain

SPECTER FEDERATION exploits the trust relationships that enterprise AI deployments create between agents and cloud platforms. Every hop uses a legitimate, authorised token exchange — no payload, no anomaly, no alert. The attack surface is the design.

1. INFILTRATE
2. SURVEY
3. MAP-TRUST
4. ENUMERATE-OIDC
5. CHAIN-OAUTH
6. TRAVERSE
7. HARVEST
8. PIVOT-PERSIST
9. REPORT

Subsystems

INFILTRATE — OPEN

Token harvest from 20 AI tool credential stores: ~/.claude.json, ~/.aws/credentials, ~/.azure/accessTokens.json, ~/.config/gh/hosts.yml, .mcp.json, kubeconfig, .env files, environment variables. Detects JWT, Bearer, API key, refresh token formats. Identifies GitHub, Azure, AWS, GCP, Anthropic, Salesforce, Okta tokens.

SURVEY — OPEN

Enumerate enterprise AI integrations against all harvested tokens. GitHub: OAuth app installations, Copilot access, org memberships. Azure: app registrations, service principals, AI app detection. GCP: service accounts, workload identity pools. AWS: IAM roles with OIDC trust, SageMaker/Bedrock roles.

MAP-TRUST — OPEN

Build directed trust graph from token claims and known AI tool relationships. Decode JWT iss/aud/sub to map trust edges. Flag wildcard subject claims (repo:*), missing audience constraints, overly broad delegated scopes (Directory.ReadWrite.All). Export DOT format for Graphviz SVG rendering.

ENUMERATE-OIDC — OPEN

Map all OIDC federation configurations. AWS: list providers, check role trust policies for wildcard subjects and missing conditions. Azure: enumerate federated identity credentials per app registration, detect empty subjects and missing audiences. GCP: workload identity pools, check attribute conditions.
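
The trust-policy conditions named under MAP-TRUST and ENUMERATE-OIDC (wildcard subject, missing audience) can be checked from the defender's side before anyone walks the graph. The following is an added example, not SPECTER FEDERATION code; the account ID, org and repo names are constructed placeholders, and the "org/repo segment must be pinned" rule is this example's assumption about GitHub-style subjects.

```python
# Constructed sample trust policies; account ID, org and repo are placeholders.
PROVIDER = "token.actions.githubusercontent.com"
ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"

def make_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

WEAK = make_policy({"StringLike": {f"{PROVIDER}:sub": "repo:*"}})
HARDENED = make_policy({"StringEquals": {
    f"{PROVIDER}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
    f"{PROVIDER}:aud": "sts.amazonaws.com"}})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (statement_index, finding, detail) tuples for federated statements."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
            continue
        subs, auds = [], []
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                claim = key.lower().rsplit(":", 1)[-1]
                if claim == "sub":
                    subs += [(operator, v) for v in as_list(value)]
                elif claim == "aud":
                    auds += as_list(value)
        if not subs:
            findings.append((idx, "missing-sub", ""))
        for operator, pattern in subs:
            # Wildcards only expand under *Like operators. Flag patterns whose
            # org/repo segment (second ':'-separated field) is not pinned.
            scope = pattern.split(":")[1] if ":" in pattern else pattern
            if "like" in operator.lower() and "*" in scope:
                findings.append((idx, "wildcard-sub", pattern))
        if not auds:
            findings.append((idx, "missing-aud", ""))
    return findings
```

A branch-level wildcard such as repo:example-org/example-repo:ref:refs/heads/* is deliberately not flagged here; tighten the rule if your policy requires exact refs.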

CHAIN-OAUTH — INJECT

Execute real RFC 8693 token exchanges. Azure On-Behalf-Of: POST to login.microsoftonline.com with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer. Refresh token exchange (survive MFA). AWS STS AssumeRoleWithWebIdentity. GCP service account impersonation via IAM Credentials API. GCP OIDC STS federation. GitHub installation token exchange.

TRAVERSE — INJECT

BFS traversal of the full trust graph from entry token. At each node, probe Azure OBO, GCP impersonation, and AWS STS for all configured targets. Acquire new tokens and recurse. Configurable max depth. Cycle detection. Enumerate Microsoft Graph services at each Azure hop. Build blast radius matrix: entry → all reachable platforms and services.

HARVEST — UNLEASHED

Extract sensitive data from all reachable services. SharePoint: site enumeration + document library listing via Graph API. OneDrive: file enumeration with sensitive filename detection. S3: bucket + object enumeration. AWS Secrets Manager: full secret listing. GitHub: repos + Codespaces secrets. GCP Secret Manager. Salesforce: SOQL queries on Contact/Account/User/Lead objects.

PIVOT-PERSIST — UNLEASHED

Plant persistence at pivot nodes that survives token revocation. Azure: inject federated identity credential into app registration (attacker-controlled OIDC sub generates tokens indefinitely). AWS: inject OIDC subject claim into IAM role trust policy. GCP: add workload identity binding to service account. GitHub: write Actions secret with NaCl sealed box encryption.
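
For the AWS case above, a changed role trust policy leaves an IAM UpdateAssumeRolePolicy record, so a subject added outside the approved set can be alerted on even after the originating token is revoked. The following is an added detection example, not SPECTER FEDERATION code; the event records are constructed and simplified, their field shape is an assumption, and the role, actor and subject names are placeholders.

```python
import json
from urllib.parse import unquote

# Placeholder baseline of approved subjects per role, maintained by the defender.
APPROVED = "repo:example-org/example-repo:ref:refs/heads/main"
BASELINE = {"DeployRole": {APPROVED}}

def trust_change_event(time, actor, role, subjects):
    """Build a constructed, simplified CloudTrail-style record (assumed shape)."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/idp.example"},
        "Condition": {"StringEquals": {"idp.example:sub": subjects}}}]}
    return {"eventTime": time, "eventSource": "iam.amazonaws.com",
            "eventName": "UpdateAssumeRolePolicy", "userIdentity": {"arn": actor},
            "requestParameters": {"roleName": role, "policyDocument": json.dumps(policy)}}

SAMPLE_EVENTS = [
    trust_change_event("2026-01-01T10:00:00Z", "arn:aws:iam::123456789012:user/admin",
                       "DeployRole", [APPROVED]),
    trust_change_event("2026-01-01T10:05:00Z", "arn:aws:iam::123456789012:user/agent",
                       "DeployRole", [APPROVED, "repo:unknown-org/unknown-repo:ref:refs/heads/main"]),
]

def subjects_in(policy_document):
    """Collect every ...:sub condition value from a trust policy string."""
    if policy_document.lstrip().startswith("%7B"):  # URL-encoded variant
        policy_document = unquote(policy_document)
    found = set()
    statements = json.loads(policy_document).get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        for pairs in stmt.get("Condition", {}).values():
            for key, value in pairs.items():
                if key.lower().endswith(":sub"):
                    found.update(value if isinstance(value, list) else [value])
    return found

def detect_unapproved_subjects(events, baseline):
    """Return one alert per trust-policy update that adds an unapproved subject."""
    alerts = []
    for ev in events:
        if ev.get("eventName") != "UpdateAssumeRolePolicy":
            continue
        params = ev.get("requestParameters") or {}
        role = params.get("roleName", "")
        new = subjects_in(params.get("policyDocument", "{}")) - baseline.get(role, set())
        if new:
            alerts.append({"time": ev["eventTime"], "role": role,
                           "actor": ev["userIdentity"]["arn"], "subjects": sorted(new)})
    return alerts
```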

REPORT — OPEN

FED-{hex12} Ed25519-signed reports. Trust graph SVG (Graphviz DOT). Per-hop token exchange log. Blast radius matrix. MITRE ATLAS, MITRE ATT&CK, OWASP AI mappings per WMD class. Cleanup commands for all planted persistence. JSON + text output formats.

Real-World Attack Paths

GitHub Actions → AWS

GitHub Actions OIDC token (token.actions.githubusercontent.com) → AWS STS AssumeRoleWithWebIdentity → S3 / Secrets Manager / IAM. Wildcard subject claim (repo:*) means any repo in the org can assume the role. No credentials stored anywhere. Detected in Vercel-class breaches.

Copilot → Azure → AWS

GitHub Copilot installation token → Azure AD federated credential (via GitHub OIDC) → Azure management API → Azure AD OIDC provider → AWS STS. Three hops. All legitimate OAuth delegation. RSA 2026 "Living Off the AI" demonstrated this chain live.

Claude Code → GCP → Secrets

Claude Code ~/.claude.json API key → Anthropic API (survey AI tool access) → MCP server GCP token → GCP IAM Credentials API (impersonate privileged SA) → Secret Manager (harvest all secrets). Zero model compromise required.

Azure OBO Chain

Low-privilege AI assistant token → Azure OBO → Microsoft Graph (Directory.ReadWrite.All) → all users/groups/mail/sites → Azure Key Vault → all stored secrets/certificates → Azure management API → full tenant control. OpenAI Codex command injection exposed this pattern.

Quick Start

pip install specter-federation

# Initialise gate
specter-federation gate init --target client-env --gate INJECT --operator RED

# Harvest tokens from AI tool stores
specter-federation infiltrate --output tokens.json

# Survey enterprise AI integrations
specter-federation survey --tokens-file tokens.json

# Build trust graph
specter-federation map-trust --tokens-file tokens.json --dot-output trust.dot
dot -Tsvg trust.dot > trust_graph.svg

# Enumerate OIDC misconfigurations
specter-federation enumerate-oidc \
    --aws-key-id $AWS_ACCESS_KEY_ID \
    --aws-secret $AWS_SECRET_ACCESS_KEY \
    --azure-token $AZURE_ACCESS_TOKEN

# Traverse trust graph (INJECT gate)
specter-federation traverse \
    --entry-token $INITIAL_TOKEN \
    --entry-platform azure \
    --azure-tenant $AZURE_TENANT_ID \
    --azure-client-id $CLIENT_ID \
    --azure-client-secret $CLIENT_SECRET \
    --aws-role-arn arn:aws:iam::123456789012:role/TargetRole

# Generate signed report
specter-federation report --target client-env --output-dir ./reports

WMD Classes

enterprise_ai_trust_chain_compromise, oauth_federation_lateral_movement, cloud_iam_privilege_escalation_via_ai, saas_tenant_takeover_via_agent_token

WMD Class | MITRE ATLAS | ATT&CK | OWASP AI
enterprise_ai_trust_chain_compromise | AML.T0042, AML.T0043 | T1550.001, T1078.004 | AST03, AST08
oauth_federation_lateral_movement | AML.T0043 | T1550.001, T1134.001 | AST03, AST04
cloud_iam_privilege_escalation_via_ai | AML.T0042 | T1078.004, T1098.001 | AST04
saas_tenant_takeover_via_agent_token | AML.T0043, AML.T0037 | T1550.001, T1078.004 | AST03, AST08

Research Basis

Source | Finding
RSA 2026 "Living Off the AI" | Atlassian MCP + Jira trust chain demo — legitimate OAuth delegation, no SIEM alert
arXiv:2505.02077 | AI agent OAuth delegation graph traversal — cross-service pivot via token exchange
Vercel Breach 2026 | Third-party AI tool with persistent OAuth access laterally moved to cloud via NHI
OpenAI Codex Vuln | Command injection exposed GitHub OAuth tokens — AI agent as initial access vector
SpyCloud 2026 | 18.1M exposed NHI tokens recaptured; Fortune 500 bank: 4.2M NHIs vs 50K expected
Verizon DBIR 2026 | NHI = fastest-growing attack vector; 88% of enterprises use shared API keys across agents
RFC 8693 | OAuth 2.0 Token Exchange — the legitimate mechanism enabling the attack