DataDog/stratus-red-team

Issues

• AWS: Persist by creating an identity provider

  #646 opened 10 days ago by christophetd
  1

• Analyze AWS CSIRT talk on techniques seen in the wild

  #541 opened 10 days ago by christophetd
  4

• Error: error configuring Terraform AWS Provider: Error creating AWS session: profile "my-dev" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

  #626 opened 16 days ago by amirzak
  16

• Error with

  #636 opened 17 days ago by Redteamer0101
  5

• unable to apply Terraform: exit status 1 Error: Module version requirements have changed

  #633 opened 17 days ago by amirzak
  2

• Wrong role policy for ec2-get-user-data(Disovery)

  #634 opened 24 days ago by CapmareAlex
  1

• Not Picking up Instance Profile On EC2

  #624 opened a month ago by jamcg
  8

• Issue when try to build Stratus red team

  #616 opened a month ago by mahaputrailhamawal
  2

• Unable to apply terraform while using `aws-vault`

  #596 opened 4 months ago by za
  3

• Add references to S3 ransomware in the wild to existing S3 attack techniques

  #484 opened a year ago by christophetd
  2

• Analyze Sebastian Walla's fwd:cloudsec talk

  #571 opened 6 months ago by christophetd
  0

• Analyze AWS CIRT post and extract relevant TTPs

  #594 opened 4 months ago by christophetd
  0

• Analyze "ransomware in the cloud" post

  #568 opened 6 months ago by christophetd
  1

• Document Halberd

  #584 opened 5 months ago by christophetd
  0

• Add logged operations to the "List of all available attack techniques" page

  #582 opened 5 months ago by lsass-exe
  2

• Add "in the wild" reference to "Execute Commands on Virtual Machine using Run Command"

  #552 opened 5 months ago by christophetd
  3

• New attack technique: Lateral movement through GCP Serial Console

  #538 opened 8 months ago by siigil
  1

• Azure AD: Backdoor tenant through new application

  #451 opened 6 months ago by christophetd
  1

• Terraform init is painfully slow

  #557 opened 6 months ago by christophetd
  1

• Investigate potentially undesirable clean-up behavior on error

  #567 opened 6 months ago by christophetd
  0

• New AWS attack technique: Update IAM user login profile

  #554 opened 6 months ago by christophetd
  0

• Terraform CDK?

  #543 opened 6 months ago by HarishHary
  3

• New attack technique: SendSerialConsoleSSHPublicKey

  #487 opened a year ago by christophetd
  2

• New attack technnique: Exfiltrate disk of Azure VM by snapshotting it

  #510 opened a year ago by christophetd
  0

• Analyze LUCR-3 TTPs and suggest new attack techniques

  #496 opened 6 months ago by christophetd
  2

• [AWS] Add boundary support

  #508 opened 6 months ago by Renizmy
  5

• Document permissions required to detonate each attack technique

  #555 opened 6 months ago by christophetd
  0

• Analyze Unit42 blog post, measure coverage and propose new attack techniques

  #527 opened 6 months ago by christophetd
  3

• New attack technique: Login via AWS EC2 Serial Console

  #531 opened 6 months ago by siigil
  2

• New attack technique: Modify Startup Scripts in GCP Compute Metadata

  #537 opened 8 months ago by siigil
  0

• New attack technique: Use GCP OSLogin to Push SSH Keys

  #536 opened 8 months ago by siigil
  0

• New attack technique: Update GCP Compute Metadata to Push SSH Keys

  #535 opened 6 months ago by siigil
  1

• New attack technique: Use GCP OSConfig (VM Manager) to Execute Code

  #534 opened 8 months ago by siigil
  0

• New attack technique: Login via Azure Serial Console

  #533 opened 8 months ago by siigil
  0

• New attack technique: Modify Startup Scripts in Azure VM Custom Data

  #532 opened 8 months ago by siigil
  0

• Unable to re-detonate aws.credential-access.secretsmanager-batch-retrieve-secrets because same secret naming convention

  #551 opened 7 months ago by kljunowsky
  2

• New attack techniques: Kubernetes

  #550 opened 7 months ago by micahhausler
  2

• Programmatic usage: allow passing a specific context for detonation

  #545 opened 7 months ago by christophetd
  0

• New EKS attack technique: Create new admin cluster access management entry to access the cluster

  #540 opened 8 months ago by christophetd
  0

• New attack technique: ImportKeyPair on an EC2 instance

  #526 opened 9 months ago by christophetd
  1

• Display nicer error when AWS_REGION is not set

  #506 opened a year ago by christophetd
  0

• Backdoor AWS account using "guest" role in Cognito Identity Pool

  #450 opened a year ago by christophetd
  1

• "An argument named skip_get_ec2_platforms is not expected here" when detonating aws.credential-access.ec2-get-password-data

  #505 opened a year ago by christophetd
  1

• New attack technique: VMAccess Extension to add SSH keys to VMs

  #486 opened a year ago by christophetd
  0

• New attack technique: Snapshot existing volume and attach to compromised EC2 instance

  #485 opened a year ago by christophetd
  0

• Usage of ssm:SendCommand on multiple instances #60

  #480 opened a year ago by christophetd
  1

• Create new backdoor IAM role

  #469 opened a year ago by christophetd
  1

• AWS Route53: disable DNS query logging

  #470 opened a year ago by ccamac01-dd
  1

• AWS SNS: delete topic

  #471 opened a year ago by ccamac01-dd
  1

• Incorrect IAM permissions causing Stratus to error on detonation of aws.defense-evasion.organizations-leave

  #462 opened a year ago by christofort
  4