erickatwork/stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud

Stratus Red Team

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.

Read the announcement blog posts:

• https://www.datadoghq.com/blog/cyber-attack-simulation-with-stratus-red-team/
• https://blog.christophetd.fr/introducing-stratus-red-team-an-adversary-emulation-tool-for-the-cloud/

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:

• Stratus Red Team Concepts

• Installing Stratus Red Team - Homebrew formula, Docker image and pre-built binaries available

• Available Attack Techniques, mapped to MITRE ATT&CK

Installation

• Mac OS:

brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
brew install datadog/stratus-red-team/stratus-red-team

• Linux / Windows / Mac OS: Download one of the pre-built binaries.

• Docker:

IMAGE="ghcr.io/datadog/stratus-red-team"
alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

Community

The following section lists posts and projects from the community leveraging Stratus Red Team.

Open-source projects:

• Threatest
• AWS Threat Detection with Stratus Red Team

Blog posts:

• Adversary emulation on AWS with Stratus Red Team and Wazuh
• Sky’s the Limit: Stratus Red Team for Azure
• Detecting realistic AWS cloud-attacks using Azure Sentinel
• A Data Driven Comparison of Open Source Adversary Emulation Tools
• Making Security Relevant in the Cloud

Talks:

• Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team, DEF CON Cloud Village 2022 (recorded after the event as the talks were not recorded)
• Threat-Driven Development with Stratus Red Team by Ryan Marcotte Cobb
• Cloudy With a Chance of Purple Rain: Leveraging Stratus Red Team - BSides Portland 2022

Videos:

• Stratus Red Team: AWS EC2 Instance Credential Theft | Threat SnapShot

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building Locally

make
./bin/stratus --help

Running Locally

go run cmd/stratus/*.go list

Running the Tests

make test

Building the Documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Maintainer: @christophetd

Similar projects (see how Stratus Red Team compares):

• Atomic Red Team by Red Canary
• Leonidas by F-Secure
• pacu by Rhino Security Labs
• Amazon GuardDuty Tester
• CloudGoat by Rhino Security Labs

Inspiration and relevant resources:

• https://expel.io/blog/mind-map-for-aws-investigations/
• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
• https://github.com/elastic/detection-rules/tree/main/rules/integrations/aws