cloud security

Emulating Cloud Attacks with Stratus Red Team

Detonate granular AWS, Azure, GCP, and Kubernetes attack techniques to validate detections with Stratus Red Team.

adversary-emulationawscloud-securitydetection-validationmitre-attackpurple-teamstratus-red-teamthreat-detection
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Legal Notice: This skill is for authorized security testing and detection-validation purposes only. Stratus Red Team spins up and modifies real cloud infrastructure in the account whose credentials you supply. Only run it in accounts you own or are explicitly authorized to test. Always cleanup afterwards to avoid orphaned, billable, or insecure resources. Unauthorized use against systems you do not control is illegal.

Overview

Stratus Red Team is an open-source "Atomic Red Team for the cloud," maintained by Datadog. It is a self-contained Go binary that programmatically detonates granular, well-documented offensive techniques against AWS, Azure, GCP, and Kubernetes, then lets you cleanly revert and remove everything it created. Unlike a full exploitation framework, Stratus is purpose-built for detection engineering and purple teaming: each technique maps to a MITRE ATT&CK tactic and ships with a precise description of the cloud API calls it generates, so a blue team can confirm whether their CloudTrail/GuardDuty/Sentinel/Falco detections actually fire.

Every technique has a deterministic lifecycle. Stratus first provisions any prerequisite infrastructure with embedded Terraform (the warmup phase), then performs the malicious actions (detonate), optionally reverts the side effects so you can detonate again, and finally cleanups the prerequisite infrastructure. Because the prerequisites and the attack are decoupled, you can iterate on a detection by detonating the same technique repeatedly without re-provisioning. The tool uses your standard cloud SDK credential chain (AWS profiles/env vars, az login, GCP ADC, kubeconfig), so it operates with exactly the permissions of the identity you authenticate as.

This skill covers installing Stratus, listing and filtering the technique catalog, running the full warmup-detonate-revert-cleanup lifecycle, mapping detonations to the telemetry they produce, and wiring the results into a detection-validation workflow. Source: github.com/DataDog/stratus-red-team and stratus-red-team.cloud official documentation.

When to Use

  • Validating that a new or existing cloud detection rule (CloudTrail, GuardDuty, Microsoft Sentinel, GCP SCC, Falco) actually triggers on real attacker activity
  • Building a repeatable purple-team exercise for cloud TTPs without writing bespoke attack scripts
  • Generating realistic, MITRE-mapped telemetry to test SIEM ingestion and alert routing
  • Measuring detection coverage of a cloud environment against a known catalog of techniques
  • Onboarding analysts with safe, reversible hands-on cloud attack simulations

Prerequisites

  • Stratus Red Team binary (Go 1.23+ to build from source, or Homebrew/Docker):
    # Go install
    go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest
     
    # Homebrew
    brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
    brew install datadog/stratus-red-team/stratus-red-team
     
    # Docker
    docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ \
      -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
      ghcr.io/datadog/stratus-red-team list
  • Authenticated cloud credentials for the target provider:
    # AWS — verify identity before detonating
    export AWS_PROFILE=stratus-lab
    aws sts get-caller-identity
     
    # Azure
    az login
     
    # GCP
    gcloud auth application-default login
     
    # Kubernetes
    kubectl config current-context
  • A dedicated, non-production lab account or subscription (techniques create real resources)
  • Terraform is embedded; no separate install is required, but outbound HTTPS to download provider plugins on first warmup is needed

Objectives

  • Install Stratus Red Team and confirm the target cloud identity
  • Enumerate and filter techniques by platform and MITRE ATT&CK tactic
  • Execute the warmup -> detonate -> revert -> cleanup lifecycle safely
  • Map each detonation to the cloud API calls and log sources it generates
  • Validate detection rules against the produced telemetry and track coverage
  • Guarantee no residual infrastructure remains after testing

MITRE ATT&CK Mapping

ID Name Use in this skill
T1078 Valid Accounts Emulation runs as a valid cloud identity; many techniques abuse legitimate credentials/API access
T1078.004 Valid Accounts: Cloud Accounts e.g. aws.credential-access.ec2-steal-instance-credentials produces cloud-account abuse telemetry
T1580 Cloud Infrastructure Discovery Discovery-tactic techniques such as aws.discovery.*
T1530 Data from Cloud Storage Exfiltration techniques such as aws.exfiltration.ec2-share-ebs-snapshot
T1098 Account Manipulation Persistence techniques such as aws.persistence.iam-create-admin-user

Workflow

1. Confirm identity and list the technique catalog

Always confirm which account you are about to attack, then browse the catalog.

aws sts get-caller-identity
stratus list
# Filter to a single platform
stratus list --platform aws
# Filter by MITRE ATT&CK tactic
stratus list --mitre-attack-tactic credential-access

2. Inspect a specific technique before running it

Read exactly what a technique will do and which detonation/telemetry it produces.

stratus show aws.credential-access.ec2-steal-instance-credentials

3. Warm up prerequisite infrastructure

Provision the prerequisites with embedded Terraform without performing the attack yet.

stratus warmup aws.credential-access.ec2-steal-instance-credentials
stratus status

4. Detonate the technique

Execute the malicious actions; this is what your detections must catch. Warmup is implicit if not already done.

stratus detonate aws.credential-access.ec2-steal-instance-credentials
# Detonate and force a re-warmup in one step
stratus detonate aws.persistence.iam-create-admin-user --force

5. Inspect status and the telemetry generated

Check lifecycle state, then pull the corresponding control-plane logs to confirm the attack landed.

stratus status
# Pull recent CloudTrail events to verify the detonation
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateAccessKey \
  --max-results 10

6. Validate the detection

Confirm your SIEM/detection fired. Example: query Athena/CloudTrail or check GuardDuty findings.

aws guardduty list-findings --detector-id "$DETECTOR_ID" \
  --finding-criteria '{"Criterion":{"updatedAt":{"GreaterThanOrEqual":'"$(date -d '-1 hour' +%s)"'000}}}'

7. Revert side effects to re-detonate

Undo the detonation while keeping prerequisites so you can iterate on a detection.

stratus revert aws.credential-access.ec2-steal-instance-credentials
stratus detonate aws.credential-access.ec2-steal-instance-credentials   # run again

8. Clean up all infrastructure

Tear down everything a technique created. Always finish here.

stratus cleanup aws.credential-access.ec2-steal-instance-credentials
# Nuke everything Stratus ever provisioned in this account
stratus cleanup --all
stratus status   # confirm COLD state for all techniques

9. Drive it programmatically for coverage runs

Loop over a tactic to measure detection coverage, then clean up. See scripts/agent.py.

python scripts/agent.py --platform aws --tactic credential-access --detonate --cleanup

Tools and Resources

Resource Purpose Link
Stratus Red Team GitHub Source, releases, technique source https://github.com/DataDog/stratus-red-team
Stratus Red Team docs Technique catalog and lifecycle reference https://stratus-red-team.cloud
Attack technique list Full per-platform technique IDs https://stratus-red-team.cloud/attack-techniques/list/
MITRE ATT&CK Cloud Tactic/technique reference for mapping https://attack.mitre.org/matrices/enterprise/cloud/
Atomic Red Team Complementary endpoint emulation https://github.com/redcanaryco/atomic-red-team

Detection-Validation Mapping

For purple-team value, pair each detonation with the telemetry and detection it should trigger:

Technique Expected telemetry Detection to validate
aws.credential-access.ec2-steal-instance-credentials CloudTrail use of role creds from a non-EC2 IP GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration
aws.persistence.iam-create-admin-user CreateUser + AttachUserPolicy (AdministratorAccess) CloudTrail/Sentinel rule on admin-policy attach
aws.exfiltration.ec2-share-ebs-snapshot ModifySnapshotAttribute sharing to external account GuardDuty Exfiltration:EC2/... / custom rule
aws.discovery.ec2-enumerate-from-instance Burst of Describe* from instance role Enumeration-burst detection

After detonation, confirm the alert fired end-to-end (source -> SIEM -> ticket). If it did not, you have found a coverage gap; document it before cleaning up.

Cost and Safety Notes

  • Some techniques provision billable resources (EC2 instances, EBS snapshots). Always run stratus cleanup --all and verify stratus status returns COLD.
  • Never run Stratus with production credentials; use a dedicated lab account/subscription.
  • The state directory ~/.stratus-red-team/ holds Terraform state — preserve it until cleanup completes, or you may strand resources.

Lifecycle State Reference

State Meaning
COLD No prerequisites provisioned; nothing to clean up
WARM Prerequisites provisioned but not yet detonated
DETONATED Attack actions performed; side effects present

Validation Criteria

  • Stratus installed and stratus list returns the technique catalog
  • Target cloud identity confirmed via sts get-caller-identity / equivalent
  • Technique inspected with stratus show before detonation
  • Warmup completed and status shows WARM
  • Detonation completed and status shows DETONATED
  • Generated telemetry located in CloudTrail/GuardDuty/SIEM
  • Detection rule confirmed to fire (or coverage gap documented)
  • Technique reverted and re-detonated to confirm repeatability
  • stratus cleanup --all run and status returns COLD for every technique
  • No orphaned billable resources remain in the account
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md2.4 KB

Stratus Red Team — Command Reference

Lifecycle Commands

Command Description
stratus list List all available attack techniques
stratus list --platform aws Filter techniques by platform (aws, azure, gcp, kubernetes, eks)
stratus list --mitre-attack-tactic credential-access Filter techniques by MITRE ATT&CK tactic
stratus show <technique-id> Print a technique's full description and detonation details
stratus warmup <technique-id> Provision prerequisite infrastructure (Terraform) without attacking
stratus detonate <technique-id> Execute the attack actions (implicit warmup if needed)
stratus detonate <id> --force Force a fresh warmup before detonating
stratus status Show the lifecycle state (COLD/WARM/DETONATED) of all techniques
stratus revert <technique-id> Undo detonation side effects, keeping prerequisites
stratus cleanup <technique-id> Remove a technique's prerequisite infrastructure
stratus cleanup --all Remove all infrastructure Stratus ever provisioned
stratus version Print the Stratus Red Team version

State and Configuration

Item Value
State directory ~/.stratus-red-team/ (Terraform binary, provider plugins, per-technique state)
AWS credentials Standard AWS SDK chain (AWS_PROFILE, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN)
Azure credentials az login / Azure SDK environment chain
GCP credentials Application Default Credentials (gcloud auth application-default login)
Kubernetes Active kubectl context / kubeconfig

Example Technique IDs

Technique ID Tactic
aws.credential-access.ec2-steal-instance-credentials Credential Access
aws.persistence.iam-create-admin-user Persistence
aws.exfiltration.ec2-share-ebs-snapshot Exfiltration
aws.discovery.ec2-enumerate-from-instance Discovery
gcp.persistence.create-admin-service-account Persistence
azure.execution.vm-custom-script-extension Execution
k8s.persistence.create-admin-clusterrole Persistence

Programmatic Use (Go SDK)

Stratus also exposes a Go package github.com/datadog/stratus-red-team/v2/pkg/stratus/runner that can be embedded in tooling to warm up, detonate, revert, and clean up techniques programmatically.

standards.md1.2 KB

Standards and Framework Mapping

NIST Cybersecurity Framework 2.0

ID Name Rationale
DE.CM-01 Networks and network services are monitored to find potentially adverse events Detonating Stratus techniques validates that cloud control-plane and network monitoring detects adversarial activity.

MITRE ATT&CK (Enterprise / Cloud)

ID Name Rationale
T1078 Valid Accounts Stratus runs as a legitimate cloud identity; many techniques emulate abuse of valid accounts and credentials.
T1078.004 Valid Accounts: Cloud Accounts Credential-access and persistence techniques specifically abuse cloud account access.
T1580 Cloud Infrastructure Discovery Discovery-tactic techniques enumerate cloud resources.
T1530 Data from Cloud Storage Exfiltration techniques (e.g., EBS snapshot sharing) emulate cloud data theft.
T1098 Account Manipulation Persistence techniques create or modify privileged cloud principals.

Supporting References

Scripts 1

agent.py5.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Stratus Red Team detection-validation helper.

Drives the `stratus` CLI to run a controlled warmup -> detonate -> (optional revert)
-> cleanup lifecycle across one or more techniques, optionally filtered by platform
and MITRE ATT&CK tactic. Designed for purple-team detection-coverage runs.

Authorized-use only: this detonates real attack techniques against the cloud
account whose credentials are in your environment. Use a dedicated lab account.

Examples:
  python agent.py --list --platform aws
  python agent.py --technique aws.credential-access.ec2-steal-instance-credentials --detonate --cleanup
  python agent.py --platform aws --tactic persistence --detonate --cleanup
"""
import argparse
import json
import shutil
import subprocess
import sys
import time


def require_stratus():
    if shutil.which("stratus") is None:
        sys.exit("error: 'stratus' binary not found in PATH. Install from "
                 "https://github.com/DataDog/stratus-red-team")


def run(args, capture=True, check=False):
    """Run a stratus subcommand and return (rc, stdout, stderr)."""
    cmd = ["stratus"] + args
    try:
        proc = subprocess.run(
            cmd,
            capture_output=capture,
            text=True,
            timeout=900,
        )
    except subprocess.TimeoutExpired:
        return 124, "", f"timeout running: {' '.join(cmd)}"
    except OSError as exc:
        return 1, "", f"failed to execute {' '.join(cmd)}: {exc}"
    if check and proc.returncode != 0:
        sys.stderr.write(proc.stderr or "")
    return proc.returncode, (proc.stdout or ""), (proc.stderr or "")


def list_techniques(platform=None, tactic=None):
    args = ["list"]
    if platform:
        args += ["--platform", platform]
    if tactic:
        args += ["--mitre-attack-tactic", tactic]
    rc, out, err = run(args)
    if rc != 0:
        sys.exit(f"error listing techniques: {err.strip()}")
    ids = []
    for line in out.splitlines():
        line = line.strip()
        # Technique IDs look like aws.persistence.iam-create-admin-user
        token = line.split()[0] if line else ""
        if token.count(".") >= 2 and "." in token and token[0].isalpha():
            ids.append(token)
    return ids


def lifecycle(technique, detonate, revert, cleanup):
    print(f"\n=== {technique} ===")
    rc, out, err = run(["warmup", technique], capture=False)
    if rc != 0:
        print(f"  [!] warmup failed (rc={rc}): {err.strip()}")
        return {"technique": technique, "status": "warmup_failed"}
    result = {"technique": technique, "status": "warmed"}

    if detonate:
        print("  [*] detonating ...")
        rc, out, err = run(["detonate", technique], capture=False)
        result["status"] = "detonated" if rc == 0 else "detonate_failed"
        if rc != 0:
            print(f"  [!] detonate failed: {err.strip()}")
        time.sleep(2)

    if revert and result["status"] == "detonated":
        print("  [*] reverting ...")
        run(["revert", technique], capture=False)
        result["status"] = "reverted"

    if cleanup:
        print("  [*] cleaning up ...")
        rc, out, err = run(["cleanup", technique], capture=False)
        result["cleaned"] = (rc == 0)
        if rc != 0:
            print(f"  [!] cleanup failed: {err.strip()}")
    return result


def main():
    p = argparse.ArgumentParser(description="Stratus Red Team lifecycle helper")
    p.add_argument("--list", action="store_true", help="list matching techniques and exit")
    p.add_argument("--platform", help="filter: aws|azure|gcp|kubernetes|eks")
    p.add_argument("--tactic", help="filter by MITRE ATT&CK tactic, e.g. credential-access")
    p.add_argument("--technique", action="append", default=[],
                   help="explicit technique ID (repeatable)")
    p.add_argument("--detonate", action="store_true", help="detonate after warmup")
    p.add_argument("--revert", action="store_true", help="revert detonation side effects")
    p.add_argument("--cleanup", action="store_true", help="cleanup prerequisites after run")
    p.add_argument("--json", action="store_true", help="emit JSON summary")
    args = p.parse_args()

    require_stratus()

    if args.list:
        for t in list_techniques(args.platform, args.tactic):
            print(t)
        return

    targets = list(args.technique)
    if not targets:
        targets = list_techniques(args.platform, args.tactic)
    if not targets:
        sys.exit("error: no techniques selected (use --technique or --platform/--tactic)")

    print(f"[+] {len(targets)} technique(s) selected")
    results = []
    try:
        for t in targets:
            results.append(lifecycle(t, args.detonate, args.revert, args.cleanup))
    except KeyboardInterrupt:
        print("\n[!] interrupted — run 'stratus cleanup --all' to remove residual infra")
        sys.exit(130)

    if args.json:
        print(json.dumps(results, indent=2))
    else:
        print("\n=== Summary ===")
        for r in results:
            print(f"  {r['technique']}: {r['status']}"
                  + (f" cleaned={r['cleaned']}" if "cleaned" in r else ""))


if __name__ == "__main__":
    main()
Keep exploring