emulating-cloud-attacks-with-stratus-red-team
Detonate granular AWS, Azure, GCP, and Kubernetes attack techniques to validate detections with Stratus Red Team.
| Field | Value |
|---|---|
| name | emulating-cloud-attacks-with-stratus-red-team |
| description | Detonate granular AWS, Azure, GCP, and Kubernetes attack techniques to validate detections with Stratus Red Team. |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | ["stratus-red-team","adversary-emulation","cloud-security","detection-validation","purple-team","aws","mitre-attack","threat-detection"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["DE.CM-01"] |
| mitre_attack | ["T1078"] |
Legal Notice: This skill is for authorized security testing and detection-validation purposes only. Stratus Red Team spins up and modifies real cloud infrastructure in the account whose credentials you supply. Only run it in accounts you own or are explicitly authorized to test. Always run `stratus cleanup` afterwards to avoid orphaned, billable, or insecure resources. Unauthorized use against systems you do not control is illegal.
Stratus Red Team is an open-source "Atomic Red Team for the cloud," maintained by Datadog. It is a self-contained Go binary that programmatically detonates granular, well-documented offensive techniques against AWS, Azure, GCP, and Kubernetes, then lets you cleanly revert and remove everything it created. Unlike a full exploitation framework, Stratus is purpose-built for detection engineering and purple teaming: each technique maps to a MITRE ATT&CK tactic and ships with a precise description of the cloud API calls it generates, so a blue team can confirm whether their CloudTrail/GuardDuty/Sentinel/Falco detections actually fire.
Every technique has a deterministic lifecycle. Stratus first provisions any prerequisite infrastructure with embedded Terraform (the warmup phase), then performs the malicious actions (detonate), optionally reverts the side effects so you can detonate again, and finally cleans up the prerequisite infrastructure. Because the prerequisites and the attack are decoupled, you can iterate on a detection by detonating the same technique repeatedly without re-provisioning. The tool uses your standard cloud SDK credential chain (AWS profiles/env vars, az login, GCP ADC, kubeconfig), so it operates with exactly the permissions of the identity you authenticate as; there is no separate Stratus credential store.
This skill covers installing Stratus, listing and filtering the technique catalog, running the full warmup-detonate-revert-cleanup lifecycle, mapping detonations to the telemetry they produce, and wiring the results into a detection-validation workflow. Source: github.com/DataDog/stratus-red-team and stratus-red-team.cloud official documentation.
```bash
# Go install
go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

# Homebrew
brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
brew install datadog/stratus-red-team/stratus-red-team

# Docker (mount the state directory so warmup/cleanup state survives the container)
docker run --rm -v "$HOME/.stratus-red-team/:/root/.stratus-red-team/" \
  -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
  ghcr.io/datadog/stratus-red-team list
```
```bash
# AWS: verify identity before detonating
export AWS_PROFILE=stratus-lab
aws sts get-caller-identity

# Azure
az login

# GCP
gcloud auth application-default login

# Kubernetes
kubectl config current-context
```
| ID | Name | Use in this skill |
|---|---|---|
| T1078 | Valid Accounts | Emulation runs as a valid cloud identity; many techniques abuse legitimate credentials/API access |
| T1078.004 | Valid Accounts: Cloud Accounts | e.g. aws.credential-access.ec2-steal-instance-credentials produces cloud-account abuse telemetry |
| T1580 | Cloud Infrastructure Discovery | Discovery-tactic techniques such as aws.discovery.* |
| T1530 | Data from Cloud Storage | Exfiltration techniques such as aws.exfiltration.ec2-share-ebs-snapshot |
| T1098 | Account Manipulation | Persistence techniques such as aws.persistence.iam-create-admin-user |
Always confirm which account you are about to attack, then browse the catalog.
```bash
aws sts get-caller-identity
stratus list

# Filter to a single platform
stratus list --platform aws

# Filter by MITRE ATT&CK tactic
stratus list --mitre-attack-tactic credential-access
```
Read exactly what a technique will do and which detonation/telemetry it produces.
```bash
stratus show aws.credential-access.ec2-steal-instance-credentials
```
Provision the prerequisites with embedded Terraform without performing the attack yet.
```bash
stratus warmup aws.credential-access.ec2-steal-instance-credentials
stratus status
```
Execute the malicious actions; this is what your detections must catch. Warmup is implicit if not already done.
```bash
stratus detonate aws.credential-access.ec2-steal-instance-credentials

# --force re-detonates even if stratus status already shows the technique as DETONATED
stratus detonate aws.persistence.iam-create-admin-user --force
```
Check lifecycle state, then pull the corresponding control-plane logs to confirm the attack landed.
```bash
stratus status

# Pull recent CloudTrail events to verify the detonation,
# e.g. CreateUser after aws.persistence.iam-create-admin-user.
# lookup-events can lag the API call by up to ~15 minutes; re-run if empty.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser \
  --max-results 10
```
Confirm your SIEM/detection fired. Example: query Athena/CloudTrail or check GuardDuty findings. GuardDuty findings usually surface minutes after the API activity, and list-findings returns only finding IDs; pass them to aws guardduty get-findings to read the finding type and details.

```bash
# date -d is GNU date; on macOS use: date -v-1H +%s
aws guardduty list-findings --detector-id "$DETECTOR_ID" \
  --finding-criteria '{"Criterion":{"updatedAt":{"GreaterThanOrEqual":'"$(date -d '-1 hour' +%s)"'000}}}'
```
Undo the detonation while keeping prerequisites so you can iterate on a detection.
```bash
stratus revert aws.credential-access.ec2-steal-instance-credentials
stratus detonate aws.credential-access.ec2-steal-instance-credentials   # run again
```
Tear down everything a technique created. Always finish here.
```bash
stratus cleanup aws.credential-access.ec2-steal-instance-credentials

# Remove everything Stratus ever provisioned in this account
stratus cleanup --all
stratus status   # confirm COLD state for all techniques
```
Loop over a tactic to measure detection coverage, then clean up. See scripts/agent.py.
```bash
python scripts/agent.py --platform aws --tactic credential-access --detonate --cleanup
```
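The warmup-detonate-revert-cleanup loop above is easy to get wrong by hand: a failed SIEM query or a Ctrl-C between detonate and cleanup leaves prerequisites (and an admin user) behind. The following is an added example for this page, not Stratus Red Team code and not the skill's scripts/agent.py. It drives the real `stratus` binary through an injectable `run` callable (so the control flow can be exercised without cloud credentials), always cleans up in a finally block, and parses `stratus status` to prove the technique ended COLD. The status table layout it assumes (pipe-separated rows, technique ID in the first cell, state in the last) is an assumption, as is the `check_detection` hook, which you replace with your own CloudTrail/GuardDuty/SIEM query.

```python
"""Drive the Stratus Red Team lifecycle for one technique with guaranteed cleanup.

Added example for this skill page; it is not Stratus Red Team code and not the
skill's scripts/agent.py. It shells out to the real `stratus` binary through a
`run` callable that defaults to subprocess.run and can be swapped for a fake.
"""
import subprocess


def stratus(args, run=subprocess.run):
    """Run `stratus <args>` and return its stdout; a non-zero exit raises."""
    proc = run(["stratus", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def technique_state(technique, run=subprocess.run):
    """Return COLD / WARM / DETONATED for one technique by parsing `stratus status`.

    Assumed layout: one row per technique, cells separated by '|', the technique
    ID in the first cell and the state in the last. Border lines are skipped.
    """
    for line in stratus(["status"], run).splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0] == technique:
            return cells[-1]
    return None


def validate_technique(technique, check_detection, iterations=1, run=subprocess.run):
    """warmup -> (detonate -> check -> revert) x iterations -> cleanup.

    check_detection(technique) is the operator's hook (CloudTrail lookup,
    GuardDuty poll, SIEM query) and returns True when the alert fired.
    Cleanup sits in a finally block so a failed check or a crash never leaves
    billable or insecure prerequisites behind.
    """
    fired = []
    stratus(["warmup", technique], run)
    try:
        for _ in range(iterations):
            stratus(["detonate", technique], run)
            fired.append(bool(check_detection(technique)))
            # revert undoes the side effects but keeps prerequisites, so the
            # next iteration does not pay for the Terraform warmup again
            stratus(["revert", technique], run)
    finally:
        stratus(["cleanup", technique], run)
    return {"technique": technique, "fired": fired,
            "final_state": technique_state(technique, run)}


if __name__ == "__main__":
    import sys
    tech = sys.argv[1] if len(sys.argv) > 1 else "aws.persistence.iam-create-admin-user"
    # Placeholder hook: answer interactively; replace with a real telemetry query.
    print(validate_technique(tech, lambda t: input(f"Did the alert for {t} fire? [y/N] ") == "y"))
```

Run it as `python validate.py aws.persistence.iam-create-admin-user` in the lab account; the returned `fired` list is one boolean per detonation, and `final_state` should read COLD before you call the run finished.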
| Resource | Purpose | Link |
|---|---|---|
| Stratus Red Team GitHub | Source, releases, technique source | https://github.com/DataDog/stratus-red-team |
| Stratus Red Team docs | Technique catalog and lifecycle reference | https://stratus-red-team.cloud |
| Attack technique list | Full per-platform technique IDs | https://stratus-red-team.cloud/attack-techniques/list/ |
| MITRE ATT&CK Cloud | Tactic/technique reference for mapping | https://attack.mitre.org/matrices/enterprise/cloud/ |
| Atomic Red Team | Complementary endpoint emulation | https://github.com/redcanaryco/atomic-red-team |
For purple-team value, pair each detonation with the telemetry and detection it should trigger:
| Technique | Expected telemetry | Detection to validate |
|---|---|---|
| aws.credential-access.ec2-steal-instance-credentials | CloudTrail: instance-role credentials used from an IP that is not the instance's | GuardDuty UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS (.InsideAWS when detonated from inside AWS) |
| aws.persistence.iam-create-admin-user | CreateUser + AttachUserPolicy (AdministratorAccess) | CloudTrail/Sentinel rule on admin-policy attach |
| aws.exfiltration.ec2-share-ebs-snapshot | ModifySnapshotAttribute sharing to external account | GuardDuty Exfiltration:EC2/... / custom rule |
| aws.discovery.ec2-enumerate-from-instance | Burst of Describe* from instance role | Enumeration-burst detection |
After detonation, confirm the alert fired end-to-end (source -> SIEM -> ticket). If it did not, you have found a coverage gap; document it before cleaning up.
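The table above says which control-plane calls each detonation must leave behind; the check that closes the loop is to run your rule logic over the actual CloudTrail records and list what is missing. The following is an added example for this page, not Stratus Red Team code and not the skill's scripts/agent.py. It encodes the four table rows as detection-as-code (three per-event signatures plus a rate rule for the enumeration burst), parses the JSON that `aws cloudtrail lookup-events` returns, and reports coverage per technique. The record shapes follow the CloudTrail schema, but every sample event, the lab account ID, the instance IP set and the burst threshold are constructed or assumed values for the demo.

```python
"""Check that a detonation produced the CloudTrail telemetry a detection must key on.

Added example for this skill page; it is not Stratus Red Team code and not the
skill's scripts/agent.py. Sample records are constructed, not captured; the lab
context (account ID, instance IPs) is an assumed operator-supplied input.
"""
import json


def _attaches_admin_policy(ev, ctx):
    arn = ev.get("requestParameters", {}).get("policyArn", "")
    return arn.endswith(":policy/AdministratorAccess")


def _shares_snapshot_externally(ev, ctx):
    params = ev.get("requestParameters", {})
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return False
    added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    # public share ("group": "all") or any account other than the lab account
    return any(item.get("group") == "all" or item.get("userId") not in (None, ctx["account"])
               for item in added)


def _role_creds_used_off_instance(ev, ctx):
    ident = ev.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return (ident.get("type") == "AssumedRole"
            and issuer.get("type") == "Role"
            and ev.get("sourceIPAddress") not in ctx["instance_ips"])


# technique -> {eventName: predicate(event, ctx)}; every listed call must be seen
SIGNATURES = {
    "aws.persistence.iam-create-admin-user": {
        "CreateUser": lambda ev, ctx: True,
        "AttachUserPolicy": _attaches_admin_policy,
    },
    "aws.exfiltration.ec2-share-ebs-snapshot": {
        "ModifySnapshotAttribute": _shares_snapshot_externally,
    },
    "aws.credential-access.ec2-steal-instance-credentials": {
        "GetCallerIdentity": _role_creds_used_off_instance,
    },
}


def load_lookup_events(raw):
    """Parse `aws cloudtrail lookup-events` output: each record is a JSON
    string nested under the CloudTrailEvent key."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(raw)["Events"]]


def validate(technique, events, ctx):
    """Report which of the technique's expected API calls were observed."""
    rules = SIGNATURES[technique]
    seen = {name: False for name in rules}
    for ev in events:
        name = ev.get("eventName")
        if name in rules and rules[name](ev, ctx):
            seen[name] = True
    missing = sorted(n for n, ok in seen.items() if not ok)
    return {"technique": technique, "covered": not missing, "missing": missing}


def describe_burst(events, ctx, threshold=5):
    """Rate rule for aws.discovery.ec2-enumerate-from-instance: count EC2
    Describe* calls made under an assumed-role (instance profile) session.
    The threshold is an assumed tuning value, not a Stratus or AWS constant."""
    n = sum(1 for ev in events
            if ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName", "").startswith("Describe")
            and ev.get("userIdentity", {}).get("type") == "AssumedRole")
    return {"technique": "aws.discovery.ec2-enumerate-from-instance",
            "covered": n >= threshold, "describe_calls": n}


def coverage_report(events, ctx):
    report = {t: validate(t, events, ctx) for t in SIGNATURES}
    report["aws.discovery.ec2-enumerate-from-instance"] = describe_burst(events, ctx)
    return report


# Constructed lab context and sample records (not real telemetry).
LAB = {"account": "111111111111", "instance_ips": {"203.0.113.10"}}
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "requestParameters": {"userName": "stratus-lab-user"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "requestParameters": {"userName": "stratus-lab-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "ModifySnapshotAttribute", "eventSource": "ec2.amazonaws.com",
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "stratus-lab-instance-role"}}}},
] + [
    {"eventName": name, "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}}
    for name in ("DescribeInstances", "DescribeSecurityGroups", "DescribeVolumes",
                 "DescribeSnapshots", "DescribeVpcs")
]

if __name__ == "__main__":
    print(json.dumps(coverage_report(SAMPLE_EVENTS, LAB), indent=2))
```

In practice you feed `load_lookup_events(open("lookup.json").read())` from a real `aws cloudtrail lookup-events --output json` run instead of SAMPLE_EVENTS; a technique that comes back with a non-empty `missing` list either did not detonate or your lookup window was too early, and one whose calls are present but whose SIEM alert never arrived is the coverage gap to document before cleanup.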
Finish with `stratus cleanup --all` and verify that `stratus status` returns COLD. `~/.stratus-red-team/` holds the Terraform state for every technique; preserve it until cleanup completes, or you may strand resources that Stratus can no longer find.

| State | Meaning |
|---|---|
| COLD | No prerequisites provisioned; nothing to clean up |
| WARM | Prerequisites provisioned but not yet detonated |
| DETONATED | Attack actions performed; side effects present |

Run checklist:

- `stratus list` returns the technique catalog
- `sts get-caller-identity` (or the platform equivalent) confirms the intended target account
- `stratus show` reviewed before detonation
- `stratus cleanup --all` run and `stratus status` returns COLD for every technique