Stratus-red-team - Granular, Actionable Adversary Emulation for the Cloud

Overview

Stratus Red team


Stratus Red Team is "Atomic Red Team™" for the cloud: it lets you emulate offensive attack techniques in a granular and self-contained manner, so that each technique can be detonated, detected and cleaned up on its own.

Read the announcement blog posts:

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:

Installation

  • Mac OS:
    brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
    brew install datadog/stratus-red-team/stratus-red-team
  • Docker:
    IMAGE="ghcr.io/datadog/stratus-red-team"
    alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building locally

make
./bin/stratus --help

Running locally

go run cmd/stratus/*.go list

Running the tests

make test

Building the documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Maintainer: @christophetd

Similar projects (see how Stratus Red Team compares):

Inspiration and relevant resources:

Issues
  • Commands fail to connect to AWS

    What is not working? stratus fails to use AWS credentials

    What OS are you using? Ubuntu 18.04.5 x86_64

    What is your Stratus Red Team version? 1.4.0

    Full output?

    ./stratus warmup aws.exfiltration.ec2-security-group-open-port-22-ingress
    2022/02/14 14:47:36 Checking your authentication against the AWS API
    2022/02/14 14:47:36 You are not authenticated against AWS, or you have not set your region. Make sure you are authenticated against AWS, and you have a default region set in your AWS config or environment (export AWS_DEFAULT_REGION=us-east-1)
    

    Files in $HOME/.stratus-red-team?

    ls -altr /home/application/.stratus-red-team/
    total 60620
    drwxr--r--  2 application application     4096 Feb 11 16:11 aws.persistence.iam-backdoor-user
    -rwx------  1 application application 61956096 Feb 11 16:11 terraform
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.privilege-escalation.privileged-pod
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.privilege-escalation.hostpath-volume
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.persistence.create-admin-clusterrole
    drwxr--r--  2 application application     4096 Feb 11 16:28 k8s.credential-access.steal-serviceaccount-token
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.lambda-backdoor-function
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-create-user-login-profile
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-create-admin-user
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.persistence.iam-backdoor-role
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.s3-backdoor-bucket-policy
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.rds-share-snapshot
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-share-ebs-snapshot
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-share-ami
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.exfiltration.ec2-security-group-open-port-22-ingress
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.execution.ec2-user-data
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.discovery.ec2-enumerate-from-instance
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.discovery.ec2-download-user-data
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.vpc-remove-flow-logs
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.organizations-leave
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-stop
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-lifecycle-rule
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-event-selectors
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.defense-evasion.cloudtrail-delete
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ssm-retrieve-securestring-parameters
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.secretsmanager-retrieve-secrets
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ec2-steal-instance-credentials
    drwxr--r--  2 application application     4096 Feb 11 16:28 aws.credential-access.ec2-get-password-data
    drwxr--r-- 29 application application     4096 Feb 11 16:28 .
    drwxr-xr-x 14 application application     4096 Feb 14 14:45 ..
    

    It is also worth mentioning that running aws sts get-caller-identity returns the User ID, Account, and role being used. AWS_REGION and AWS_DEFAULT_REGION are both correctly set.

    kind/question status/triage 
    opened by zatarra 9
  • Programmatic usage can't use internal package internal/providers

    I'm trying to use stratus-red-team as a library from a custom orchestrator. Basic usage works fine but when trying to replicate the custom technique example, it doesn't seem to be usable outside of the stratus-red-team repo:

    detonate_custom_technique.go:9:2: use of internal package github.com/datadog/stratus-red-team/internal/providers not allowed

    It seems like the AWS provider is critical here and there isn't another way to access it, so to allow for use as a library it shouldn't be marked internal?

    Full example of what I was trying in an empty directory:

    $ go mod init test
    go: creating new go.mod: module test
    go: to add module requirements and sums:
    	go mod tidy
    $ curl -sO https://raw.githubusercontent.com/DataDog/stratus-red-team/main/examples/custom/detonate_custom_technique.go
    $ curl -sO https://raw.githubusercontent.com/DataDog/stratus-red-team/main/examples/custom/prerequisites.tf            
    $ go get github.com/datadog/stratus-red-team
    go get: added github.com/datadog/stratus-red-team v1.7.0
    $ go get -d                                 
    $ go run detonate_custom_technique.go       
    package command-line-arguments
    	detonate_custom_technique.go:9:2: use of internal package github.com/datadog/stratus-red-team/internal/providers not allowed
    
    kind/bug status/confirmed 
    opened by gabedwrds 8
  • Detonations of EBS-related exfil techniques fail when EBS encryption by default is enabled for a region

    What is not working? Detonation fails for aws.exfiltration.ec2-share-ami and aws.exfiltration.ec2-share-ebs-snapshot when EBS encryption by default is enabled for a region

    What OS are you using? N/A

    What is your Stratus Red Team version? stratus version

    Full output?

    $ stratus detonate aws.exfiltration.ec2-share-ami
    2022/03/29 20:14:20 Checking your authentication against the AWS API
    2022/03/29 20:14:21 Not warming up - aws.exfiltration.ec2-share-ami is already warm. Use --force to force
    2022/03/29 20:14:21 Exfiltrating AMI ami-083ab591a70549402 by sharing it with an external AWS account
    2022/03/29 20:14:21 Error while detonating attack technique aws.exfiltration.ec2-share-ami: Unable to share AMI with external AWS account: operation error EC2: ModifyImageAttribute, https response error StatusCode: 400, RequestID: 97354885-357c-497f-b784-3365a5294736, api error InvalidParameter: Snapshots encrypted with the AWS Managed CMK can't be shared. Specify another snapshot.
    
    $ stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
    2022/03/29 20:20:23 Checking your authentication against the AWS API
    2022/03/29 20:20:23 Not warming up - aws.exfiltration.ec2-share-ebs-snapshot is already warm. Use --force to force
    2022/03/29 20:20:23 Sharing the volume snapshot snap-00d459dab53c44042 with an external AWS account...
    2022/03/29 20:20:23 Error while detonating attack technique aws.exfiltration.ec2-share-ebs-snapshot: operation error EC2: ModifySnapshotAttribute, https response error StatusCode: 400, RequestID: 12f44aeb-7b3b-4488-ac46-a432d20cc7a9, api error OperationNotPermitted: Encrypted snapshots with EBS default key cannot be shared
    

    Files in $HOME/.stratus-red-team? N/A

    kind/enhancement platform/aws status/confirmed 
    opened by mchaffe 8
  • Initial Azure support

    What does this PR do?

    • Add support for Azure techniques with a new provider

    Motivation

    • See #52

    Checklist

    • [x] Builds
    • [x] Manual testing
    • [x] Docs
    • [x] Tests
    opened by rcobb-scwx 7
  • New attack technique: Create ClusterAdmin role

    What does this PR do?

    Introduce a new TTP

    Checklist

    • [x] The attack technique emulates a single attack step, not a full attack chain
    • [x] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers - common privesc / persistence TTP
    • [x] The attack technique makes no assumption about the state of the environment prior to warming it up

    Discussion points

    • Should this be privesc or persistence?

    Sample output

    2022/02/07 23:28:36 Checking your authentication against Kubernetes
    2022/02/07 23:28:36 Creating Cluster Role stratus-red-team-clusterrole
    2022/02/07 23:28:36 Creating Service Account stratus-red-team-serviceaccount
    2022/02/07 23:28:36 Creating Cluster Role Binding to map the service account to the cluster role
    2022/02/07 23:28:36 Successfully generate service account token:
    
    eyJhbGciO...
    

    Decoding to: [screenshot of the decoded service account token, not captured in this export]

    kind/new-technique platform/k8s 
    opened by christophetd 7
  • SSM command fails for EC2 steal instance creds attack

    What is not working?

    Using a clean install/configuration of both aws-vault and stratus, the "aws.credential-access.ec2-steal-instance-credentials" technique fails to run the SSM command because stratus doesn't wait long enough for the EC2 instance to initialize and transition to a truly "ready" state. When running the warmup, detonate and cleanup commands manually, the attack works as expected.

    What OS are you using?

    macOS

    What is your Stratus Red Team version?

    ❯ stratus version
    1.6.1
    

    Full output?

    ❯ stratus detonate aws.credential-access.ec2-steal-instance-credentials --cleanup
    2022/03/29 10:56:21 Checking your authentication against AWS
    2022/03/29 10:56:22 Warming up aws.credential-access.ec2-steal-instance-credentials
    2022/03/29 10:56:22 Initializing Terraform to spin up technique prerequisites
    2022/03/29 10:56:26 Applying Terraform to spin up technique prerequisites
    2022/03/29 10:58:24 Instance id i-1234 in us-east-1a ready
    2022/03/29 10:58:24 Running command through SSM on i-1234: curl 169.254.169.254/latest/meta-data/iam/security-credentials/stratus-ec2-credentials-instance-role/
    2022/03/29 10:58:24 Cleaning up aws.credential-access.ec2-steal-instance-credentials
    2022/03/29 10:58:24 Cleaning up technique prerequisites with terraform destroy
    2022/03/29 10:59:25 Error while detonating attack technique aws.credential-access.ec2-steal-instance-credentials: unable to send SSM command to instance: operation error SSM: SendCommand, https response error StatusCode: 400, RequestID: 8d7d3000-ddd0-4116-9b38-83750ccd785c, InvalidInstanceId: Instances [[i-1234]] not in a valid state for account 5678
    

    Files in $HOME/.stratus-red-team? ls -lahR

    total 140240
    drwxr--r--  31 user  staff   992B Mar 29 10:59 .
    drwxr-x---+ 74 user  staff   2.3K Mar 29 11:01 ..
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ec2-get-password-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.secretsmanager-retrieve-secrets
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.credential-access.ssm-retrieve-securestring-parameters
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-delete
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-event-selectors
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-lifecycle-rule
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.cloudtrail-stop
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.organizations-leave
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.defense-evasion.vpc-remove-flow-logs
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-download-user-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.discovery.ec2-enumerate-from-instance
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.execution.ec2-user-data
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-security-group-open-port-22-ingress
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ami
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.ec2-share-ebs-snapshot
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.rds-share-snapshot
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.exfiltration.s3-backdoor-bucket-policy
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-role
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-backdoor-user
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-admin-user
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.iam-create-user-login-profile
    drwxr--r--   2 user  staff    64B Mar 28 15:24 aws.persistence.lambda-backdoor-function
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.dump-secrets
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.credential-access.steal-serviceaccount-token
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.persistence.create-admin-clusterrole
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.hostpath-volume
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.nodes-proxy
    drwxr--r--   2 user  staff    64B Mar 28 15:24 k8s.privilege-escalation.privileged-pod
    -rwx------   1 user  staff    68M Mar 28 15:17 terraform
    
    /Users/user/.stratus-red-team/aws.credential-access.ec2-get-password-data:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.credential-access.secretsmanager-retrieve-secrets:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.credential-access.ssm-retrieve-securestring-parameters:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-delete:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-event-selectors:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-lifecycle-rule:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.cloudtrail-stop:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.organizations-leave:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.defense-evasion.vpc-remove-flow-logs:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.discovery.ec2-download-user-data:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.discovery.ec2-enumerate-from-instance:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.execution.ec2-user-data:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.exfiltration.ec2-security-group-open-port-22-ingress:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.exfiltration.ec2-share-ami:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.exfiltration.ec2-share-ebs-snapshot:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.exfiltration.rds-share-snapshot:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.exfiltration.s3-backdoor-bucket-policy:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.persistence.iam-backdoor-role:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.persistence.iam-backdoor-user:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.persistence.iam-create-admin-user:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.persistence.iam-create-user-login-profile:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/aws.persistence.lambda-backdoor-function:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.credential-access.dump-secrets:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.credential-access.steal-serviceaccount-token:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.persistence.create-admin-clusterrole:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.privilege-escalation.hostpath-volume:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.privilege-escalation.nodes-proxy:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    /Users/user/.stratus-red-team/k8s.privilege-escalation.privileged-pod:
    total 0
    drwxr--r--   2 user  staff    64B Mar 28 15:24 .
    drwxr--r--  31 user  staff   992B Mar 29 10:59 ..
    
    kind/bug platform/aws status/confirmed 
    opened by 0xdeadbeefJERKY 6
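The issue above is a readiness race: EC2 reports the instance as running before the SSM agent has registered, so SendCommand is rejected with InvalidInstanceId. The robust fix in any orchestrator that drives SSM is to poll until the instance is actually an online managed node, with a backoff and a hard timeout, rather than sleeping a fixed amount. The block below is an added example written for this page, not Stratus Red Team's own code: the InstanceState model, the Prober type and fakeProber are constructed stand-ins for ec2:DescribeInstanceStatus and ssm:DescribeInstanceInformation so the loop runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// InstanceState is the readiness level a probe reports for an instance.
// Constructed model for this example, not the EC2 or SSM API's own state enum.
type InstanceState int

const (
	StatePending  InstanceState = iota // EC2 instance still booting
	StateRunning                       // EC2 says "running" but the SSM agent has not registered yet
	StateSSMReady                      // SSM lists the instance as an online managed node
)

// Prober reports the current state of an instance. In real code this would wrap
// ec2:DescribeInstanceStatus plus ssm:DescribeInstanceInformation; it is injected
// here so the wait loop can run and be tested without AWS credentials.
type Prober func(ctx context.Context, instanceID string) (InstanceState, error)

// WaitOptions bounds the polling loop: start at Initial, double up to Max, give up at Timeout.
type WaitOptions struct {
	Initial time.Duration
	Max     time.Duration
	Timeout time.Duration
}

// ErrTimeout is returned when the instance never reached StateSSMReady in time.
var ErrTimeout = errors.New("instance did not become SSM-ready before the timeout")

// WaitForSSMReady polls until the prober reports StateSSMReady, sleeping with
// exponential backoff between probes. It returns the number of probes made so the
// caller can log how long readiness actually took.
func WaitForSSMReady(ctx context.Context, probe Prober, instanceID string, o WaitOptions) (int, error) {
	ctx, cancel := context.WithTimeout(ctx, o.Timeout)
	defer cancel()

	delay := o.Initial
	probes := 0
	for {
		probes++
		state, err := probe(ctx, instanceID)
		if err != nil {
			// A hard API error (bad credentials, terminated instance) is not worth retrying.
			return probes, fmt.Errorf("probe %d of %s: %w", probes, instanceID, err)
		}
		if state == StateSSMReady {
			return probes, nil
		}
		// Sleep for the current delay, but wake early if the deadline passes.
		select {
		case <-time.After(delay):
		case <-ctx.Done():
			return probes, ErrTimeout
		}
		if delay *= 2; delay > o.Max {
			delay = o.Max
		}
	}
}

// fakeProber is a constructed stand-in for the AWS calls: it reports the instance as
// pending, then running, then SSM-ready on the readyAfter-th probe.
func fakeProber(readyAfter int) Prober {
	calls := 0
	return func(ctx context.Context, instanceID string) (InstanceState, error) {
		calls++
		switch {
		case calls >= readyAfter:
			return StateSSMReady, nil
		case calls == readyAfter-1:
			return StateRunning, nil
		default:
			return StatePending, nil
		}
	}
}

func main() {
	// Short delays so the stand-alone run finishes quickly; real values would be seconds.
	opts := WaitOptions{Initial: 100 * time.Millisecond, Max: 400 * time.Millisecond, Timeout: 5 * time.Second}
	// Constructed instance id; with the fake prober no AWS call is made.
	n, err := WaitForSSMReady(context.Background(), fakeProber(4), "i-0123456789abcdef0", opts)
	fmt.Printf("probes=%d err=%v\n", n, err)
}
```

Only after WaitForSSMReady returns nil should the orchestrator call SendCommand; a timeout is reported as a distinct error so it can be told apart from a permission problem when a detonation fails.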
  • Terraform: unexpected Content-Type

    problem starting stratus-red-team

    2022/05/23 00:39:19 Checking your authentication against AWS
    2022/05/23 00:39:20 Installing Terraform in /root/.stratus-red-team/terraform
    2022/05/23 00:39:20 error installing Terraform: unexpected Content-Type: "application/vnd+hashicorp.releases-api.v0+json"

    kind/bug status/confirmed 
    opened by python2015ajax 4
  • Make commands run in parallel

    What does this PR do?

    This PR is an attempt at solving https://github.com/DataDog/stratus-red-team/issues/15 to run commands in parallel by using as many go routines as max available procs depending on the config.

    I haven't been able to test it directly yet because I do not have an environment setup completely

    Motivation

    https://github.com/DataDog/stratus-red-team/issues/15

    Checklist

    • [ ] Test with a real setup
    kind/enhancement kind/performance 
    opened by JulesDT 4
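The PR above bounds the number of goroutines by the available procs. For a batch of independent detonations the important properties are that the concurrency cap actually holds, that one failing technique does not abort the others, and that every outcome is reported against its technique name. The block below is an added example of that pattern, not the PR's code: Task and Result are constructed types, and concurrencyMeter exists only to verify the cap; the technique names are taken from the listings elsewhere on this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// Task is one unit of work, e.g. detonating one technique.
// Constructed for this example; not Stratus Red Team's runner interface.
type Task struct {
	Name string
	Run  func(ctx context.Context) error
}

// Result pairs a task with its outcome; results come back in input order.
type Result struct {
	Name string
	Err  error
}

// RunParallel executes tasks with at most `workers` goroutines (default GOMAXPROCS)
// and records each task's error instead of stopping at the first failure.
func RunParallel(ctx context.Context, tasks []Task, workers int) []Result {
	if workers <= 0 {
		workers = runtime.GOMAXPROCS(0)
	}
	results := make([]Result, len(tasks))
	sem := make(chan struct{}, workers) // bounded concurrency
	var wg sync.WaitGroup
	for i, t := range tasks {
		wg.Add(1)
		go func(i int, t Task) {
			defer wg.Done()
			select {
			case sem <- struct{}{}:
			case <-ctx.Done(): // cancelled before a slot was free
				results[i] = Result{Name: t.Name, Err: ctx.Err()}
				return
			}
			defer func() { <-sem }()
			results[i] = Result{Name: t.Name, Err: t.Run(ctx)} // each goroutine writes its own slot
		}(i, t)
	}
	wg.Wait()
	return results
}

// Failures lists the names of tasks that returned an error.
func Failures(results []Result) []string {
	var out []string
	for _, r := range results {
		if r.Err != nil {
			out = append(out, r.Name)
		}
	}
	return out
}

// concurrencyMeter tracks the peak number of tasks running at once (test helper).
type concurrencyMeter struct{ cur, max int32 }

func (m *concurrencyMeter) enter() {
	n := atomic.AddInt32(&m.cur, 1)
	for {
		old := atomic.LoadInt32(&m.max)
		if n <= old || atomic.CompareAndSwapInt32(&m.max, old, n) {
			return
		}
	}
}
func (m *concurrencyMeter) leave() { atomic.AddInt32(&m.cur, -1) }

// SimulatedBatch builds tasks that sleep briefly; names ending in "-fails" return an error.
func SimulatedBatch(names []string, meter *concurrencyMeter, d time.Duration) []Task {
	tasks := make([]Task, 0, len(names))
	for _, name := range names {
		name := name
		tasks = append(tasks, Task{Name: name, Run: func(ctx context.Context) error {
			meter.enter()
			defer meter.leave()
			time.Sleep(d)
			if strings.HasSuffix(name, "-fails") {
				return errors.New("simulated detonation error")
			}
			return nil
		}})
	}
	return tasks
}

func main() {
	var meter concurrencyMeter
	names := []string{"aws.defense-evasion.cloudtrail-stop", "aws.persistence.iam-backdoor-user",
		"k8s.privilege-escalation.privileged-pod", "aws.exfiltration.ec2-share-ami-fails"}
	res := RunParallel(context.Background(), SimulatedBatch(names, &meter, 20*time.Millisecond), 2)
	fmt.Printf("peak concurrency=%d failures=%v\n", meter.max, Failures(res))
}
```

Whether a given cloud account tolerates concurrent detonations is a separate question from the goroutine count: API rate limits and the per-technique Terraform directories under ~/.stratus-red-team (visible in the listings above) are what actually decide how many techniques can safely run at once.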
  • Add dynamic autocomplete for techniques

    What does this PR do?

    • Enhancement: Add dynamic command line completion for available techniques (see link)

    Added to the commands where it felt it makes (most) sense, i.e. cleanup, detonate, revert, show, warmup

    Motivation

    • What inspired you to submit this pull request? Easier / more convenient to use.

    E.g.: stratus warmup aws.exec[tab][tab] will autocomplete to stratus warmup aws.execution.ec2-user-data, or stratus warmup aws.persist[tab] will autocomplete to stratus warmup aws.persistence.; with another [tab] the possible options (techniques) are listed

    $ stratus warmup aws.persistence.[tab]
    aws.persistence.iam-backdoor-role              aws.persistence.iam-create-admin-user
    aws.persistence.lambda-backdoor-function     ...
    

    Checklist

    Not applicable, as this is not a new attack technique

    kind/enhancement 
    opened by rollwagen 3
  • New attack technique: Update Lambda function code

    What does this PR do?

    • New attack technique that updates an existing Lambda function's code

    Motivation

    • What inspired you to submit this pull request? Cover a commonly described serverless attack technique, e.g. see AWS Lambda UpdateFunctionCode or Expel's publication "MITRE ATT&CK in Amazon Web Services - A defender's cheatsheet"

    Checklist

    • [X] The attack technique emulates a single attack step, not a full attack chain
    • [X] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
    • [X] The attack technique makes no assumption about the state of the environment prior to warming it up
    kind/new-technique platform/aws 
    opened by rollwagen 2
  • Add azure run command

    What does this PR do?

    • New attack technique: Azure VM Run Command

    Motivation

    • Related to !116

    Checklist

    • [X] The attack technique emulates a single attack step, not a full attack chain
    • [X] We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers
    • [X] The attack technique makes no assumption about the state of the environment prior to warming it up
    kind/new-technique platform/azure 
    opened by rcobb-scwx 2
  • Use Stratus in an End to End Scenario

    This is a feature request to create a proof-of-concept end to end testing flow for stratus red team.

    This should:

    1. Detonate a TTP
    2. Wait for detection
    3. Measure the detection
    4. Emit metrics on the time to detect

    It would be great to do this and open source a Dashboard for measuring effectiveness over time.

    opened by andrewkrug 1
  • Auto-generate ATT&CK coverage matrices

    Idea: automatically generate images showing the ATT&CK Tactics (not techniques) coverage

    Columns: ATT&CK Tactics
    Rows: Stratus Red Team attack techniques

    kind/documentation good first issue 
    opened by christophetd 0
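The matrix the issue asks for can be derived from the technique IDs alone, because Stratus Red Team names every technique platform.tactic.name and the tactic segment is an ATT&CK tactic slug (the listings above show defense-evasion, credential-access, exfiltration and so on). The block below is an added example, not the project's own generator: it parses IDs, rejects unknown tactics, counts coverage per tactic with zeros kept for the gaps, and renders a Markdown matrix with tactics as columns and techniques as rows. sampleIDs is a constructed subset of the technique names listed on this page.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// attackTactics lists the MITRE ATT&CK Enterprise tactics in matrix order, keyed by
// the slug used in Stratus Red Team technique IDs (platform.tactic.name).
var attackTactics = []struct{ Slug, Name string }{
	{"initial-access", "Initial Access"}, {"execution", "Execution"},
	{"persistence", "Persistence"}, {"privilege-escalation", "Privilege Escalation"},
	{"defense-evasion", "Defense Evasion"}, {"credential-access", "Credential Access"},
	{"discovery", "Discovery"}, {"lateral-movement", "Lateral Movement"},
	{"collection", "Collection"}, {"exfiltration", "Exfiltration"}, {"impact", "Impact"},
}

// Technique is the parsed form of an ID such as aws.defense-evasion.cloudtrail-stop.
type Technique struct {
	ID, Platform, Tactic, Name string
}

// ParseTechniqueID splits platform.tactic.name and rejects tactics that are not ATT&CK tactics.
func ParseTechniqueID(id string) (Technique, error) {
	parts := strings.SplitN(id, ".", 3)
	if len(parts) != 3 || parts[0] == "" || parts[2] == "" {
		return Technique{}, fmt.Errorf("technique id %q is not platform.tactic.name", id)
	}
	for _, t := range attackTactics {
		if t.Slug == parts[1] {
			return Technique{ID: id, Platform: parts[0], Tactic: parts[1], Name: parts[2]}, nil
		}
	}
	return Technique{}, fmt.Errorf("technique id %q: unknown tactic %q", id, parts[1])
}

// Coverage counts techniques per tactic slug. Tactics with no technique are present
// with 0 so the gaps in coverage are visible rather than silently missing.
func Coverage(techs []Technique) map[string]int {
	out := make(map[string]int, len(attackTactics))
	for _, t := range attackTactics {
		out[t.Slug] = 0
	}
	for _, t := range techs {
		out[t.Tactic]++
	}
	return out
}

// RenderMatrix renders a Markdown table: one row per technique (sorted for stable
// output), one column per tactic, an "x" where the technique belongs.
func RenderMatrix(techs []Technique) string {
	sorted := append([]Technique(nil), techs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ID < sorted[j].ID })
	var b strings.Builder
	b.WriteString("| Technique |")
	for _, t := range attackTactics {
		b.WriteString(" " + t.Name + " |")
	}
	b.WriteString("\n|---|" + strings.Repeat(":-:|", len(attackTactics)) + "\n")
	for _, tech := range sorted {
		b.WriteString("| " + tech.ID + " |")
		for _, t := range attackTactics {
			if t.Slug == tech.Tactic {
				b.WriteString(" x |")
			} else {
				b.WriteString("   |")
			}
		}
		b.WriteString("\n")
	}
	return b.String()
}

// sampleIDs is a constructed subset of the technique names in this page's listings;
// a real generator would read the technique registry instead.
var sampleIDs = []string{
	"aws.credential-access.ec2-steal-instance-credentials",
	"aws.defense-evasion.cloudtrail-stop", "aws.defense-evasion.vpc-remove-flow-logs",
	"aws.discovery.ec2-enumerate-from-instance", "aws.execution.ec2-user-data",
	"aws.exfiltration.ec2-share-ebs-snapshot", "aws.persistence.iam-backdoor-user",
	"k8s.persistence.create-admin-clusterrole", "k8s.privilege-escalation.privileged-pod",
}

// LoadSample parses sampleIDs, failing on the first malformed ID.
func LoadSample() ([]Technique, error) {
	var out []Technique
	for _, id := range sampleIDs {
		t, err := ParseTechniqueID(id)
		if err != nil {
			return nil, err
		}
		out = append(out, t)
	}
	return out, nil
}

func main() {
	techs, err := LoadSample()
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderMatrix(techs))
	cov := Coverage(techs)
	for _, t := range attackTactics {
		fmt.Printf("%-22s %d\n", t.Name, cov[t.Slug])
	}
}
```

Keeping the zero-count tactics in the output is the point of a coverage matrix for a detection team: the empty Lateral Movement or Collection column is what tells you which ATT&CK tactics your emulation suite cannot yet exercise.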
  • Attempts to spin up several unusual EC2 instances

    Warm-up: Create an IAM role that doesn't have permissions to run EC2 instances. This ensures the attempts are not successful, and the attack technique is fast to detonate

    Detonation:

    • Assume the IAM role (see example: https://github.com/DataDog/stratus-red-team/blob/main/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.go#L64-L66)
    • Attempt to create a certain number (5-10) of expensive-looking EC2 instances, e.g. p4d.24xlarge

    Notes:

    • We might want to implement it with a single call to RunInstances, since this call supports specifying the count of instances to launch (see https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ec2#RunInstancesInput)
      • Ideally, we want to have references to incidents where this happened
    kind/new-technique platform/aws 
    opened by christophetd 0
Releases: v2.1.0