Stratus Red Team is an open-source adversary emulation platform that simulates real-world cloud attacks across AWS, Azure, GCP, and Kubernetes. It’s designed for security teams to validate detections, test incident response procedures, and improve cloud security posture through controlled purple team exercises.
Installation
Go Install
go install github.com/DataDog/stratus-red-team/v2/cmd/stratus@latest
stratus --version
GitHub Release Download
# Download latest release
cd /tmp
wget https://github.com/DataDog/stratus-red-team/releases/download/v2.x.x/stratus-linux-x86_64
chmod +x stratus-linux-x86_64
sudo mv stratus-linux-x86_64 /usr/local/bin/stratus
Homebrew (macOS)
brew install stratus-red-team
stratus --version
Docker
docker run datadog/stratus-red-team:latest stratus --help
docker run -e AWS_REGION=us-east-1 datadog/stratus-red-team:latest stratus list
Docker with AWS Credentials
docker run -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
-e AWS_REGION=us-east-1 \
datadog/stratus-red-team:latest stratus detonate aws.defense-evasion.cloudtrail-delete
Quick Start
List All Available Techniques
stratus list
stratus list --platform aws
stratus list --platform azure
stratus list --platform gcp
stratus list --platform kubernetes
Filter by MITRE ATT&CK Tactic
stratus list --mitre-attack-tactic credential-access
stratus list --mitre-attack-tactic defense-evasion
stratus list --mitre-attack-tactic discovery
View Technique Details
stratus show aws.initial-access.console-login-without-mfa
stratus show azure.credential-access.add-member-to-group
Quick Detonate Technique
stratus detonate aws.discovery.ec2-enumerate-instances
Attack Technique Lifecycle
Stratus follows a structured lifecycle for each technique:
| Lifecycle Stage | Description | Command |
|---|---|---|
| Warmup | Pre-requisite setup (create test IAM user, EC2 instances) | stratus warmup <technique> |
| Detonate | Execute the attack technique | stratus detonate <technique> |
| Cleanup | Remove artifacts created during detonate | stratus detonate --cleanup <technique> |
| Revert | Undo all changes from warmup | stratus revert <technique> |
| Status | Check warmup/detonate state of technique | stratus status <technique> |
Typical Workflow
# 1. Warm up (creates test infrastructure)
stratus warmup aws.persistence.create-access-key
# 2. Detonate (runs the attack)
stratus detonate aws.persistence.create-access-key
# 3. View status
stratus status aws.persistence.create-access-key
# 4. Cleanup artifacts from detonate
stratus detonate --cleanup aws.persistence.create-access-key
# 5. Revert warmup changes
stratus revert aws.persistence.create-access-key
AWS Techniques
Credential Access
| Technique | Description |
|---|---|
| aws.credential-access.ec2-get-password-data | Retrieve Windows instance password |
| aws.credential-access.ec2-describe-security-groups | List security groups and rules |
| aws.credential-access.iam-get-user | Enumerate IAM user details |
| aws.credential-access.secretsmanager-list | List AWS Secrets Manager secrets |
Persistence
| Technique | Description |
|---|---|
| aws.persistence.create-access-key | Create IAM access keys for persistence |
| aws.persistence.create-iam-user | Backdoor IAM user creation |
| aws.persistence.create-login-profile | Add password-based console access |
| aws.persistence.create-iam-role | Create privileged IAM role |
| aws.persistence.lambda-invocation-role | Create Lambda execution role |
Defense Evasion
| Technique | Description |
|---|---|
| aws.defense-evasion.cloudtrail-delete | Delete CloudTrail logs |
| aws.defense-evasion.disable-cloudtrail | Disable CloudTrail logging |
| aws.defense-evasion.disable-guardduty | Disable GuardDuty detections |
| aws.defense-evasion.vpc-flow-logs-disable | Disable VPC Flow Logs |
| aws.defense-evasion.s3-block-public-access-disable | Disable S3 public access block |
Discovery
| Technique | Description |
|---|---|
| aws.discovery.ec2-enumerate-instances | List EC2 instances and details |
| aws.discovery.iam-enumerate-users | Enumerate IAM users |
| aws.discovery.iam-enumerate-roles | Enumerate IAM roles |
| aws.discovery.s3-list-buckets | List all S3 buckets |
| aws.discovery.rds-describe-instances | Discover RDS database instances |
Exfiltration
| Technique | Description |
|---|---|
| aws.exfiltration.s3-download-object | Download objects from S3 bucket |
| aws.exfiltration.ec2-snapshot-create | Create EC2 snapshot for data theft |
| aws.exfiltration.rds-snapshot-create | Create RDS snapshot copy |
| aws.exfiltration.logs-get-log-events | Extract CloudWatch logs |
Initial Access
| Technique | Description |
|---|---|
| aws.initial-access.console-login-without-mfa | AWS console login without MFA |
| aws.initial-access.ec2-launch-instance | Launch EC2 instance |
Lateral Movement
| Technique | Description |
|---|---|
| aws.lateral-movement.iam-assume-role | Assume IAM role across accounts |
| aws.lateral-movement.ec2-describe-instances | Enumerate instances for pivoting |
Azure Techniques
Credential Access
stratus show azure.credential-access.az-cli-list-user-credentials
| Technique | Description |
|---|---|
| azure.credential-access.get-managed-identity-token | Extract managed identity tokens |
| azure.credential-access.list-app-service-auth | Enumerate app service authentication |
Persistence
| Technique | Description |
|---|---|
| azure.persistence.create-service-principal | Create backdoor service principal |
| azure.persistence.add-global-admin | Add global admin to Entra ID |
| azure.persistence.app-service-publish | Publish backdoor app service |
Entra ID (Azure AD) Attacks
stratus list --platform azure | grep entra
| Technique | Description |
|---|---|
| azure.persistence.add-member-to-group | Add backdoor member to group |
| azure.defense-evasion.disable-mfa-for-user | Disable MFA on target user |
Discovery
| Technique | Description |
|---|---|
| azure.discovery.list-subscriptions | Enumerate Azure subscriptions |
| azure.discovery.list-app-services | Discover app service instances |
| azure.discovery.list-keyvault-secrets | Enumerate Key Vault secrets |
GCP Techniques
Service Account Abuse
stratus list --platform gcp | grep service-account
| Technique | Description |
|---|---|
| gcp.persistence.iam-add-member | Add backdoor IAM member |
| gcp.credential-access.get-service-account-keys | Enumerate service account keys |
Compute Discovery
| Technique | Description |
|---|---|
| gcp.discovery.compute-instances | List Compute Engine instances |
| gcp.discovery.list-cloud-sql | Enumerate Cloud SQL instances |
| gcp.discovery.list-storage-buckets | List GCS buckets |
Defense Evasion
| Technique | Description |
|---|---|
| gcp.defense-evasion.disable-cloud-audit-logs | Disable Cloud Audit Logging |
Kubernetes Techniques
Pod Creation & Escape
| Technique | Description |
|---|---|
| kubernetes.persistence.create-pod | Create privileged pod |
| kubernetes.privilege-escalation.create-clusterrole | Create ClusterRole for persistence |
RBAC Abuse
| Technique | Description |
|---|---|
| kubernetes.persistence.create-clusterrolebinding | Bind cluster admin role |
| kubernetes.discovery.list-clusterroles | Enumerate available roles |
Secrets Access
stratus detonate kubernetes.credential-access.list-secrets
| Technique | Description |
|---|---|
| kubernetes.credential-access.list-secrets | Extract Kubernetes secrets |
| kubernetes.credential-access.get-secret | Read specific secret value |
Listing and Filtering
Comprehensive List with Details
stratus list -o table
stratus list -o json | jq '.[] | .id'
Filter by Multiple Criteria
# AWS + credential access
stratus list --platform aws --mitre-attack-tactic credential-access
# Azure + persistence
stratus list --platform azure --mitre-attack-tactic persistence
# Defense evasion across all platforms
stratus list --mitre-attack-tactic defense-evasion
# JSON output for scripting
stratus list --format json | jq '.[] | select(.tactic=="credential-access")'
# CSV export
stratus list --format csv > techniques.csv
Search by Technique ID
stratus show aws.defense-evasion.cloudtrail-delete --format json
Warming Up
Warmup creates prerequisite infrastructure (IAM users, EC2 instances, S3 buckets) needed for techniques to run successfully.
Basic Warmup
stratus warmup aws.persistence.create-access-key
stratus warmup aws.discovery.ec2-enumerate-instances
stratus warmup aws.discovery.iam-enumerate-users
Check Warmup Status
stratus status aws.persistence.create-access-key
Warmup with Custom Parameters
# Some techniques support parameters
stratus warmup aws.discovery.ec2-enumerate-instances
Cleanup Warmup Resources
stratus revert aws.persistence.create-access-key
Detonation
Detonation executes the actual attack technique; it should be performed after a successful warmup.
Basic Detonate
stratus detonate aws.initial-access.console-login-without-mfa
Detonate with Cleanup
# Runs detonate + cleanup in one command
stratus detonate --cleanup aws.defense-evasion.cloudtrail-delete
Force Detonate (Skip Warmup Check)
stratus detonate --force aws.discovery.ec2-enumerate-instances
Detonate Multiple Techniques
for technique in aws.discovery.ec2-enumerate-instances aws.discovery.iam-enumerate-users; do
stratus detonate $technique
done
Dry Run (No Changes)
stratus detonate --dry-run aws.persistence.create-access-key
Status Management
Check Technique Status
stratus status aws.persistence.create-access-key
Status Output Indicates
Warmup: ✓ done
Detonate: ✓ done
Revert All Changes
stratus revert aws.persistence.create-access-key
Cleanup Detonate Artifacts
stratus detonate --cleanup aws.defense-evasion.cloudtrail-delete
View Cleanup Logs
stratus status aws.persistence.create-access-key --verbose
Batch Status Check
for technique in $(stratus list --platform aws --format json | jq -r '.[].id'); do
echo "=== $technique ==="
stratus status $technique 2>/dev/null | head -2
done
Custom Techniques
Stratus supports extending with custom techniques via JSON configuration.
Custom Technique Structure
techniques:
  - id: custom.example.my-technique
    name: My Custom Attack
    description: Custom detection test
    tactic: discovery
    platforms:
      - aws
    prerequisites:
      - iam:CreateUser
    steps:
      - name: Create test user
        module: ec2
        function: describe_instances
Load Custom Techniques
stratus detonate --techniques-dir ./custom_techniques custom.example.my-technique
Troubleshooting
Authentication Issues
# Verify AWS credentials
aws sts get-caller-identity
# Check Azure authentication
az account show
# Verify GCP credentials
gcloud auth list
Permission Denied Errors
# Check required IAM permissions
stratus show aws.persistence.create-access-key --show-permissions
# Ensure service account has necessary roles
gcloud projects get-iam-policy <project>
Technique Won’t Warm Up
# Use verbose output
stratus warmup --verbose aws.persistence.create-access-key
# Check prerequisites
stratus show aws.persistence.create-access-key | grep -i prerequisite
Cleanup Failures
# Force cleanup
stratus revert --force aws.persistence.create-access-key
# Manual cleanup may be required for failed techniques
aws iam delete-user --user-name stratus-<randomid>
Rate Limiting
# Add delays between detonations
for technique in $(stratus list --platform aws --format json | jq -r '.[].id'); do
stratus detonate $technique
sleep 5
done
Best Practices
| Practice | Details |
|---|---|
| Use Test Accounts | Run on isolated test AWS/Azure/GCP accounts, not production |
| Document Detection | Log all detonate events and correlate with SIEM detections |
| Cleanup After Tests | Always run cleanup/revert to remove test artifacts |
| Start Simple | Test individual techniques before batch execution |
| Monitor Logs | Enable CloudTrail, Azure Audit Logs, Cloud Audit Logs |
| Validate Detection | Verify your detection tools alert on technique execution |
| Schedule Tests | Run red team exercises on regular cadence (monthly/quarterly) |
| Team Communication | Notify relevant teams before purple team exercises |
| Review Results | Document which techniques triggered alerts and which didn’t |
| Iterate Detections | Update detection rules based on gaps identified |
Example Full Workflow
#!/bin/bash
TECHNIQUE="aws.discovery.ec2-enumerate-instances"
echo "Starting red team exercise on $TECHNIQUE"
echo "1. Warming up..."
stratus warmup $TECHNIQUE
echo "2. Detonating attack..."
stratus detonate $TECHNIQUE
echo "3. Check your monitoring for alerts..."
sleep 30
echo "4. Cleaning up..."
stratus detonate --cleanup $TECHNIQUE
stratus revert $TECHNIQUE
echo "5. Verify cleanup..."
stratus status $TECHNIQUE
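The full workflow above, extended into a reusable purple-team runner that always cleans up and writes a UTC-timestamped CSV of every stage, so each detonation window can be matched against SIEM or CloudTrail alerts. This is an added example, not code from the Stratus Red Team project; it assumes `stratus` is on PATH, and the `STRATUS_CMD`, `RESULTS_CSV` and `DETECTION_WAIT` variables are names chosen here.

```shell
#!/bin/bash
# Purple-team runner for Stratus Red Team (added example, not part of the
# project). For each technique it runs warmup -> detonate -> cleanup -> revert,
# cleaning up even when detonate fails, and appends one CSV row per stage
# with start/end UTC timestamps for correlation with SIEM detections.
STRATUS_CMD="${STRATUS_CMD:-stratus}"      # override to exercise the script without cloud access
RESULTS_CSV="${RESULTS_CSV:-stratus-results.csv}"

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_stage STAGE TECHNIQUE: run one lifecycle stage, log it, return its exit status.
run_stage() {
  local stage=$1 technique=$2 start end rc=0
  start=$(utc_now)
  case "$stage" in
    cleanup) "$STRATUS_CMD" detonate --cleanup "$technique" || rc=$? ;;
    *)       "$STRATUS_CMD" "$stage" "$technique" || rc=$? ;;
  esac
  end=$(utc_now)
  printf '%s,%s,%s,%s,%s\n' "$technique" "$stage" "$start" "$end" "$rc" >>"$RESULTS_CSV"
  return "$rc"
}

# run_exercise TECHNIQUE: full lifecycle. Cleanup and revert run even when
# detonate fails; returns 0 only if warmup and detonate both succeeded.
run_exercise() {
  local technique=$1 rc=0
  run_stage warmup "$technique" || { run_stage revert "$technique"; return 1; }
  run_stage detonate "$technique" || rc=1
  sleep "${DETECTION_WAIT:-30}"    # give the SIEM time to ingest the events
  run_stage cleanup "$technique"   # best effort; the exit code lands in the CSV
  run_stage revert "$technique"
  return "$rc"
}

# detonated_count: successful detonations recorded in the CSV, i.e. the set of
# techniques whose alerts you now need to look for.
detonated_count() {
  [ -f "$RESULTS_CSV" ] || { echo 0; return; }
  grep -c ',detonate,.*,0$' "$RESULTS_CSV" || true
}

if [ $# -eq 0 ]; then
  echo "usage: $0 <technique-id> [<technique-id> ...]" >&2
else
  [ -f "$RESULTS_CSV" ] || echo 'technique,stage,start_utc,end_utc,exit_code' >"$RESULTS_CSV"
  for t in "$@"; do run_exercise "$t" || echo "FAILED: $t" >&2; done
  echo "Successful detonations: $(detonated_count) (details in $RESULTS_CSV)"
fi
```

Each CSV row gives the exact start and end time of a stage, which is what you need to query CloudTrail or your SIEM for the events that technique should have produced.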
Related Tools
| Tool | Purpose |
|---|---|
| CALDERA | Multi-platform adversary emulation with plugin architecture |
| Atomic Red Team | Atomic techniques mapping directly to MITRE ATT&CK |
| Pacu | AWS exploitation and reconnaissance framework |
| CloudGoat | AWS-focused intentional vulnerability creator |
| Gremlin | Chaos engineering for cloud infrastructure testing |
| Kubelet | Kubernetes security assessment framework |
| Falco | Runtime security monitoring for cloud-native environments |
Integration Examples
# Run Stratus technique and monitor with Falco
stratus detonate kubernetes.privilege-escalation.create-clusterrole &
falco -o json | jq '.rule'
# Automate with Atomic Red Team
stratus list --format json | jq '.[] | select(.platform=="aws")'