Stratus Red Team is an open-source adversary emulation platform that simulates real-world cloud attacks across AWS, Azure, GCP, and Kubernetes. It’s designed for security teams to validate detections, test incident response procedures, and improve cloud security posture through controlled purple team exercises.
```bash
go install github.com/DataDog/stratus-red-team/v2/cmd/stratus@latest
stratus --version
```
```bash
# Download latest release
cd /tmp
wget https://github.com/DataDog/stratus-red-team/releases/download/v2.x.x/stratus-linux-x86_64
chmod +x stratus-linux-x86_64
sudo mv stratus-linux-x86_64 /usr/local/bin/stratus
```
```bash
brew install stratus-red-team
stratus --version
```
```bash
docker run datadog/stratus-red-team:latest stratus --help
docker run -e AWS_REGION=us-east-1 datadog/stratus-red-team:latest stratus list
docker run -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
    -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
    -e AWS_REGION=us-east-1 \
    datadog/stratus-red-team:latest stratus detonate aws.defense-evasion.cloudtrail-delete
```
```bash
stratus list
stratus list --platform aws
stratus list --platform azure
stratus list --platform gcp
stratus list --platform kubernetes
stratus list --mitre-attack-tactic credential-access
stratus list --mitre-attack-tactic defense-evasion
stratus list --mitre-attack-tactic discovery
stratus show aws.initial-access.console-login-without-mfa
stratus show azure.credential-access.add-member-to-group
stratus detonate aws.discovery.ec2-enumerate-instances
```
Stratus follows a structured lifecycle for each technique:
| Lifecycle Stage | Description | Command |
|---|---|---|
| Warmup | Pre-requisite setup (create test IAM user, EC2 instances) | `stratus warmup <technique>` |
| Detonate | Execute the attack technique | `stratus detonate <technique>` |
| Cleanup | Remove artifacts created during detonate | `stratus detonate --cleanup` |
| Revert | Undo all changes from warmup | `stratus revert <technique>` |
| Status | Check warmup/detonate state of technique | `stratus status <technique>` |
```bash
# 1. Warm up (creates test infrastructure)
stratus warmup aws.persistence.create-access-key
# 2. Detonate (runs the attack)
stratus detonate aws.persistence.create-access-key
# 3. View status
stratus status aws.persistence.create-access-key
# 4. Cleanup artifacts from detonate
stratus detonate --cleanup aws.persistence.create-access-key
# 5. Revert warmup changes
stratus revert aws.persistence.create-access-key
```
| Technique | Description |
|---|---|
| aws.credential-access.ec2-get-password-data | Retrieve Windows instance password |
| aws.credential-access.ec2-describe-security-groups | List security groups and rules |
| aws.credential-access.iam-get-user | Enumerate IAM user details |
| aws.credential-access.secretsmanager-list | List AWS Secrets Manager secrets |
| Technique | Description |
|---|---|
| aws.persistence.create-access-key | Create IAM access keys for persistence |
| aws.persistence.create-iam-user | Backdoor IAM user creation |
| aws.persistence.create-login-profile | Add password-based console access |
| aws.persistence.create-iam-role | Create privileged IAM role |
| aws.persistence.lambda-invocation-role | Create Lambda execution role |
| Technique | Description |
|---|---|
| aws.defense-evasion.cloudtrail-delete | Delete CloudTrail logs |
| aws.defense-evasion.disable-cloudtrail | Disable CloudTrail logging |
| aws.defense-evasion.disable-guardduty | Disable GuardDuty detections |
| aws.defense-evasion.vpc-flow-logs-disable | Disable VPC Flow Logs |
| aws.defense-evasion.s3-block-public-access-disable | Disable S3 public access block |
| Technique | Description |
|---|---|
| aws.discovery.ec2-enumerate-instances | List EC2 instances and details |
| aws.discovery.iam-enumerate-users | Enumerate IAM users |
| aws.discovery.iam-enumerate-roles | Enumerate IAM roles |
| aws.discovery.s3-list-buckets | List all S3 buckets |
| aws.discovery.rds-describe-instances | Discover RDS database instances |
| Technique | Description |
|---|---|
| aws.exfiltration.s3-download-object | Download objects from S3 bucket |
| aws.exfiltration.ec2-snapshot-create | Create EC2 snapshot for data theft |
| aws.exfiltration.rds-snapshot-create | Create RDS snapshot copy |
| aws.exfiltration.logs-get-log-events | Extract CloudWatch logs |
| Technique | Description |
|---|---|
| aws.initial-access.console-login-without-mfa | AWS console login without MFA |
| aws.initial-access.ec2-launch-instance | Launch EC2 instance |
| Technique | Description |
|---|---|
| aws.lateral-movement.iam-assume-role | Assume IAM role across accounts |
| aws.lateral-movement.ec2-describe-instances | Enumerate instances for pivoting |
```bash
stratus show azure.credential-access.az-cli-list-user-credentials
```
| Technique | Description |
|---|---|
| azure.credential-access.get-managed-identity-token | Extract managed identity tokens |
| azure.credential-access.list-app-service-auth | Enumerate app service authentication |
| Technique | Description |
|---|---|
| azure.persistence.create-service-principal | Create backdoor service principal |
| azure.persistence.add-global-admin | Add global admin to Entra ID |
| azure.persistence.app-service-publish | Publish backdoor app service |
```bash
stratus list --platform azure | grep entra
```
| Technique | Description |
|---|---|
| azure.persistence.add-member-to-group | Add backdoor member to group |
| azure.defense-evasion.disable-mfa-for-user | Disable MFA on target user |
| Technique | Description |
|---|---|
| azure.discovery.list-subscriptions | Enumerate Azure subscriptions |
| azure.discovery.list-app-services | Discover app service instances |
| azure.discovery.list-keyvault-secrets | Enumerate Key Vault secrets |
```bash
stratus list --platform gcp | grep service-account
```
| Technique | Description |
|---|---|
| gcp.persistence.iam-add-member | Add backdoor IAM member |
| gcp.credential-access.get-service-account-keys | Enumerate service account keys |
| Technique | Description |
|---|---|
| gcp.discovery.compute-instances | List Compute Engine instances |
| gcp.discovery.list-cloud-sql | Enumerate Cloud SQL instances |
| gcp.discovery.list-storage-buckets | List GCS buckets |
| Technique | Description |
|---|---|
| gcp.defense-evasion.disable-cloud-audit-logs | Disable Cloud Audit Logging |
| Technique | Description |
|---|---|
| kubernetes.persistence.create-pod | Create privileged pod |
| kubernetes.privilege-escalation.create-clusterrole | Create ClusterRole for persistence |
| Technique | Description |
|---|---|
| kubernetes.persistence.create-clusterrolebinding | Bind cluster admin role |
| kubernetes.discovery.list-clusterroles | Enumerate available roles |
```bash
stratus detonate kubernetes.credential-access.list-secrets
```
| Technique | Description |
|---|---|
| kubernetes.credential-access.list-secrets | Extract Kubernetes secrets |
| kubernetes.credential-access.get-secret | Read specific secret value |
```bash
stratus list -o table
stratus list -o json | jq '.[] | .id'
# AWS + credential access
stratus list --platform aws --mitre-attack-tactic credential-access
# Azure + persistence
stratus list --platform azure --mitre-attack-tactic persistence
# Defense evasion across all platforms
stratus list --mitre-attack-tactic defense-evasion
# JSON output for scripting
stratus list --format json | jq '.[] | select(.tactic=="credential-access")'
# CSV export
stratus list --format csv > techniques.csv
stratus show aws.defense-evasion.cloudtrail-delete --format json
```
Warmup creates prerequisite infrastructure (IAM users, EC2 instances, S3 buckets) needed for techniques to run successfully.
```bash
stratus warmup aws.persistence.create-access-key
stratus warmup aws.discovery.ec2-enumerate-instances
stratus warmup aws.discovery.iam-enumerate-users
stratus status aws.persistence.create-access-key
# Some techniques support parameters
stratus warmup aws.discovery.ec2-enumerate-instances
stratus revert aws.persistence.create-access-key
```
Detonation executes the actual attack technique; it should be run only after a successful warmup.
```bash
stratus detonate aws.initial-access.console-login-without-mfa
# Runs detonate + cleanup in one command
stratus detonate --cleanup aws.defense-evasion.cloudtrail-delete
stratus detonate --force aws.discovery.ec2-enumerate-instances
for technique in aws.discovery.ec2-enumerate-instances aws.discovery.iam-enumerate-users; do
    stratus detonate "$technique"
done
stratus detonate --dry-run aws.persistence.create-access-key
```
```bash
stratus status aws.persistence.create-access-key
```
```text
Warmup: ✓ done
Detonate: ✓ done
```
```bash
stratus revert aws.persistence.create-access-key
stratus detonate --cleanup aws.defense-evasion.cloudtrail-delete
stratus status aws.persistence.create-access-key --verbose
for technique in $(stratus list --platform aws --format json | jq -r '.[].id'); do
    echo "=== $technique ==="
    stratus status "$technique" 2>/dev/null | head -2
done
```
Stratus supports extending with custom techniques via a JSON/YAML configuration file:
```yaml
techniques:
  - id: custom.example.my-technique
    name: My Custom Attack
    description: Custom detection test
    tactic: discovery
    platforms:
      - aws
    prerequisites:
      - iam:CreateUser
    steps:
      - name: Create test user
        module: ec2
        function: describe_instances
```
```bash
stratus detonate --techniques-dir ./custom_techniques custom.example.my-technique
```
```bash
# Verify AWS credentials
aws sts get-caller-identity
# Check Azure authentication
az account show
# Verify GCP credentials
gcloud auth list
# Check required IAM permissions
stratus show aws.persistence.create-access-key --show-permissions
# Ensure service account has necessary roles
gcloud projects get-iam-policy <project>
# Use verbose output
stratus warmup --verbose aws.persistence.create-access-key
# Check prerequisites
stratus show aws.persistence.create-access-key | grep -i prerequisite
# Force cleanup
stratus revert --force aws.persistence.create-access-key
# Manual cleanup may be required for failed techniques
aws iam delete-user --user-name stratus-<randomid>
# Add delays between detonations
for technique in $(stratus list --platform aws --format json | jq -r '.[].id'); do
    stratus detonate "$technique"
    sleep 5
done
```
| Practice | Details |
|---|---|
| Use Test Accounts | Run on isolated test AWS/Azure/GCP accounts, not production |
| Document Detection | Log all detonate events and correlate with SIEM detections |
| Cleanup After Tests | Always run cleanup/revert to remove test artifacts |
| Start Simple | Test individual techniques before batch execution |
| Monitor Logs | Enable CloudTrail, Azure Audit Logs, Cloud Audit Logs |
| Validate Detection | Verify your detection tools alert on technique execution |
| Schedule Tests | Run red team exercises on regular cadence (monthly/quarterly) |
| Team Communication | Notify relevant teams before purple team exercises |
| Review Results | Document which techniques triggered alerts and which didn't |
| Iterate Detections | Update detection rules based on gaps identified |
```bash
#!/bin/bash
set -euo pipefail

TECHNIQUE="aws.discovery.ec2-enumerate-instances"

# Cleanup runs on any exit, so a failed detonate still leaves no test artifacts behind
cleanup() {
    echo "4. Cleaning up..."
    stratus detonate --cleanup "$TECHNIQUE" || true
    stratus revert "$TECHNIQUE" || true
    echo "5. Verify cleanup..."
    stratus status "$TECHNIQUE"
}
trap cleanup EXIT

echo "Starting red team exercise on $TECHNIQUE"
echo "1. Warming up..."
stratus warmup "$TECHNIQUE"
echo "2. Detonating attack..."
stratus detonate "$TECHNIQUE"
echo "3. Check your monitoring for alerts..."
sleep 30
```
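Closing the loop on the Document Detection, Validate Detection and Review Results practices above: an added example (not from this page or the Stratus Red Team project) that correlates a detonation log with CloudTrail events and lists the techniques that produced no matching event within the exercise window. The technique-to-eventName mapping, the detonation records and the CloudTrail-style events are assumptions constructed for illustration.

```python
# Added example (not from the Stratus Red Team project): correlate a detonation
# log with CloudTrail-style events to find visibility gaps. All data below is
# constructed for illustration.
from datetime import datetime, timedelta
# Assumed technique -> CloudTrail eventName it should produce; confirm each
# entry against `stratus show <technique>` before relying on it.
EXPECTED_EVENTS = {
    "aws.persistence.create-access-key": "CreateAccessKey",
    "aws.defense-evasion.cloudtrail-delete": "DeleteTrail",
    "aws.discovery.ec2-enumerate-instances": "DescribeInstances",
}

def parse_ts(value):
    """Parse CloudTrail's ISO-8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def correlate(detonations, events, window_minutes=15):
    """Map each detonated technique to the first matching event, or None.
    Observed means an event with the expected eventName landed within
    window_minutes after the detonation; unmapped techniques surface as gaps.
    """
    results = {}
    for det in detonations:
        expected = EXPECTED_EVENTS.get(det["technique"])
        start = parse_ts(det["time"])
        end = start + timedelta(minutes=window_minutes)
        results[det["technique"]] = next(
            (e for e in events if e["eventName"] == expected
             and start <= parse_ts(e["eventTime"]) <= end), None)
    return results

def detection_gaps(results):
    """Technique ids with no matching event: the gaps to review after a run."""
    return sorted(tech for tech, hit in results.items() if hit is None)

# Constructed detonation log (one record per `stratus detonate` run) and
# constructed CloudTrail-style events pulled from the trail afterwards.
DETONATIONS = [
    {"technique": "aws.persistence.create-access-key", "time": "2024-01-10T12:00:00Z"},
    {"technique": "aws.defense-evasion.cloudtrail-delete", "time": "2024-01-10T12:05:00Z"},
    {"technique": "aws.discovery.ec2-enumerate-instances", "time": "2024-01-10T12:10:00Z"},
]
EVENTS = [
    {"eventName": "CreateAccessKey", "eventTime": "2024-01-10T12:00:42Z"},
    {"eventName": "DescribeInstances", "eventTime": "2024-01-10T11:30:00Z"},  # too early
    {"eventName": "DescribeInstances", "eventTime": "2024-01-10T12:10:31Z"},
]
if __name__ == "__main__":
    for tech, hit in correlate(DETONATIONS, EVENTS).items():
        print(f"{tech}: {'OBSERVED' if hit else 'GAP'}")
```

In a real exercise, replace DETONATIONS with the log your runner writes and EVENTS with the trail's records for the same window; a gap then means either the action was not logged or your pipeline did not keep it, which is exactly what the Iterate Detections step should act on.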
| Tool | Purpose |
|---|---|
| CALDERA | Multi-platform adversary emulation with plugin architecture |
| Atomic Red Team | Atomic techniques mapping directly to MITRE ATT&CK |
| Pacu | AWS exploitation and reconnaissance framework |
| CloudGoat | AWS-focused intentional vulnerability creator |
| Gremlin | Chaos engineering for cloud infrastructure testing |
| Kubelet | Kubernetes security assessment framework |
| Falco | Runtime security monitoring for cloud-native environments |
```bash
# Run Stratus technique and monitor with Falco
stratus detonate kubernetes.privilege-escalation.create-clusterrole &
falco -o json | jq '.rule'
# Automate with Atomic Red Team
stratus list --format json | jq '.[] | select(.platform=="aws")'
```