create-attack-technique


Overview

Each attack technique is composed of two files, which should be stored in v2/internal/attacktechniques/<platform>/<mitre-attack-tactic>/<name> (e.g., v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/):

  • main.go, containing the imperative attack logic
  • main.tf (most of the time), containing the prerequisite infrastructure
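A reviewer or CI job can check this layout before a new technique is merged. The following is an added example, not code from Stratus Red Team: `CheckLayout`, `sampleTree` and the lowercase kebab-case rule are assumptions made here (the rule is inferred from the example path above), and the directory tree is constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"regexp"
	"strings"
	"testing/fstest"
)

// Root directory and file names are taken from the page.
const root = "v2/internal/attacktechniques"

// Assumption: every path segment is lowercase kebab-case, as in the page's example path.
const seg = `[a-z0-9]+(-[a-z0-9]+)*`
var kebabPath = regexp.MustCompile(`^` + seg + `/` + seg + `/` + seg + `$`)

// CheckLayout returns one finding per convention violation found under root.
// main.go is required; main.tf is only present "most of the time", so it is optional.
func CheckLayout(fsys fs.FS) []string {
	var findings []string
	matches, _ := fs.Glob(fsys, root+"/*/*/*") // <platform>/<tactic>/<name>
	for _, dir := range matches {
		if info, err := fs.Stat(fsys, dir); err != nil || !info.IsDir() {
			continue // stray file at technique depth, not a technique directory
		}
		if !kebabPath.MatchString(strings.TrimPrefix(dir, root+"/")) {
			findings = append(findings, dir+": path segments must be lowercase kebab-case")
		}
		if _, err := fs.Stat(fsys, dir+"/main.go"); err != nil {
			findings = append(findings, dir+": missing main.go")
		}
	}
	return findings
}

// sampleTree is a constructed repository tree; only the first directory comes from the page.
func sampleTree() fstest.MapFS {
	f := &fstest.MapFile{}
	return fstest.MapFS{
		root + "/aws/defense-evasion/cloudtrail-delete/main.go": f,
		root + "/aws/defense-evasion/cloudtrail-delete/main.tf": f,
		root + "/aws/exfiltration/example-no-infra/main.go":     f,
		root + "/aws/Exfiltration_Misc/example-bad/main.tf":     f,
	}
}

func main() { fmt.Println(strings.Join(CheckLayout(sampleTree()), "\n")) }
```

To run it against a real checkout, pass `os.DirFS` of the repository root instead of `sampleTree()`.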

The lifecycle of an attack technique in Stratus Red Team is:

  • COLD
  • WARM: The prerequisite infrastructure is ready.
  • DETONATED: The attack technique was detonated.

Guiding principles

  • An attack technique should be granular, meaning that it should emulate a single step of an attack.

    • Good: Share an EBS snapshot with an external AWS account.
    • Bad: Use an IAM access key to perform privilege escalation, run discovery commands, take an EBS snapshot of an instance, share the EBS snapshot with an external AWS account.

  • Techniques should emulate plausible and documented attacker behavior.

  • An attack technique should not be dependent on the state of the cloud environment it's run against.

First Seen
Feb 25, 2026