emulating-cloud-attacks-with-stratus-red-team

Installation
SKILL.md

Emulating Cloud Attacks with Stratus Red Team

Legal Notice: This skill is for authorized security testing and detection-validation purposes only. Stratus Red Team spins up and modifies real cloud infrastructure in the account whose credentials you supply. Only run it in accounts you own or are explicitly authorized to test. Always cleanup afterwards to avoid orphaned, billable, or insecure resources. Unauthorized use against systems you do not control is illegal.

Overview

Stratus Red Team is an open-source "Atomic Red Team for the cloud," maintained by Datadog. It is a self-contained Go binary that programmatically detonates granular, well-documented offensive techniques against AWS, Azure, GCP, and Kubernetes, then lets you cleanly revert and remove everything it created. Unlike a full exploitation framework, Stratus is purpose-built for detection engineering and purple teaming: each technique maps to a MITRE ATT&CK tactic and ships with a precise description of the cloud API calls it generates, so a blue team can confirm whether their CloudTrail/GuardDuty/Sentinel/Falco detections actually fire.

Every technique has a deterministic lifecycle. Stratus first provisions any prerequisite infrastructure with embedded Terraform (the warmup phase), then performs the malicious actions (detonate), optionally reverts the side effects so you can detonate again, and finally cleanups the prerequisite infrastructure. Because the prerequisites and the attack are decoupled, you can iterate on a detection by detonating the same technique repeatedly without re-provisioning. The tool uses your standard cloud SDK credential chain (AWS profiles/env vars, az login, GCP ADC, kubeconfig), so it operates with exactly the permissions of the identity you authenticate as.

This skill covers installing Stratus, listing and filtering the technique catalog, running the full warmup-detonate-revert-cleanup lifecycle, mapping detonations to the telemetry they produce, and wiring the results into a detection-validation workflow. Source: github.com/DataDog/stratus-red-team and stratus-red-team.cloud official documentation.

When to Use

  • Validating that a new or existing cloud detection rule (CloudTrail, GuardDuty, Microsoft Sentinel, GCP SCC, Falco) actually triggers on real attacker activity
  • Building a repeatable purple-team exercise for cloud TTPs without writing bespoke attack scripts
  • Generating realistic, MITRE-mapped telemetry to test SIEM ingestion and alert routing
  • Measuring detection coverage of a cloud environment against a known catalog of techniques
  • Onboarding analysts with safe, reversible hands-on cloud attack simulations
Installs
7
GitHub Stars
24.7K
First Seen
14 days ago
emulating-cloud-attacks-with-stratus-red-team — mukul975/anthropic-cybersecurity-skills