github.com/DataDog/stratus-red-team @v2.33.0
README

Stratus Red Team

Stratus Red Team is "Atomic Red Team™" for the cloud: it lets you emulate offensive attack techniques in a granular and self-contained manner.


Read the announcement blog posts:
- https://www.datadoghq.com/blog/cyber-attack-simulation-with-stratus-red-team/
- https://blog.christophetd.fr/introducing-stratus-red-team-an-adversary-emulation-tool-for-the-cloud/

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:
- Stratus Red Team Concepts

Installation

Direct install

Requires Go 1.23+

go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

Homebrew

brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
brew install datadog/stratus-red-team/stratus-red-team

Pre-built binaries

For Linux / Windows / Mac OS: download one of the pre-built binaries.

Docker

IMAGE="ghcr.io/datadog/stratus-red-team"
alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

asdf

You can install specific versions (or latest) of stratus-red-team using asdf and this stratus-red-team plugin:

asdf plugin add stratus-red-team https://github.com/asdf-community/asdf-stratus-red-team.git
asdf install stratus-red-team latest

Community

The following section lists posts and projects from the community leveraging Stratus Red Team.

Open-source projects:
- Threatest
- AWS Threat Detection with Stratus Red Team

Videos:
- Reproducing common attacks in the cloud with Stratus Red Team
- Stratus Red Team: AWS EC2 Instance Credential Theft | Threat SnapShot
- Automated Attack Simulation in AWS for Red Teaming

Blog posts:
- AWS threat emulation and detection validation with Stratus Red Team and Datadog Cloud SIEM
- Adversary emulation on AWS with Stratus Red Team and Wazuh
- Sky’s the Limit: Stratus Red Team for Azure
- Detecting realistic AWS cloud-attacks using Azure Sentinel
- A Data Driven Comparison of Open Source Adversary Emulation Tools
- Making Security Relevant in the Cloud
- Detonating attacks with Datadog Stratus Red Team
- AWS CloudTrail cheatsheet
- Adversary emulation on GCP with Stratus Red Team and Wazuh
- Automated First-Response in AWS using Sigma and Athena
- AWS Cloud Detection Lab: Cloud Pen-testing with Stratus Red Team

Talks:
- Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team, DEF CON Cloud Village 2022 (recorded after the event, as the talks were not recorded)
- Threat-Driven Development with Stratus Red Team, by Ryan Marcotte Cobb
- Cloudy With a Chance of Purple Rain: Leveraging Stratus Red Team, BSides Portland 2022

Papers:
- A Purple Team Approach to Attack Automation in the Cloud Native Environment

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building Locally

make
./bin/stratus --help

Running Locally

go run cmd/stratus/*.go list

Running the Tests

make test

Building the Documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Core maintainers: Christophe Tafani-Dereeper (@christophetd), Simon Maréchal (@Minosity-VR).

Similar projects (see how Stratus Red Team compares):
- Atomic Red Team, by Red Canary
- Leonidas, by F-Secure
- pacu, by Rhino Security Labs
- Amazon GuardDuty Tester
- CloudGoat, by Rhino Security Labs

Inspiration and relevant resources:
- https://expel.io/blog/mind-map-for-aws-investigations/
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://github.com/elastic/detection-rules/tree/main/rules/integrations/aws

Extension points (exported contracts: how you extend this code)

- Config (Interface), v2/pkg/stratus/config/config.go: Config is the root configuration structure. It is used to override technique specifications. It can set variables in T [2 …
- StateManager (Interface), v2/internal/state/state.go: no doc; 3 implementers.
- CloudProviders (Interface), v2/pkg/stratus/providers.go: CloudProviders provides a unified interface to access the various cloud provider SDKs; 1 implementer.
- GCPProviderOption (FuncType), v2/internal/providers/gcp.go: GCPProviderOption configures optional overrides on a GCPProvider.
- TerraformManager (Interface), v2/pkg/stratus/runner/terraform.go: no doc; 3 implementers.
- AWSProviderOption (FuncType), v2/internal/providers/aws.go: AWSProviderOption configures optional overrides on an AWSProvider.
- KubernetesConfig (Interface), v2/pkg/stratus/config/kubernetes.go: KubernetesConfig holds Kubernetes-specific configuration; 1 implementer.
- EKSProviderOption (FuncType), v2/internal/providers/eks.go: EKSProviderOption configures optional overrides on an EKSProvider.

Core symbols (most depended-on inside this repo)

- RegisterAttackTechnique, v2/pkg/stratus/registry.go: called by 105
- String, v2/pkg/stratus/attack_technique.go: called by 83
- AWS, v2/pkg/stratus/providers.go: called by 72
- GetConnection, v2/internal/providers/aws.go: called by 70
- GCP, v2/pkg/stratus/providers.go: called by 44
- Azure, v2/pkg/stratus/providers.go: called by 42
- Options, v2/internal/providers/gcp.go: called by 37
- GetCredentials, v2/internal/providers/azure.go: called by 33

Shape (symbol kinds)

- Function: 559
- Method: 162
- Struct: 54
- FuncType: 8
- Interface: 7
- TypeAlias: 4

Languages

- Go: 100%
- TypeScript: 1%

Modules by API surface

- v2/internal/state/state.go: 41 symbols
- v2/pkg/stratus/providers.go: 29 symbols
- v2/pkg/stratus/runner/runner.go: 28 symbols
- v2/internal/state/s3_state.go: 20 symbols
- v2/internal/attacktechniques/aws/impact/bedrock-invoke-model/main.go: 18 symbols
- v2/pkg/stratus/runner/terraform.go: 14 symbols
- v2/internal/attacktechniques/azure/impact/blob-ransomware-service-storage-cmk/main.go: 14 symbols
- v2/internal/attacktechniques/azure/impact/blob-ransomware-client-encryption-scope/main.go: 13 symbols
- v2/pkg/stratus/runner/runner_test.go: 12 symbols
- v2/internal/state/mocks/StateManager.go: 12 symbols
- v2/pkg/stratus/config/config.go: 11 symbols
- v2/internal/attacktechniques/azure/persistence/backdoor-managed-identity-fic/main.go: 11 symbols

Dependencies (from manifests, versioned)

- cel.dev/expr v0.25.1 (1×)
- cloud.google.com/go v0.123.0 (1×)
- cloud.google.com/go/auth/oauth2adapt v0.2.8 (1×)
- cloud.google.com/go/compute v1.54.0 (1×)
- cloud.google.com/go/compute/metadata v0.9.0 (1×)
- cloud.google.com/go/monitoring v1.24.3 (1×)
- cloud.google.com/go/secretmanager v1.16.0 (1×)
- cloud.google.com/go/storage v1.62.1 (1×)
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 (1×)
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 (1×)
