### Install and Run Stratus Red Team Detonation Script Source: https://github.com/datadog/stratus-red-team/blob/main/examples/basic/README.md Use these commands to get the Stratus Red Team library and run the example script for detonating an attack technique. Ensure you have Go installed. ```bash go get github.com/datadog/stratus-red-team go get -d go run detonate_stratus_red_team_technique.go ``` -------------------------------- ### Install and Run Custom Attack Technique Source: https://github.com/datadog/stratus-red-team/blob/main/examples/custom/README.md Use these Go commands to get the Stratus Red Team project and run a custom attack technique. Ensure you have Go installed and configured. ```bash go get github.com/datadog/stratus-red-team go get -d go run detonate_custom_technique.go ``` -------------------------------- ### Build Stratus Red Team Documentation Source: https://github.com/datadog/stratus-red-team/blob/main/README.md Install necessary Python packages and build the documentation locally. Requires 'mkdocs-material' and 'mkdocs-awesome-pages-plugin'. ```bash pip install mkdocs-material mkdocs-awesome-pages-plugin make docs mkdocs serve ``` -------------------------------- ### Run Stratus Red Team Example Source: https://github.com/datadog/stratus-red-team/blob/main/examples/credential-injection/README.md Execute the main Go program to run the Stratus Red Team example. This command assumes that the necessary AWS credentials have been exported in the previous step. ```bash go run main.go ``` -------------------------------- ### Setup Bash Autocompletion on Linux Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/autocompletion.md Installs bash-completion and configures Stratus CLI autocompletion for bash on Linux. Requires sudo privileges for system-wide installation. ```bash # Install bash-completion if necessary sudo apt install bash-completion sudo mkdir -p /etc/bash_completion.d stratus completion bash | sudo tee /etc/bash_completion.d/stratus > /dev/null echo "source /etc/bash_completion" >> ~/.bashrc ``` -------------------------------- ### Install Stratus Red Team using Homebrew Source: https://github.com/datadog/stratus-red-team/blob/main/README.md Install Stratus Red Team via Homebrew by tapping the repository and installing the formula. ```bash brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team brew install datadog/stratus-red-team/stratus-red-team ``` -------------------------------- ### Setup Bash Autocompletion on macOS Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/autocompletion.md Installs bash-completion and configures Stratus CLI autocompletion for bash on macOS. Ensure Homebrew is installed. ```bash # Install bash-completion if necessary brew install bash-completion stratus completion bash > /usr/local/etc/bash_completion.d/stratus echo "source /usr/local/etc/bash_completion" >> ~/.bashrc ``` -------------------------------- ### Setup Fish Autocompletion Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/autocompletion.md Sets up Stratus CLI autocompletion for the fish shell by directing the completion script to the appropriate configuration directory. ```fish stratus completion fish > ~/.config/fish/completions/stratus.fish ``` -------------------------------- ### Install Stratus Red Team using Go Source: https://github.com/datadog/stratus-red-team/blob/main/README.md Install the Stratus Red Team CLI using the Go package manager. Requires Go 1.23+. ```bash go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest ``` -------------------------------- ### Install and Run Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/examples/runner-options/README.md Commands to get the Stratus Red Team project and run the main application. ```bash go get github.com/datadog/stratus-red-team go get -d go run main.go ``` -------------------------------- ### Install Stratus CLI with Homebrew Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/getting-started.md Installs the Stratus Red Team command-line interface using Homebrew. This method involves tapping the Datadog repository and then installing the package. ```bash brew tap "datadog/stratus-red-team" "https://github.com/DataDog/stratus-red-team" brew install datadog/stratus-red-team/stratus-red-team ``` -------------------------------- ### Install Stratus Red Team with asdf Source: https://github.com/datadog/stratus-red-team/blob/main/README.md Install Stratus Red Team using the asdf version manager and its community plugin. Installs the latest version. ```bash asdf plugin add stratus-red-team https://github.com/asdf-community/asdf-stratus-red-team.git asdf install stratus-red-team latest ``` -------------------------------- ### Stratus Red Team Detonation Output Example Source: https://github.com/datadog/stratus-red-team/blob/main/examples/basic/README.md This is a sample output from running the `detonate_stratus_red_team_technique.go` script. It shows the process of warming up, detonating, and cleaning up the `aws.defense-evasion.cloudtrail-stop` technique. ```text aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:11 Checking your authentication against the AWS API 2022/01/21 15:55:12 Warming up aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:12 Initializing Terraform to spin up technique prerequisites 2022/01/21 15:55:20 Applying Terraform to spin up technique prerequisites 2022/01/21 15:55:45 CloudTrail trail arn:aws:cloudtrail:us-east-1:751353041310:trail/my-cloudtrail-trail ready TTP is warm! Press enter to detonate it 2022/01/21 15:55:49 Not warming up - aws.defense-evasion.cloudtrail-stop is already warm. Use --force to force 2022/01/21 15:55:49 Stopping CloudTrail trail my-cloudtrail-trail 2022/01/21 15:55:49 Cleaning up aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:49 Reverting detonation of technique aws.defense-evasion.cloudtrail-stop 2022/01/21 15:55:49 Restarting CloudTrail trail my-cloudtrail-trail 2022/01/21 15:55:50 Cleaning up technique prerequisites with terraform destroy ``` -------------------------------- ### Example JSON Log Entry Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.execution.ssm-send-command.md This is an example of a JSON log entry, likely used for auditing or event tracking within the Stratus-Red-Team project. It shows user and authentication details. ```json { "userName": "christophe" } } ] ``` -------------------------------- ### Sample Output of Custom Attack Technique Detonation Source: https://github.com/datadog/stratus-red-team/blob/main/examples/custom/README.md This is an example of the output you can expect when detonating a custom attack technique. It shows the stages of warming up, initializing prerequisites, and cleanup. ```text 2022/01/21 15:51:56 Checking your authentication against the AWS API 2022/01/21 15:51:57 Warming up my-sample-attack-technique 2022/01/21 15:51:57 Initializing Terraform to spin up technique prerequisites 2022/01/21 15:52:06 Applying Terraform to spin up technique prerequisites 2022/01/21 15:52:16 IAM user stratus-red-team-giteeygx is ready TTP is warm! Press enter to detonate it 2022/01/21 15:52:54 Not warming up - my-sample-attack-technique is already warm. Use --force to force 2022/01/21 15:52:54 The ARN of our IAM user is: arn:aws:iam::012345678912:user/stratus-red-team-giteeygx 2022/01/21 15:52:54 Cleaning up my-sample-attack-technique 2022/01/21 15:52:54 Cleaning up technique prerequisites with terraform destroy ``` -------------------------------- ### Install Stratus Red Team as a Go Dependency Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/programmatic-usage.md Use these commands to add Stratus Red Team to your Go project and download dependencies. ```bash go get github.com/datadog/stratus-red-team/v2 go get -d ``` -------------------------------- ### Setup Zsh Autocompletion Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/autocompletion.md Configures Stratus CLI autocompletion for zsh. This involves updating the zshrc file and placing the completion script in the fpath directory. ```zsh echo "autoload -U compinit; compinit" >> ~/.zshrc source ~/.zshrc stratus completion zsh > "${fpath[1]}/_stratus" ``` -------------------------------- ### Warm up a single attack technique Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/warmup.md Use this command to prepare the prerequisites for a specific attack technique. Ensure the technique name is correctly provided. ```bash stratus warmup aws.exfiltration.ec2-share-ami ``` -------------------------------- ### Cleanup IAM Resources Source: https://github.com/datadog/stratus-red-team/blob/main/examples/credential-injection/README.md This script removes the 'cloudtrail-stop' policy and the 'stratus-attacker' IAM role created during the setup process. Ensure you have completed the example before running this cleanup. ```bash aws iam delete-role-policy --role-name stratus-attacker --policy-name cloudtrail-stop aws iam delete-role --role-name stratus-attacker ``` -------------------------------- ### Warm up multiple attack techniques Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/warmup.md This command allows you to prepare the prerequisites for several attack techniques simultaneously. List all desired technique names separated by spaces. ```bash stratus warmup aws.exfiltration.ec2-share-ami aws.exfiltration.s3-backdoor-bucket-policy ``` -------------------------------- ### Show Technique Details Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/usage.md Use 'stratus show' followed by the technique ID to view its description, warm-up, and detonation steps. This command provides an overview of a specific technique's functionality. ```bash stratus show aws.exfiltration.ec2-share-ebs-snapshot ``` -------------------------------- ### Sample CLI Autocompletion Usage Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/autocompletion.md Demonstrates how to trigger autocompletion in the Stratus CLI. Use the tab key to see available commands and arguments. ```bash stratus deton[tab] ``` ```bash stratus detonate aws[tab][tab] ``` -------------------------------- ### Generate Attack Technique Documentation Source: https://github.com/datadog/stratus-red-team/blob/main/AGENTS.md Automatically generate attack technique documentation by running 'make docs'. ```bash make docs ``` -------------------------------- ### Build and Run Custom Stratus CLI Source: https://github.com/datadog/stratus-red-team/blob/main/examples/custom_expand_cli/README.md Build the custom Stratus CLI using 'make build' and then run it to execute custom attacks. Ensure your custom attack techniques are correctly imported and registered. ```bash # Build the custom CLI make build ``` ```bash # Run the CLI ./stratus show my-sample-attack-technique ``` -------------------------------- ### Detonate Disk Export with Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/azure/azure.exfiltration.disk-export.md Use this command to detonate the 'azure.exfiltration.disk-export' technique. Ensure Stratus Red Team is installed and configured. ```bash stratus detonate azure.exfiltration.disk-export ``` -------------------------------- ### Basic Runner Usage in Go Source: https://context7.com/datadog/stratus-red-team/llms.txt Demonstrates programmatic usage of the Runner interface to warm up, detonate, revert, and clean up attack techniques using the Stratus Red Team Go library. Ensure necessary imports and handle potential errors during execution. ```go package main import ( "fmt" "log" "github.com/datadog/stratus-red-team/v2/pkg/stratus" _ "github.com/datadog/stratus-red-team/v2/pkg/stratus/loader" stratusrunner "github.com/datadog/stratus-red-team/v2/pkg/stratus/runner" ) func main() { // Get attack technique from registry ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.cloudtrail-stop") if ttp == nil { log.Fatal("Technique not found") } // Create runner (use StratusRunnerForce to override idempotency checks) runner := stratusrunner.NewRunner(ttp, stratusrunner.StratusRunnerNoForce) // Warm up prerequisites (creates CloudTrail trail via Terraform) outputs, err := runner.WarmUp() if err != nil { log.Fatalf("Could not warm up TTP: %v", err) } fmt.Printf("Warm-up complete, outputs: %v\n", outputs) // Ensure cleanup on exit defer func() { if err := runner.CleanUp(); err != nil { log.Printf("Cleanup failed: %v", err) } }() // Detonate the attack technique if err := runner.Detonate(); err != nil { log.Fatalf("Could not detonate TTP: %v", err) } fmt.Println("Detonation complete") // Check current state fmt.Printf("Current state: %s\n", runner.GetState()) // Revert the detonation (re-enables CloudTrail) if err := runner.Revert(); err != nil { log.Fatalf("Could not revert TTP: %v", err) } fmt.Println("Revert complete") } ``` -------------------------------- ### Detonate Discovery Commands on EC2 Instance Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md Use this command to detonate the discovery commands on an EC2 instance. Ensure Stratus Red Team is installed and configured. ```bash stratus detonate aws.discovery.ec2-enumerate-from-instance ``` -------------------------------- ### Detonate with Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md Use this command to execute the CloudTrail event selector modification. Ensure Stratus Red Team is installed and configured for AWS. ```bash stratus detonate aws.defense-evasion.cloudtrail-event-selectors ``` -------------------------------- ### Run Unit Tests Source: https://github.com/datadog/stratus-red-team/blob/main/AGENTS.md Execute unit tests for Stratus Red Team using the 'make test' command. ```bash make test ``` -------------------------------- ### Add Stratus Red Team as Go Library Dependency Source: https://context7.com/datadog/stratus-red-team/llms.txt Include the Stratus Red Team library as a dependency in your Go project using 'go get'. ```bash go get github.com/datadog/stratus-red-team/v2 ``` -------------------------------- ### Querying Attack Techniques by Platform and Tactic in Go Source: https://context7.com/datadog/stratus-red-team/llms.txt Demonstrates how to query the Stratus Red Team registry for attack techniques. You can list all techniques, retrieve a specific technique by name, or filter techniques by platform and MITRE ATT&CK tactics. ```go package main import ( "fmt" "github.com/datadog/stratus-red-team/v2/pkg/stratus" _ "github.com/datadog/stratus-red-team/v2/pkg/stratus/loader" "github.com/datadog/stratus-red-team/v2/pkg/stratus/mitreattack" ) func main() { registry := stratus.GetRegistry() // List all techniques allTechniques := registry.ListAttackTechniques() fmt.Printf("Total techniques: %d\n", len(allTechniques)) // Get specific technique by ID ttp := registry.GetAttackTechniqueByName("aws.persistence.iam-backdoor-role") if ttp != nil { fmt.Printf("Found: %s - %s\n", ttp.ID, ttp.FriendlyName) fmt.Printf("Platform: %s\n", ttp.Platform) fmt.Printf("Idempotent: %v\n", ttp.IsIdempotent) fmt.Printf("MITRE ATT&CK Tactics: %v\n", ttp.MitreAttackTactics) } // Filter techniques by platform awsFilter := &stratus.AttackTechniqueFilter{Platform: stratus.AWS} awsTechniques := registry.GetAttackTechniques(awsFilter) fmt.Printf("AWS techniques: %d\n", len(awsTechniques)) // Filter by platform and tactic persistenceFilter := &stratus.AttackTechniqueFilter{ Platform: stratus.AWS, Tactic: mitreattack.Persistence, } persistenceTechniques := registry.GetAttackTechniques(persistenceFilter) fmt.Printf("AWS Persistence techniques: %d\n", len(persistenceTechniques)) for _, t := range persistenceTechniques { fmt.Printf(" - %s: %s\n", t.ID, t.FriendlyName) } } ``` -------------------------------- ### Detonate Azure Blob Ransomware with Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/azure/azure.impact.blob-ransomware-individual-file-deletion.md Execute the Azure ransomware simulation using the Stratus Red Team CLI. Ensure you have the tool installed and configured for Azure. ```bash stratus detonate azure.impact.blob-ransomware-individual-file-deletion ``` -------------------------------- ### Warm up Stratus Red Team techniques Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/examples.md Prepare your live environment with the prerequisites for attack techniques using the `stratus warmup` command. This should be done ahead of detonation. ```bash stratus warmup aws.defense-evasion.cloudtrail-stop aws.defense-evasion.vpc-remove-flow-logs aws.persistence.iam-backdoor-user ``` -------------------------------- ### Detonate Azure VM Run Command Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/azure/azure.execution.vm-run-command.md Use this command to execute the 'Run Command' technique on an Azure virtual machine. Ensure you have the Stratus Red Team tool installed and configured. ```bash stratus detonate azure.execution.vm-run-command ``` -------------------------------- ### Build Stratus Red Team Locally Source: https://github.com/datadog/stratus-red-team/blob/main/README.md Use this command to build the Stratus Red Team project locally. It requires a 'make' command to execute. ```bash make ./bin/stratus --help ``` -------------------------------- ### Detonate S3 Ransomware with Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.impact.s3-ransomware-individual-deletion.md Execute the S3 ransomware simulation using the Stratus Red Team CLI. Ensure the Stratus CLI is installed and configured for AWS. ```bash stratus detonate aws.impact.s3-ransomware-individual-deletion ``` -------------------------------- ### List all available attack techniques Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/list.md Use this command to view all attack techniques supported by Stratus-Red-Team. No specific filters are applied. ```bash stratus list ``` -------------------------------- ### Show Attack Technique Details with Stratus CLI Source: https://context7.com/datadog/stratus-red-team/llms.txt Displays detailed information about a specific attack technique, including its description, warm-up, and detonation behavior. Requires the technique ID. ```bash # Display information about an attack technique stratus show aws.persistence.iam-backdoor-role ``` -------------------------------- ### Custom Logging Terraform Manager in Go Source: https://context7.com/datadog/stratus-red-team/llms.txt Wrap the default TerraformManager to add custom logging behavior before and after Terraform operations. This example shows how to intercept Initialize, TerraformInitAndApply, and TerraformDestroy methods. ```go package main import ( "log" "github.com/datadog/stratus-red-team/v2/pkg/stratus" _ "github.com/datadog/stratus-red-team/v2/pkg/stratus/loader" stratusrunner "github.com/datadog/stratus-red-team/v2/pkg/stratus/runner" ) // LoggingTerraformManager wraps the default TerraformManager type LoggingTerraformManager struct { inner stratusrunner.TerraformManager } func (m *LoggingTerraformManager) Initialize() { m.inner.Initialize() } func (m *LoggingTerraformManager) TerraformInitAndApply( directory string, variables map[string]string, ) (map[string]string, error) { log.Printf("[logging] terraform apply starting in %s", directory) outputs, err := m.inner.TerraformInitAndApply(directory, variables) if err != nil { log.Printf("[logging] terraform apply failed: %v", err) } else { log.Printf("[logging] terraform apply succeeded with %d outputs", len(outputs)) } return outputs, err } func (m *LoggingTerraformManager) TerraformDestroy( directory string, variables map[string]string, ) error { log.Printf("[logging] terraform destroy starting in %s", directory) err := m.inner.TerraformDestroy(directory, variables) if err != nil { log.Printf("[logging] terraform destroy failed: %v", err) } return err } func main() { ttp := stratus.GetRegistry().GetAttackTechniqueByName("aws.defense-evasion.cloudtrail-stop") // Build default TerraformManager and wrap it defaultTfManager := stratusrunner.NewTerraformManager("/tmp/stratus-terraform", "my-agent") loggingTfManager := &LoggingTerraformManager{inner: defaultTfManager} runner := stratusrunner.NewRunner( ttp, stratusrunner.StratusRunnerNoForce, stratusrunner.WithTerraformManager(loggingTfManager), ) runner.WarmUp() defer runner.CleanUp() runner.Detonate() } ``` -------------------------------- ### CloudTrail PutEventSelectors Log Example Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-event-selectors.md This JSON log entry shows a `PutEventSelectors` event from CloudTrail. Note that `includeManagementEvents` is set to `false`, effectively disabling management event logging for the specified trail. ```json [ { "awsRegion": "cn-northsouth-2r", "eventCategory": "Management", "eventID": "c2a89408-340a-42f0-8ace-75d9f5769393", "eventName": "PutEventSelectors", "eventSource": "cloudtrail.amazonaws.com", "eventTime": "2024-07-31T12:50:02Z", "eventType": "AwsApiCall", "eventVersion": "1.10", "managementEvent": true, "readOnly": false, "recipientAccountId": "958312252124", "requestID": "5176273c-0497-47e9-8f4c-840b62e7fc9a", "requestParameters": { "eventSelectors": [ { "dataResources": [ { "type": "AWS::S3::Object", "values": [] }, { "type": "AWS::Lambda::Function", "values": [] } ], "excludeManagementEventSources": [], "includeManagementEvents": false, "readWriteType": "ReadOnly" } ], "trailName": "stratus-red-team-ctes-trail-khlvciwdor" }, "responseElements": { "eventSelectors": [ { "dataResources": [ { "type": "AWS::S3::Object", "values": [] }, { "type": "AWS::Lambda::Function", "values": [] } ], "excludeManagementEventSources": [], "includeManagementEvents": false, "readWriteType": "ReadOnly" } ], "trailARN": "arn:aws:cloudtrail:cn-northsouth-2r:958312252124:trail/stratus-red-team-ctes-trail-khlvciwdor" }, "sourceIPAddress": "221.254.191.250", "tlsDetails": { "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudtrail.cn-northsouth-2r.amazonaws.com", "tlsVersion": "TLSv1.3" }, "userAgent": "stratus-red-team_ce507fbd-078a-4e4c-975d-d80cb80df469", "userIdentity": { "accessKeyId": "AKIA2I0BSXU5LNRWIN0K", "accountId": "958312252124", "arn": "arn:aws:iam::958312252124:user/christophe", "principalId": "AIDA3JXGLTFY4HTLVVO7", "type": "IAMUser", "userName": "christophe" } } ] ``` -------------------------------- ### Build and Detonate Attack Technique Source: https://github.com/datadog/stratus-red-team/blob/main/docs/contributing.md Commands to build Stratus Red Team locally, warm up an attack technique, detonate it to generate CloudTrail logs, and clean up afterwards. Ensure Grimoire is installed and configured. ```bash # Build your local Stratus Red Team version make # Generate cloud audit logs ./bin/stratus warmup your-attack grimoire shell --command 'export STRATUS_RED_TEAM_DETONATION_ID=$GRIMOIRE_DETONATION_ID; ./bin/stratus detonate your-attack' -o /tmp/your-attack.json # Press Ctrl+C once you see the expected events ./bin/stratus cleanup your-attack ``` -------------------------------- ### List Attack Techniques with Stratus CLI Source: https://context7.com/datadog/stratus-red-team/llms.txt Lists all available attack techniques. Use filters like --platform and --mitre-attack-tactic to narrow down the results. ```bash # List all available attack techniques stratus list ``` ```bash # List AWS-specific attack techniques stratus list --platform aws ``` ```bash # List persistence techniques for AWS stratus list --platform aws --mitre-attack-tactic persistence ``` -------------------------------- ### Detonate GCP Project Removal Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/GCP/gcp.defense-evasion.remove-project-from-organization.md Use this command to execute the Stratus Red Team detonation for removing a GCP project from its organization. Ensure you have the Stratus Red Team CLI installed and configured for GCP. ```bash stratus detonate gcp.defense-evasion.remove-project-from-organization ``` -------------------------------- ### Sample CloudTrail StartSession Event Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.execution.ssm-start-session.md This is a sample CloudTrail event for the StartSession API call. It shows the source, event name, request parameters, and response elements. ```json { "eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "requestParameters": { "target": "i-123456" }, "responseElements": { "sessionId": "...", "tokenValue": "Value hidden due to security reasons.", "streamUrl": "wss://ssmmessages.eu-west-1.amazonaws.com/v1/data-channel/..." }, } ``` -------------------------------- ### List Current State of Attack Techniques Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/commands/status.md Use this command to view the status of all available attack techniques. The status indicates whether a technique is ready to be used (COLD), has been recently used and is in a cooldown period (WARM), or has been successfully executed (DETONATED). ```bash stratus status ``` -------------------------------- ### Detonate IAM Backdoor Role with Stratus Red Team Source: https://github.com/datadog/stratus-red-team/blob/main/docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md Execute the IAM backdoor role technique using the Stratus Red Team CLI. Ensure Stratus Red Team is installed and configured for AWS. ```bash stratus detonate aws.persistence.iam-backdoor-role ``` -------------------------------- ### Show Attack Technique Details Source: https://github.com/datadog/stratus-red-team/blob/main/docs/user-guide/examples.md Retrieve detailed information about a specific attack technique, including its warm-up and detonation phases. This helps understand the technique's execution flow. ```bash $ stratus show aws.persistence.iam-backdoor-role Establishes persistence by backdooring an existing IAM role, allowing it to be assumed from an external AWS account. Warm-up: Creates the prerequisite IAM role. Detonation: Updates the assume role policy of the IAM role to backdoor it. ```