Threat-Simulation-and-Detection – Playing Around With Stratus Red Team (Cloud Attack Simulation Tool) And SumoLogic


This repository documents my adventures with Stratus Red Team, an adversary emulation tool for the cloud.

Stratus Red Team is “Atomic Red Team for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.”

We run the attacks covered in the Stratus Red Team repository one by one against our AWS account. To monitor them, we use CloudTrail and CloudWatch for logging and ingest these logs into SumoLogic for further analysis.


| Attack | Description | Write-up |
|---|---|---|
| aws.credential-access.ec2-get-password-data | Retrieve EC2 Password Data | Link |
| aws.credential-access.ec2-steal-instance-credentials | Steal EC2 Instance Credentials | Link |
| aws.credential-access.secretsmanager-retrieve-secrets | Retrieve a High Number of Secrets Manager Secrets | Link |
| aws.credential-access.ssm-retrieve-securestring-parameters | Retrieve and Decrypt SSM Parameters | Link |
| aws.defense-evasion.cloudtrail-delete | Delete CloudTrail Trail | Link |
| aws.defense-evasion.cloudtrail-event-selectors | Disable CloudTrail Logging Through Event Selectors | Link |
| aws.defense-evasion.cloudtrail-lifecycle-rule | CloudTrail Logs Impairment Through S3 Lifecycle Rule | Link |
| aws.defense-evasion.cloudtrail-stop | Stop CloudTrail Trail | Link |
| aws.defense-evasion.organizations-leave | Attempt to Leave the AWS Organization | Link |
| aws.defense-evasion.vpc-remove-flow-logs | Remove VPC Flow Logs | Link |
| aws.discovery.ec2-enumerate-from-instance | Execute Discovery Commands on an EC2 Instance | Link |
| aws.discovery.ec2-download-user-data | Download EC2 Instance User Data | TBD |
| aws.exfiltration.ec2-security-group-open-port-22-ingress | Open Ingress Port 22 on a Security Group | Link |
| aws.exfiltration.ec2-share-ami | Exfiltrate an AMI by Sharing It | Link |
| aws.exfiltration.ec2-share-ebs-snapshot | Exfiltrate EBS Snapshot by Sharing It | Link |
| aws.exfiltration.rds-share-snapshot | Exfiltrate RDS Snapshot by Sharing It | Link |
| aws.exfiltration.s3-backdoor-bucket-policy | Backdoor an S3 Bucket via Its Bucket Policy | Link |
| aws.persistence.iam-backdoor-role | Backdoor an IAM Role | Link |
| aws.persistence.iam-backdoor-user | Create an Access Key on an IAM User | TBD |
| aws.persistence.iam-create-admin-user | Create an Administrative IAM User | TBD |
| aws.persistence.iam-create-user-login-profile | Create a Login Profile on an IAM User | TBD |
| aws.persistence.lambda-backdoor-function | Backdoor Lambda Function Through Resource-Based Policy | TBD |
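Since the point of the exercise is to see what each technique looks like in CloudTrail once the logs are in SumoLogic, here is a small detection pass that maps CloudTrail records back to the technique IDs in the table. This is an added example written for this page, not code from the Stratus Red Team project or from the author's repository. The `eventSource`/`eventName` pairings are my assumption about which AWS API call each technique drives, the `ipPermissions` and `createVolumePermission` request shapes follow CloudTrail's JSON layout as I know it, the `SECRETS_THRESHOLD` value is made up (the page only says "a high number"), and the sample records are constructed, not real log data. Three techniques get more than a plain event-name match: port-22 ingress only counts when the rule exposes TCP/22 to `0.0.0.0/0`, snapshot sharing only when another account or the `all` group is added, and Secrets Manager reads are flagged on per-identity volume.

```python
"""Map CloudTrail records to the Stratus Red Team technique IDs in the table above."""
import json
from collections import Counter

# eventSource/eventName -> Stratus technique ID. These pairings are this
# example's assumption about which API call each technique makes; confirm
# them against the Stratus technique docs before relying on them.
TECHNIQUE_BY_EVENT = {
    ("ec2.amazonaws.com", "GetPasswordData"): "aws.credential-access.ec2-get-password-data",
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "aws.credential-access.secretsmanager-retrieve-secrets",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "aws.defense-evasion.cloudtrail-delete",
    ("cloudtrail.amazonaws.com", "PutEventSelectors"): "aws.defense-evasion.cloudtrail-event-selectors",
    ("cloudtrail.amazonaws.com", "StopLogging"): "aws.defense-evasion.cloudtrail-stop",
    ("organizations.amazonaws.com", "LeaveOrganization"): "aws.defense-evasion.organizations-leave",
    ("ec2.amazonaws.com", "DeleteFlowLogs"): "aws.defense-evasion.vpc-remove-flow-logs",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "aws.exfiltration.ec2-security-group-open-port-22-ingress",
    ("ec2.amazonaws.com", "ModifyImageAttribute"): "aws.exfiltration.ec2-share-ami",
    ("ec2.amazonaws.com", "ModifySnapshotAttribute"): "aws.exfiltration.ec2-share-ebs-snapshot",
    ("rds.amazonaws.com", "ModifyDBSnapshotAttribute"): "aws.exfiltration.rds-share-snapshot",
    ("s3.amazonaws.com", "PutBucketPolicy"): "aws.exfiltration.s3-backdoor-bucket-policy",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "aws.persistence.iam-backdoor-role",
    ("iam.amazonaws.com", "CreateAccessKey"): "aws.persistence.iam-backdoor-user",
    ("iam.amazonaws.com", "CreateLoginProfile"): "aws.persistence.iam-create-user-login-profile",
}
# GetSecretValue is flagged on volume per identity; assumed threshold.
SECRETS_THRESHOLD = 5
STRATUS_USER = "arn:aws:iam::111122223333:user/stratus"  # constructed identity

# Constructed sample records in CloudTrail's JSON layout (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-03-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": STRATUS_USER},
     "requestParameters": {"name": "my-trail"}},
    {"eventTime": "2022-03-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": STRATUS_USER},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2022-03-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2022-03-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute", "userIdentity": {"arn": STRATUS_USER},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}},
] + [  # six secret reads by one identity, above the assumed threshold
    {"eventTime": f"2022-03-01T10:05:{i:02d}Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "userIdentity": {"arn": STRATUS_USER},
     "requestParameters": {"secretId": f"prod/secret-{i}"}} for i in range(6)
]})
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def _identity(record):
    return record.get("userIdentity", {}).get("arn", "unknown")


def opens_ssh_to_world(params):
    """True when any ipPermissions entry covers TCP/22 from 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):  # -1 means all protocols
            continue
        if not perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535):
            continue
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
    return False


def shares_snapshot_externally(params):
    """True when createVolumePermission adds another account ID or the 'all' group."""
    added = params.get("createVolumePermission", {}).get("add", {}).get("items", [])
    return any("userId" in e or e.get("group") == "all" for e in added)


def classify(record):
    """Technique ID indicated by one record, or None (GetSecretValue is volume-based)."""
    source, name = record.get("eventSource"), record.get("eventName")
    tech = TECHNIQUE_BY_EVENT.get((source, name))
    params = record.get("requestParameters") or {}
    if tech is None or name == "GetSecretValue":
        return None
    if name == "AuthorizeSecurityGroupIngress" and not opens_ssh_to_world(params):
        return None
    if name == "ModifySnapshotAttribute" and not shares_snapshot_externally(params):
        return None
    return tech


def detect(records, secrets_threshold=SECRETS_THRESHOLD):
    """Return (technique, identity, detail) findings for a list of CloudTrail records."""
    findings, secret_reads = [], Counter()
    for rec in records:
        tech = classify(rec)
        if tech:
            findings.append((tech, _identity(rec), rec.get("eventTime")))
        if rec.get("eventName") == "GetSecretValue":
            secret_reads[_identity(rec)] += 1
    for who, n in secret_reads.items():
        if n >= secrets_threshold:
            findings.append((TECHNIQUE_BY_EVENT[("secretsmanager.amazonaws.com", "GetSecretValue")],
                             who, f"{n} GetSecretValue calls"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(*finding, sep="  ")
```

Run against the constructed sample, the pass reports the stopped trail, the world-open port 22 rule, the shared snapshot, and the burst of secret reads, while the internal port 443 rule is left alone. The same logic translates directly into a SumoLogic search keyed on `eventSource` and `eventName` with a count per `userIdentity.arn` for the Secrets Manager case.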


  1. Awesome team at Datadog, Inc. for Stratus Red Team here
  2. Hacking the Cloud AWS
  3. Falcon Force team blog
