MITRE ATT&CK Coverage by Platform

This provides coverage matrices of MITRE ATT&CK tactics and techniques currently covered by Stratus Red Team for different cloud platforms.

AWS

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Exfiltration	Impact
Console Login without MFA	Launch Unusual EC2 instances	Backdoor an IAM Role	Execute Commands on EC2 Instance via User Data	Delete CloudTrail Trail	Retrieve EC2 Password Data	Execute Discovery Commands on an EC2 Instance	Usage of EC2 Serial Console to push SSH public key	Open Ingress Port 22 on a Security Group	Invoke Bedrock Model
	Execute Commands on EC2 Instance via User Data	Create an Access Key on an IAM User	Execute Commands on SageMaker Notebook Instance via Lifecycle Configuration	Disable CloudTrail Logging Through Event Selectors	Steal EC2 Instance Credentials	Download EC2 Instance User Data	Usage of EC2 Instance Connect on multiple instances	Exfiltrate an AMI by Sharing It	S3 Ransomware through batch file deletion
	Execute Commands on SageMaker Notebook Instance via Lifecycle Configuration	Create an administrative IAM User	Create an Access Key on an IAM User	CloudTrail Logs Impairment Through S3 Lifecycle Rule	Retrieve a High Number of Secrets Manager secrets (Batch)	Enumerate SES		Exfiltrate EBS Snapshot by Sharing It	S3 Ransomware through client-side encryption
	Usage of ssm:SendCommand on multiple instances	Create a backdoored IAM Role	Create an administrative IAM User	Stop CloudTrail Trail	Retrieve a High Number of Secrets Manager secrets			Exfiltrate RDS Snapshot by Sharing	S3 Ransomware through individual file deletion
	Usage of ssm:StartSession on multiple instances	Create a Login Profile on an IAM User	Create a Login Profile on an IAM User	Delete DNS query logs	Retrieve And Decrypt SSM Parameters			Backdoor an S3 Bucket via its Bucket Policy
		Backdoor Lambda Function Through Resource-Based Policy	Add a Malicious Lambda Extension	Attempt to Leave the AWS Organization
		Add a Malicious Lambda Extension	Create an IAM Roles Anywhere trust anchor	Remove VPC Flow Logs
		Overwrite Lambda Function Code	Change IAM user password
		Create an IAM Roles Anywhere trust anchor
		Generate temporary AWS credentials using GetFederationToken

Azure

Execution	Persistence	Exfiltration
Execute Command on Virtual Machine using Custom Script Extension	Create Azure VM Bastion shareable link	Export Disk Through SAS URL
Execute Commands on Virtual Machine using Run Command

GCP

Persistence	Privilege Escalation	Credential Access	Exfiltration
Backdoor a GCP Service Account through its IAM Policy	Create an Admin GCP Service Account	Retrieve a High Number of Secret Manager secrets	Exfiltrate Compute Disk by sharing it
Create an Admin GCP Service Account	Create a GCP Service Account Key		Exfiltrate Compute Image by sharing it
Create a GCP Service Account Key	Impersonate GCP Service Accounts		Exfiltrate Compute Disk by sharing a snapshot
Invite an External User to a GCP Project

Kubernetes

Persistence	Privilege Escalation	Credential Access
Create Admin ClusterRole	Create Admin ClusterRole	Dump All Secrets
Create Client Certificate Credential	Container breakout via hostPath volume mount	Steal Pod Service Account Token
Create Long-Lived Token	Privilege escalation through node/proxy permissions
	Run a Privileged Pod

Entra ID

Persistence	Privilege Escalation
Backdoor Entra ID application through service principal	Backdoor Entra ID application through service principal
Backdoor Entra ID application	Backdoor Entra ID application
Create Guest User	Create Application
Create Hidden Scoped Role Assignment Through HiddenMembership AU
Create Application
Create Sticky Backdoor User Through Restricted Management AU

EKS

Persistence	Privilege Escalation	Lateral Movement
Backdoor aws-auth EKS ConfigMap	Backdoor aws-auth EKS ConfigMap	Create Admin EKS Access Entry