- Mac OS:
- Linux / Windows / macOS: Download a pre-built binary.
An attack technique is a granular TTP that has prerequisite infrastructure or configuration. You can see the list of attack techniques supported by Stratus Red Team here.
Warming up an attack technique means making sure its prerequisites are met, without detonating it. Warm-up is a preparation phase, before executing the actual attack. Behind the scenes, Stratus Red Team transparently uses Terraform to spin up and tear down the prerequisites of each attack technique.
Detonating an attack technique means executing it against a live environment, for instance against a test AWS account.
Reverting an attack technique means "cancelling" its detonation, when it had a side effect.
Cleaning up an attack technique means nuking all its prerequisites and making sure no resource is left in your environment.
An attack technique is idempotent if it can be detonated multiple times without reverting it.
Let's take an example with the attack technique Exfiltrate EBS Snapshot through Snapshot Sharing.
- Warm-up: Create an EBS volume and a snapshot of it
- Detonation: Share the EBS snapshot with an external AWS account
- Revert: Unshare the EBS snapshot with the external AWS account
- Clean-up: Remove the EBS volume and its snapshot
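A detection-side companion to this example, added here and not part of Stratus Red Team or its documentation: it scans CloudTrail-style records for the EC2 `ModifySnapshotAttribute` call that sharing a snapshot produces, and reports snapshots shared with accounts outside an allow-list. The events, snapshot IDs and account IDs are constructed, and the record layout is assumed to follow CloudTrail's usual shape for this call.

```python
OWNER = "111111111111"        # constructed account IDs, not real ones
TRUSTED = {"333333333333"}

def _event(snapshot_id, action, item, error=None):
    """Build a constructed CloudTrail record holding only the fields used below."""
    event = {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "recipientAccountId": OWNER,
        "requestParameters": {
            "snapshotId": snapshot_id,
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {action: {"items": [item]}},
        },
    }
    if error:
        event["errorCode"] = error
    return event

SAMPLE_EVENTS = [
    _event("snap-0aaa", "add", {"userId": "222222222222"}),     # detonation
    _event("snap-0aaa", "remove", {"userId": "222222222222"}),  # revert
    _event("snap-0bbb", "add", {"group": "all"}),               # made public
    _event("snap-0ccc", "add", {"userId": "333333333333"}),     # trusted account
    _event("snap-0ddd", "add", {"userId": "444444444444"}, "Client.UnauthorizedOperation"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot"},  # unrelated
]

def external_shares(event, trusted):
    """Return the principals this event newly shares a snapshot with, minus trusted ones."""
    if (event.get("eventSource"), event.get("eventName")) != ("ec2.amazonaws.com", "ModifySnapshotAttribute"):
        return []
    if event.get("errorCode"):
        return []  # the call failed, so no permission changed
    params = event.get("requestParameters") or {}
    added = ((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or []
    allowed = set(trusted) | {event.get("recipientAccountId")}
    hits = []
    for item in added:
        if item.get("group") == "all":
            hits.append("all (public)")
        elif item.get("userId") and item["userId"] not in allowed:
            hits.append(item["userId"])
    return hits

def detect(events, trusted=frozenset()):
    """Return (snapshot_id, principals) for every event that shares outside `trusted`."""
    found = [(e, external_shares(e, trusted)) for e in events]
    return [(e["requestParameters"]["snapshotId"], hits) for e, hits in found if hits]
```

Calling `detect(SAMPLE_EVENTS, TRUSTED)` flags the detonation and the public share only; the revert, the trusted-account share and the failed call stay silent.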
The diagram below illustrates the different states in which an attack technique can be.
Stratus Red Team is a self-contained Go binary, embedding all the attack techniques it supports emulating.
You can list available attack techniques using:
Detonating a specific attack technique is as simple as running:
You will get an output similar to:
2022/01/18 22:32:11 Checking your authentication against the AWS API
2022/01/18 22:32:12 Warming up aws.exfiltration.ec2-share-ebs-snapshot
2022/01/18 22:32:12 Initializing Terraform
2022/01/18 22:32:19 Applying Terraform
2022/01/18 22:32:43 Sharing the volume snapshot with an external AWS account ID...
You can then clean up any leftovers from the technique, which in this case will remove the EBS volume and EBS snapshot:
Connecting to your cloud account
Stratus Red Team currently supports AWS and Kubernetes.
Stratus Red Team is meant to be used against a sandbox cloud account that does not handle production workloads or infrastructure.
In order to use Stratus attack techniques against AWS, you need to be authenticated prior to running it, for instance:
- Using static credentials in ~/.aws/config, and setting your desired AWS profile using
Stratus Red Team does not create a Kubernetes cluster for you. Instead, it assumes you're already authenticated against a test Kubernetes cluster with kubectl and uses your default context.
As a rule of thumb, Stratus Red Team detonates attack techniques against the cluster you see when running
Tested with Minikube and AWS EKS.
While Stratus Red Team uses Terraform under the hood, it doesn't mess with your current Terraform install nor does it require you to install Terraform as a prerequisite. Stratus Red Team will download its own Terraform binary in