Light

datadog / stratus-red-team Goto Github PK

View Code? Open in Web Editor NEW

1.6K 32.0 190.0 2.77 MB

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud

Home Page: https://stratus-red-team.cloud

License: Apache License 2.0

Go 77.92% HCL 20.55% Makefile 0.35% Dockerfile 0.14% Smarty 0.37% Ruby 0.49% Shell 0.17%

aws adversary-emulation purple-team mitre-attack cloud-security cloud-native-security detection-engineering threat-detection security aws-security

stratus-red-team's Introduction

Stratus Red Team

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.

Read the announcement blog posts:

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:

Stratus Red Team Concepts
Installing Stratus Red Team - Homebrew formula, Docker image and pre-built binaries available
Available Attack Techniques, mapped to MITRE ATT&CK

Installation

Direct install (requires Go 1.18+):

go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

Homebrew:

brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
brew install datadog/stratus-red-team/stratus-red-team

Linux / Windows / Mac OS: Download one of the pre-built binaries.
Docker:

IMAGE="ghcr.io/datadog/stratus-red-team"
alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

Community

The following section lists posts and projects from the community leveraging Stratus Red Team.

Open-source projects:

Videos:

Blog posts:

Talks:

Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team, DEF CON Cloud Village 2022 (recorded after the event as the talks were not recorded)
Threat-Driven Development with Stratus Red Team by Ryan Marcotte Cobb
Cloudy With a Chance of Purple Rain: Leveraging Stratus Red Team - BSides Portland 2022

Papers:

A Purple Team Approach to Attack Automation in the Cloud Native Environment

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building Locally

make
./bin/stratus --help

Running Locally

go run cmd/stratus/*.go list

Running the Tests

make test

Building the Documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Maintainer: @christophetd

Similar projects (see how Stratus Red Team compares):

Atomic Red Team by Red Canary
Leonidas by F-Secure
pacu by Rhino Security Labs
Amazon GuardDuty Tester
CloudGoat by Rhino Security Labs

Inspiration and relevant resources:

stratus-red-team's People

Contributors

Stargazers

Watchers

Forkers

bharadwajyas amarjitghuman sulaimanzai vektroi-d zprian waynekearns dev1nagy midnightslacker beerandgin sunnyneo jonz-secops superuser5 edevops09 whorahul gavz jonaskriks zha0 xee5ch sedhu12-05 fiberoptic100 ctfbuster smbowen mccormickt guptarohit suryatmodulus abdennebi-forks svalentino joker2013 justinforbes dev0x41 hehacks ddup1 affix lyrl jotaah123 blackhatethicalhacking 5m7x magnologan lolici123 ttmyst vishnuraju lawiet47 watch-dog-man watsonso wiredaem0n cutff mchaffe sec-fork 3as0n dtuncle edsaqw wyu0hop danymello timb-machine-mirrors araiaan netcode geliuz kingofthebeat gregiss pondim run0nceex shantanu561993 brandongdossantos leomatias juliendoutre andrewkrug 0xdeadbeefjerky rcobb-scwx l4r1k rafiq0007 oodog0126 sashka3076 djengineer n0n5m1l3 tommalvoriddle chaobingya marciopocebon kact929 0xsojalsec nanaao rileydakota max-power15 allan-ou alnash28-stash 5l1v3r1 ryan-detect-dot-dev tnv0 jitanderverma datawiz0 ahlfors skyn9ne raesene varunsh-coder nix-xin v4nyl roisec pandora-research niranajn006 michft bigbrobro

stratus-red-team's Issues

Add download badge

Shell autocompletion of attack technique IDs

Fix state machine transition in docs

Cold -> Detonate shouldn't be possible. Maybe show CMD paths (i.e. stratus detonate first warms up, then detonates)

Add note in docs about future platforms

Document permissions required to run Stratus Red Team, in sandbox account

Use goreleaser to push pre-built binaries to Github on every tag

Add more detailed explanation in attack techniques description

Typically, "backdoor s3 bucket" should contain the backdoored bucket policy in the description

Write down comparison with similar existing tools

https://github.com/FSecureLABS/leonidas
Atomic Red Team
fwd:cloudsec talk (full scenarios)

Parallelize actions when passing multiple attack techniques

Warm-up, clean-up, revert, detonate

Usage of ssm:StartSession on multiple instances

HomeBrew formula is one version behind

Add GitHub PR and issue template

PR template
Issue template

Docs enhancements before open-sourcing

Move the state machine diagram to an "advanced" section
Add "Motivation & problem statement" to homepage
Talk about the pyramid of pain in the philosophy section to state we focus on behavioral, not IoCs
Add CloudGoat to comparison

Usage of sts:GetFederationToken on multiple IAM users

Make repository public

Then, need to check:

Programmatic instructions (#5)
Installation instructions
Homebrew install instructions (#1)
Docker installation instructions

Add programmatic examples to Github + unit test

"Using as a CLI v.s. Using as a library"

document how to do your own

Add license of third-party components

Document design choices and inner workings

Add CONTRIBUTING documentation

Attack technique: Make an AMI public

Add coloring to statuses

Attack technique: Creation of a privileged EC2 instance profile

Fix CLI help on subcommands

Add note on running in sandbox account

Enable Github Pages

... once repo is public (#7)

Verify code signing requirements on Mac OS

Downloading the binary on Mac OS raises warnings on unsigned code. Check if it's the same on Homebrew

Attack technique: Stealing EC2 instance credentials from the metadata service

Add stratus cleanup --all command

Implement "revert" on TTPs

stratus revert should call the "revert" function of a TTP, when we want to detonate a TTP multiple times and cleanup is needed. For instance, attaching a policy to a user.

Document aws-vault --no-session flag

Add detection leads to attack techniques

As discussed with @xen0ldog, we'll include some detection ideas and leads but no precise detection logic

Automatically generate docs

Will need the repo to be made public before, #6

Support GCP attack techniques

Discussion detection in the FAQ

Create naming convention for resources created by Stratus Red Team

Usage of ec2instanceconnect:SendSSHKey on multiple instances

Add idempotency concept to TTPs and runner

Support Kubernetes attack techniques

Remove MITRE ATT&CK mapping in the technique names

Create backlog of future attack techniques

Privesc techniques
sts:GetFederationToken
SSM-SendCommand / SSM-StartSession
EC2InstanceConnect-SendSSHKey

Create homebrew formula

Create homebrew formula code
Update the docs to make sure it is up to date
Update the README

Write commands reference

Write documentation on programmatic usage

Generate and make available godoc for programmatic usage

Allow adding arbitrary tags on attack techniques for filtering

Implementation:

Add Tags to the AttackTechnique structure (array of strings)
Add a --tags parameter in the CLI command list
Show the tags in the docs

Sample tags we'd want: ec2, s3, ...

Ensure all TTPs are displaying the name of the resources they create

At least aws.persistence.backdoor-iam-role is missing it (role name)

Add guardduty-tester to the comparison of similar tools

See also #19

https://github.com/awslabs/amazon-guardduty-tester/blob/master/guardduty_tester.sh

Support Azure attack techniques

Attack technique: Attempt to leave the organization

(access denied)

Add a way to mark a technique as "slow"

... or a more generic "tag system" displaying a badge next to the attack technique name:

Slow
Fast
Expensive
Sighted in real attacks

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.