Panther-enhanced fork of Stratus Red Team

Stratus Red Team is an open-source adversary emulation tool that lets you validate the security of your cloud environments by replicating offensive attack techniques in a granular and self-contained manner. It can be thought of as Atomic Red Team™ for the cloud.

This repository is a Panther-enhanced fork of Stratus Red Team that adds end-to-end integration testing for detection engineering. Instead of using fabricated test cases that may not match production logs, you can use this fork to generate authentic log data, allowing for better attack simulation and detection validation.

Why perform end-to-end testing?

Traditional detection testing uses theoretical log samples that may differ from real-world patterns. This approach:

• Generates authentic logs from actual attack simulations
• Tests the complete pipeline from log collection to alerting
• Enables test-driven detection development with real attack patterns
• Provides confidence that idle detection rules will work when attacks occur

Panther enhancements

Custom prefix support

Use --prefix to avoid "stratus-red-team" detection by AI systems:

stratus detonate aws.persistence.iam-create-admin-user --prefix "security-test"

Additional attack techniques

Enhanced AI/Bedrock security testing:

• aws.defense-evasion.bedrock-guardrail-delete - Delete AI safety guardrails
• aws.defense-evasion.bedrock-model-invocation-logging-delete - Disrupt AI activity monitoring
• aws.impact.bedrock-converse-guardrail-trigger - Test guardrail limits via Converse API
• aws.impact.bedrock-invoke-model-guardrail-trigger - Test guardrail limits via InvokeModel API
• aws.persistence.iam-create-admin-user - Customized to print access key ID
• gcp.privilege-escalation.tag-based-privilege-escalation - Escalate GCP compute privileges via conditional access tags

Detection Workflow

1. Run attack simulations to generate authentic logs
2. Export CloudTrail/application logs
3. Create test fixtures using the logs you exported
4. Write detections
5. Re-run attack simulations to validate your pipeline end-to-end

Related projects and talks

Grimoire

Panther also has a fork of Grimoire, which you can use for end-to-end detection testing automation

Talks

• Incorporating End to End Integration Testing into your Detection Engineering Workflow - Open Cloud Security Conference (short version)
• Incorporating End to End Integration Testing into your Detection Engineering Workflow - BSides Boulder (full version) - link TBD

Read the announcement blog posts:

• https://www.datadoghq.com/blog/cyber-attack-simulation-with-stratus-red-team/
• https://blog.christophetd.fr/introducing-stratus-red-team-an-adversary-emulation-tool-for-the-cloud/

Getting Started

Stratus Red Team is a self-contained Go binary.

See the documentation at stratus-red-team.cloud:

• Stratus Red Team Concepts

• Installing Stratus Red Team - Homebrew formula, Docker image and pre-built binaries available

• Available Attack Techniques, mapped to MITRE ATT&CK

Installation

Direct install

Requires Go 1.22+

go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest

Homebrew

brew tap datadog/stratus-red-team https://github.com/DataDog/stratus-red-team
brew install datadog/stratus-red-team/stratus-red-team

Pre-build binaries

For Linux / Windows / Mac OS: download one of the pre-built binaries.

Docker

IMAGE="ghcr.io/datadog/stratus-red-team"
alias stratus="docker run --rm -v $HOME/.stratus-red-team/:/root/.stratus-red-team/ -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION $IMAGE"

asdf

You can install specific versions (or latest) of stratus-red-team using asdf and this stratus-red-team plugin:

asdf plugin add stratus-red-team https://github.com/asdf-community/asdf-stratus-red-team.git
asdf install stratus-red-team latest

Community

The following section lists posts and projects from the community leveraging Stratus Red Team.

Open-source projects:

• Threatest
• AWS Threat Detection with Stratus Red Team

Videos:

• Reproducing common attacks in the cloud with Stratus Red Team
• Stratus Red Team: AWS EC2 Instance Credential Theft | Threat SnapShot
• Automated Attack Simulation in AWS for Red Teaming

Blog posts:

• AWS threat emulation and detection validation with Stratus Red Team and Datadog Cloud SIEM
• Adversary emulation on AWS with Stratus Red Team and Wazuh
• Sky’s the Limit: Stratus Red Team for Azure
• Detecting realistic AWS cloud-attacks using Azure Sentinel
• A Data Driven Comparison of Open Source Adversary Emulation Tools
• Making Security Relevant in the Cloud
• Detonating attacks with Datadog Stratus Red Team
• AWS CloudTrail cheatsheet
• Adversary emulation on GCP with Stratus Red Team and Wazuh
• Automated First-Response in AWS using Sigma and Athena
• AWS Cloud Detection Lab: Cloud Pen-testing with Stratus Red Team

Talks:

• Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team, DEF CON Cloud Village 2022 (recorded after the event as the talks were not recorded)
• Threat-Driven Development with Stratus Red Team by Ryan Marcotte Cobb
• Cloudy With a Chance of Purple Rain: Leveraging Stratus Red Team - BSides Portland 2022

Papers:

• A Purple Team Approach to Attack Automation in the Cloud Native Environment

Using Stratus Red Team as a Go Library

See Examples and Programmatic Usage.

Development

Building Locally

make
./bin/stratus --help

Running Locally

go run cmd/stratus/*.go list

Running the Tests

make test

Building the Documentation

For local usage:

pip install mkdocs-material mkdocs-awesome-pages-plugin

make docs
mkdocs serve

Acknowledgments

Maintainer: @christophetd

Similar projects (see how Stratus Red Team compares):

• Atomic Red Team by Red Canary
• Leonidas by F-Secure
• pacu by Rhino Security Labs
• Amazon GuardDuty Tester
• CloudGoat by Rhino Security Labs

Inspiration and relevant resources:

• https://expel.io/blog/mind-map-for-aws-investigations/
• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
• https://github.com/elastic/detection-rules/tree/main/rules/integrations/aws