AWS Cloud Detection Lab 1️⃣🪢🖇️: Cloud Pen-testing with Stratus Red Team tool

~ goody
9 min read · May 22, 2024

Advanced Persistent Threat (APT) actors are known for their sophisticated and continuous cyber-attacks targeting specific organizations, often intending to steal data or disrupt operations. In cloud environments, APT actors exploit various vulnerabilities, from misconfigured services to weak authentication mechanisms, to gain prolonged and stealthy access to valuable resources.

The Stratus Red Team tool by DataDog is designed to counter cyber threats by simulating real-world attacks on cloud platforms such as AWS, Azure, Kubernetes, and GCP. This open-source platform mimics a variety of attacks such as privilege escalation, lateral movement, and data exfiltration, allowing organizations to comprehensively test their defenses and validate their detection mechanisms.

This blog post covers the concept of the Stratus Red Team, its setup within AWS, and how cyber-defenders can utilize this tool to better understand and combat real-world adversaries.

Key concepts of Stratus Red Team

Stratus Red Team by Datadog is a collection of cloud-native attacks written in the Go programming language. It contains various red team automated attacks for AWS, Azure, Kubernetes, and GCP. All the attacks are mapped with MITRE ATT&CK tactics and executed via CLI.

State Machine of a Stratus Attack Technique

The Stratus Red Team tool has four core states in which an attack technique can exist. Behind the scenes, Stratus Red Team uses Terraform to spin up and tear down the prerequisites of each attack technique as it moves between states. The states are detailed as follows:

  1. Warming up state is the preliminary phase for the attack technique, in which all prerequisites are created without detonating it. Initially, all attacks are in a cold state.
  2. Detonating state means that an attack technique is executed in a live environment, such as a sandbox test AWS account.
  3. Reverting state means that an attack technique in the detonation state is stopped or canceled after it causes a side effect.
  4. Cleaning up state means removing all created infrastructure resources and ensuring that none remain in the AWS environment. This sets the infrastructure in a cold state.

Configuring AWS IAM User Access Credentials for Simulation with Stratus Red Team

The Stratus Red Team tool simulates sophisticated Advanced Persistent Threat (APT) attack techniques that mimic real-world adversaries. The workflow below demonstrates how this adversary simulation tool conducts automated attacks against an AWS sandbox account, thereby replicating the tactics of potential adversaries.

The simulated attack activities on an AWS sandbox account are logged by the Amazon CloudTrail service. This service records all API calls and events, generating logs that are essential for security assessments, identifying potential security gaps, and improving governance, compliance, operational auditing, and risk auditing.

Adversary Attack workflow

Stay tuned for the next blog on “AWS Cloud Detection Lab II: Emulation of APT attacks with Stratus Red Team tool”

🕵️‍♂️Setting Up Stratus Red Team with an AWS IAM user account!!🔗💨🚨

Create an IAM user with Access Key Credentials from the AWS Console

  • Navigate to the AWS console search box at the top and search for IAM.
  • Navigate to the IAM Page and click on “Create user”
  • On the Create User page, enter IAM user details ( In this lab, Huge-log-attack-simulation) and click Next.
  • On the Set permissions page, select Attach policies directly, then search for and select the AdministratorAccess policy. Then, click the Next button.
  • Review the details and click on the button Create User

The IAM user “Huge-log-attack-simulation” is successfully created.

Create Programmatic Access key Creds For IAM User

  • Click on the IAM user “Huge-log-attack-simulation”
  • On the IAM user Page, click on the “Security Credentials” Tab.
  • Under the Security credentials Tab, scroll down to the Access keys Section and click on the button “Create access key”.
  • On the Create Access key Page, Select “Command Line Interface (CLI)” and check the confirmation box “I understand the above recommendation and want to proceed to create an access key.” Then, click Next.
  • On Set description tag (Optional) or enter “Huge-log-attack-simulation access key”. Then click on the Create Access key button.
  • Access Key is successfully created. Click Download .csv file to save the access keys on your local PC.

Download and Install AWS CLIv2 on Linux

Check here for a guide on installing on other operating systems such as macOS and Windows.

  • Run the command to install AWS CLI on Linux
if [ -f /etc/lsb-release ]; then sudo apt-get update -y && sudo apt-get install -y unzip; elif [ -f /etc/centos-release ]; then sudo yum update -y && sudo yum install -y unzip; else echo "Unsupported OS. Can't install unzip."; fi
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
  • Run the command to check the version: aws --version

AWS CLI profile and Stratus tool set-up on Linux

  • Run the command below and use the IAM user (Huge-log-attack-simulation) Access keys created in previous steps to set up on AWS CLI.

In this blog, the profile name used is “huge-simu-attack” (The name can be replaced with anything)

$aws configure --profile huge-simu-attack
  • Run the command to check if the profile is successfully created
$aws sts get-caller-identity --profile huge-simu-attack

Installing Stratus

Check here for the latest release for Linux.

  • Run the command to download and extract the stratus tool from GitHub
wget https://github.com/DataDog/stratus-red-team/releases/download/v2.14.0/stratus-red-team_Linux_x86_64.tar.gz
tar xvf stratus-red-team_Linux_x86_64.tar.gz
  • Desktop View of the stratus tool after downloading it.
  • Run the command to move the Stratus Red Team Executable to a PATH Directory.
$sudo mv stratus /usr/local/bin/
  • Run the command stratus version to confirm the version of the stratus tool.

Connecting Stratus Red Team tool with the IAM User account🪗🕵️‍♂️

  • Run the command to link your AWS Credentials with the Stratus tool (Export your profile and region as environment variables for Stratus)

-----------------------------------------------------------------
export AWS_PROFILE=<AWS_PROFILE_NAME>
export AWS_REGION=<AWS_REGION>

Replace <AWS_REGION> with your AWS region and <AWS_PROFILE_NAME> with your current profile.

-------------------------------------------------------------------
# In this blog run this !! Change the profile and Region
export AWS_PROFILE=huge-simu-attack
export AWS_REGION=eu-west-1

Stratus Attack Simulation🧪🚀

For AWS alone, Stratus consists of over 37 attack techniques that can be used to perform attack emulation, covering various MITRE ATT&CK tactics such as Credential Access, Defense Evasion, Discovery, Execution, Privilege Escalation, Exfiltration, and Impact, as shown in the image below.

List of attack Techniques for AWS

Stratus Red Team Commands🧬⚖️

The following consists of Stratus commands that are used to execute various attack techniques in a targeted cloud environment, simulating real-world scenarios.

  • Stratus List ↔️ Usage: Run the commands below to view the list of techniques for AWS.
#List all available attack techniques
$stratus list

#List available attack techniques for AWS
$stratus list --platform aws

# List available attack techniques for the MITRE ATT&CK 'persistence' tactic
$stratus list --platform aws --mitre-attack-tactic persistence
  • Stratus Status ↔️ Usage: Run the command to list the current state of available attack techniques.

For example: when attack techniques are executed, security teams can run the command below to view the current state of each technique (see: Key concepts of Stratus Red Team).

$stratus status
  • Stratus Show ↔️ Usage: Run the command below to display more information about an attack technique.

For example: The attack technique “Steal EC2 Instance Credentials” when executed simulates the theft of EC2 instance credentials from the Instance Metadata Service.

$stratus show aws.credential-access.ec2-steal-instance-credentials
  • Stratus Warmup ↔️ Usage: Run the command below to spin up the prerequisite infrastructure or configuration, without detonating the attack technique.

For example, the Steal EC2 Instance Credentials attack technique first sets up the necessary infrastructure, like an EC2 instance and a VPC, before it carries out the attack to steal credentials from the Instance Metadata Service.

# Warm up an attack technique
$stratus warmup aws.credential-access.ec2-steal-instance-credentials

# Warm up multiple attack techniques (technique IDs are separated by spaces)
$stratus warmup aws.credential-access.ec2-steal-instance-credentials aws.defense-evasion.cloudtrail-stop

# (advanced) Warm up again an attack technique that was already WARM, to ensure its prerequisites are met
$stratus warmup aws.credential-access.ec2-steal-instance-credentials --force
  • Stratus Detonate ↔️ Usage: Run the command below to detonate an attack technique.

The “Detonate” state executes an attack technique. If the technique was previously warmed up using stratus warmup, it will not be warmed up again. Otherwise, stratus detonate will automatically warm up the technique before detonating it.

# Detonate an attack technique
$stratus detonate aws.credential-access.ec2-steal-instance-credentials

# Detonate multiple attack techniques
$stratus detonate aws.credential-access.ec2-steal-instance-credentials aws.defense-evasion.cloudtrail-stop

# Detonate an attack technique, then automatically clean up any resources deployed on AWS
$stratus detonate aws.credential-access.ec2-steal-instance-credentials --cleanup
  • Stratus Revert ↔️ Usage: Run the command below to Revert an attack technique.

The “Revert” state is used for attack techniques that are not idempotent, meaning they can’t be detonated multiple times because of their side effects. For instance, Stop a CloudTrail Trail stops a CloudTrail Trail when detonated. Consequently, it cannot be detonated again (as the Trail has already been stopped) until it is reverted.

# Revert an attack technique
$stratus revert aws.defense-evasion.cloudtrail-stop
  • Stratus Cleanup ↔️ Usage: Run the command below to clean up the attack technique in a live cloud environment.
# Clean up an attack technique
$stratus cleanup aws.defense-evasion.cloudtrail-stop

# Clean up all attack techniques that can be cleaned up
$stratus cleanup --all

Stratus Revert Vs Stratus Cleanup

✍️Conclusion

As Advanced Persistent Threat (APT) actors continue to evolve, becoming more sophisticated in their TTPs, it is crucial for security teams to not only conduct regular security assessments but also continuously update and refine their defense strategies and detection rules to improve the security posture of their AWS accounts. This involves staying abreast of the latest threat intelligence, implementing advanced monitoring tools, and conducting routine penetration tests and red team exercises to identify and mitigate vulnerabilities before they can be exploited.

🚨 Next blog Alert 🚨

Stay tuned for a new blog on “AWS Cloud Detection Lab II: Emulation of APT attacks with Stratus Red Team tool”. The blog will cover how to use the Stratus Red Team tool to simulate different APT attack techniques, and how to use Amazon Athena’s SQL logic to analyze CloudTrail logs for signs of these APT activities. Additionally, we’ll explore how to map these simulated attacks to the MITRE ATT&CK Cloud Matrix, providing a comprehensive approach to both simulating and detecting cloud-based threats.

Let’s connect via Linkedin || Twitter || Hashnode

~ goody

Cloud☁️ Security || C☁️d Threat🐝 Detection 🕵️‍♂️ ||