If you're already familiar with Terraform, feel free to hop over to the to grab and deploy the code. Otherwise, stick around and we'll walk through it together!
Overview
In this lab, we'll explore a free tool from DataDog called . To keep things short, I'll just refer to it as "stratus" from here on out. Stratus enables us to simulate adversarial attacks against cloud environments like AWS using attack techniques aligned to . It's a useful tool for evaluating our defenses and ensuring the ability to detect these techniques. We'll take a look at how we can use GuardDuty to detect some of these threats although it will not be able to detect everything. This is why it's crucial to continuously be testing our detection ability.
Deployment
Cost Alert
AWS GuardDuty is a paid service. Enabling related protection plans and features has an additional cost.
Stratus Red Team deploys resources to your account, so depending on the attacks you choose to use, there may be additional costs.
# clone the AWS Security Cookbook repository
git clone https://github.com/Ty182/AWS-Security-Cookbook-by-Tyler
# navigate to AWS GuardDuty directory
cd AWS_Cookbook_by_Tyler/recipes/aws_guardduty/Lab:Deploying_AWS_GuardDuty_via_Terraform
# initialize the directory and download the required terraform providers
terraform init
# check formatting and validate the syntax is correct
terraform fmt && terraform validate
# check the resources that will be created
terraform plan
# deploy the resources
terraform apply
Validating Deployment
Make sure that your GuardDuty instance is functioning. You can run this command to check the presence of a detector. (Your detector id will be different)
Give this some time for the detection to show up. For me it took 17 minutes before the finding was available.
Clicking into this detection we can get some more info about the attack and the resources impacted.
Cleaning up the attack
stratus cleanup aws.defense-evasion.cloudtrail-stop --force
2025/04/07 22:38:48 Cleaning up aws.defense-evasion.cloudtrail-stop
2025/04/07 22:38:48 Cleaning up technique prerequisites with terraform destroy
+-------------------------------------+-----------------------+--------+
| ID | NAME | STATUS |
+-------------------------------------+-----------------------+--------+
| aws.defense-evasion.cloudtrail-stop | Stop CloudTrail Trail | COLD |
+-------------------------------------+-----------------------+--------+
S3 Ransomeware via Client-Side Encryption
Detonating the attack
stratus detonate aws.impact.s3-ransomware-client-side-encryption
2025/04/07 22:46:17 Checking your authentication against AWS
2025/04/07 22:46:19 Warming up aws.impact.s3-ransomware-client-side-encryption
2025/04/07 22:46:19 Initializing Terraform to spin up technique prerequisites
2025/04/07 22:46:24 Applying Terraform to spin up technique prerequisites
2025/04/07 22:46:36 S3 bucket stratus-red-team-ransomware-bucket-snqkxj containing 51 fake objects ready
2025/04/07 22:46:36 Simulating a ransomware attack on bucket stratus-red-team-ransomware-bucket-snqkxj
2025/04/07 22:46:40 Successfully downloaded all objects from the bucket
2025/04/07 22:46:40 Listing objects in bucket stratus-red-team-ransomware-bucket-snqkxj
2025/04/07 22:46:40 Found 51 objects to encrypt
2025/04/07 22:46:40 Encrypting all objects one by one with the secret AES256 encryption key '427fc7323cfb4b58f630789d372476fb'
2025/04/07 22:46:45 Successfully encrypted all objects in the bucket
2025/04/07 22:46:45 Uploading fake ransom note
Detecting the attack
Give this some time for the detection to show up. For me it took nearly an hour before the finding was available.
Clicking into this detection we can get some more info about the attack and the resources impacted.
Cleaning up the attack
stratus cleanup aws.impact.s3-ransomware-client-side-encryption --all --force
2025/04/07 22:50:16 Cleaning up aws.impact.s3-ransomware-client-side-encryption
2025/04/07 22:50:16 Reverting detonation of technique aws.impact.s3-ransomware-client-side-encryption
2025/04/07 22:50:16 Decrypting all files in the bucket
2025/04/07 22:50:16 Listing objects in bucket stratus-red-team-ransomware-bucket-snqkxj
2025/04/07 22:50:17 Found 52 objects to encrypt
2025/04/07 22:50:17 Decrypting all objects one by one with the secret AES256 encryption key '427fc7323cfb4b58f630789d372476fb'
2025/04/07 22:50:29 Successfully encrypted all objects in the bucket
2025/04/07 22:50:29 Cleaning up technique prerequisites with terraform destroy
+-------------------------------------------------+----------------------------------------------+--------+
| ID | NAME | STATUS |
+-------------------------------------------------+----------------------------------------------+--------+
| aws.impact.s3-ransomware-client-side-encryption | S3 Ransomware through client-side encryption | COLD |
+-------------------------------------------------+----------------------------------------------+--------+
Backdoor an IAM User
AWS GuardDuty will not detect this technique unless it can be correlated with other anomalous/suspicious activity. Stratus creates an IAM Access Key for an IAM User which is a technique adversaries might use to maintain access in an environment. IAM Users can have up to 2 access keys.
Detonating the attack
stratus detonate aws.persistence.iam-backdoor-user
2025/04/07 22:16:11 Checking your authentication against AWS
2025/04/07 22:16:13 Warming up aws.persistence.iam-backdoor-user
2025/04/07 22:16:13 Initializing Terraform to spin up technique prerequisites
2025/04/07 22:16:19 Applying Terraform to spin up technique prerequisites
2025/04/07 22:16:24 IAM user stratus-red-team-backdoor-u-user ready
2025/04/07 22:16:24 Creating access key on legit IAM user to simulate backdoor
2025/04/07 22:16:24 Successfully created access key AKIA[SNIP]
As mentioned, GuardDuty doesn't pick up on this particular action unless the access key is later used for malicious/anomalous activity which can be picked up by other GuardDuty findings types. However, we can rely on CloudTrail logs to discover the activity (and the same can be done for the other attacks).
If there isn't a CloudTrail lab by the time you're reading this, I'll have one in the future.
The CloudTrail event name is called CreateAccessKey and the raw log can be seen below.
stratus cleanup aws.persistence.iam-backdoor-user --all --force
2025/04/07 23:28:18 Cleaning up aws.persistence.iam-backdoor-user
2025/04/07 23:28:18 Cleaning up technique prerequisites with terraform destroy
+-----------------------------------+-------------------------------------+--------+
| ID | NAME | STATUS |
+-----------------------------------+-------------------------------------+--------+
| aws.persistence.iam-backdoor-user | Create an Access Key on an IAM User | COLD |
+-----------------------------------+-------------------------------------+--------+
Cleanup
Clean up the resources
Avoid unnecessary costs by deleting the created resources (your GuardDuty deployment)
terraform destroy
This should delete all resources created by Stratus
The official GitHub repo for stratus provides . I'll be using Homebrew to install like so,
Stratus provides nice documentation so I won't duplicate here. Check out the or view all the to dive deeper.
AWS GuardDuty is able to detect when CloudTrail logging gets disabled via without enabling additional protection plans. Stratus can be used to test the detection. It works by creating a new CloudTrail trail and then stopping the trail.
AWS GuardDuty detected this S3 ransomware attack via which requires the S3 Protection Plan. Stratus can be used to test the detection. It works by creating an S3 bucket with objects and then re-encrypting them with an external KMS key thereby mimicking a ransomware attack.
