For attack techniques that have a revert function in Stratus Red Team, this function is called before cleaning up: https://github.com/DataDog/stratus-red-team/blob/main/v2/pkg/stratus/runner/runner.go#L182-L192
This causes these logs to have the same UA as the detonation and be included to the logs that Grimoire pulls.
Potential solutions:
- Modify Stratus Red Team to not call
revert on cleanup (would require making sure this works for every technique)
- Modify Stratus Red Team to use a slightly different UA when doing
revert (e.g. stratus-red-team_revert_UUID
For attack techniques that have a
revertfunction in Stratus Red Team, this function is called before cleaning up: https://github.com/DataDog/stratus-red-team/blob/main/v2/pkg/stratus/runner/runner.go#L182-L192This causes these logs to have the same UA as the detonation and be included to the logs that Grimoire pulls.
Potential solutions:
reverton cleanup (would require making sure this works for every technique)revert(e.g.stratus-red-team_revert_UUID