Use consistent naming convention for all attack technique IDs

cmd/stratus/cleanup_cmd.go

@@ -16,7 +16,7 @@ func buildCleanupCmd() *cobra.Command {
 		Use:                   "cleanup [attack-technique-id]... | --all",
 		Aliases:               []string{"clean"},
 		Short:                 "Cleans up any leftover infrastructure or configuration from a TTP.",
-		Example:               "stratus cleanup aws.defense-evasion.stop-cloudtrail\nstratus cleanup --all",
+		Example:               "stratus cleanup aws.defense-evasion.cloudtrail-stop\nstratus cleanup --all",
 		DisableFlagsInUseLine: true,
 		Args: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 0 && flagCleanupAll {

cmd/stratus/detonate_cmd.go

@@ -18,8 +18,8 @@ func buildDetonateCmd() *cobra.Command {
 		Use:   "detonate attack-technique-id [attack-technique-id]...",
 		Short: "Detonate one or multiple attack techniques",
 		Example: strings.Join([]string{
-			"stratus detonate aws.defense-evasion.stop-cloudtrail",
-			"stratus detonate aws.defense-evasion.stop-cloudtrail --cleanup",
+			"stratus detonate aws.defense-evasion.cloudtrail-stop",
+			"stratus detonate aws.defense-evasion.cloudtrail-stop --cleanup",
 		}, "\n"),
 		DisableFlagsInUseLine: true,
 		PreRunE: func(cmd *cobra.Command, args []string) error {

cmd/stratus/revert_cmd.go

@@ -15,7 +15,7 @@ func buildRevertCmd() *cobra.Command {
 	detonateCmd := &cobra.Command{
 		Use:                   "revert attack-technique-id [attack-technique-id]...",
 		Short:                 "Revert the detonation of an attack technique",
-		Example:               "stratus revert aws.defense-evasion.stop-cloudtrail",
+		Example:               "stratus revert aws.defense-evasion.cloudtrail-stop",
 		DisableFlagsInUseLine: true,
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 0 {

cmd/stratus/warmup_cmd.go

@@ -15,7 +15,7 @@ func buildWarmupCmd() *cobra.Command {
 	warmupCmd := &cobra.Command{
 		Use:                   "warmup attack-technique-id [attack-technique-id]...",
 		Short:                 "\"Warm up\" an attack technique by spinning up the prerequisite infrastructure or configuration, without detonating it",
-		Example:               "stratus warmup aws.defense-evasion.stop-cloudtrail",
+		Example:               "stratus warmup aws.defense-evasion.cloudtrail-stop",
 		DisableFlagsInUseLine: true,
 		PreRunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 0 {

docs/attack-techniques/AWS/aws.credential-access.ec2-steal-instance-credentials.md

@@ -0,0 +1,38 @@
+---
+title: Steal EC2 Instance Credentials
+---
+
+# Steal EC2 Instance Credentials
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> 
+ <span class="smallcaps w3-badge w3-blue w3-round w3-text-white" title="This attack technique can be detonated multiple times">idempotent</span> 
+
+Platform: AWS
+
+## MITRE ATT&CK Tactics
+
+
+- Credential Access
+
+## Description
+
+
+Simulates the theft of EC2 instance credentials from the Instance Metadata Service.
+
+<span style="font-variant: small-caps;">Warm-up</span>:
+
+- Create the prerequisite EC2 instance and VPC (takes a few minutes).
+
+<span style="font-variant: small-caps;">Detonation</span>:
+
+- Execute a SSM command on the instance to retrieve temporary credentials
+- Use these credentials locally (outside the instance) to run the following commands:
+	- sts:GetCallerIdentity
+	- ec2:DescribeInstances
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate aws.credential-access.ec2-steal-instance-credentials
+```

docs/attack-techniques/AWS/aws.credential-access.retrieve-all-ssm-parameters.md → docs/attack-techniques/AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md

@@ -32,5 +32,5 @@ Retrieves and decrypts a high number (30) of SSM Parameters available in an AWS
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.credential-access.retrieve-all-ssm-parameters
+stratus detonate aws.credential-access.ssm-retrieve-securestring-parameters
 ```

docs/attack-techniques/AWS/aws.defense-evasion.delete-cloudtrail.md → docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-delete.md

@@ -31,5 +31,5 @@ Delete a CloudTrail trail. Simulates an attacker disrupting CloudTrail logging.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.delete-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-delete
 ```

docs/attack-techniques/AWS/aws.defense-evasion.stop-cloudtrail.md → docs/attack-techniques/AWS/aws.defense-evasion.cloudtrail-stop.md

@@ -31,5 +31,5 @@ Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTra
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-stop
 ```

docs/attack-techniques/AWS/aws.defense-evasion.leave-organization.md → docs/attack-techniques/AWS/aws.defense-evasion.organizations-leave.md

@@ -34,5 +34,5 @@ Leaving the organization can disrupt or totally shut down these controls.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.leave-organization
+stratus detonate aws.defense-evasion.organizations-leave
 ```

docs/attack-techniques/AWS/aws.defense-evasion.remove-vpc-flow-logs.md → docs/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs.md

@@ -31,5 +31,5 @@ Removes a VPC Flog Logs configuration from a VPC.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.defense-evasion.remove-vpc-flow-logs
+stratus detonate aws.defense-evasion.vpc-remove-flow-logs
 ```

docs/attack-techniques/AWS/aws.discovery.basic-enumeration-from-ec2-instance.md → docs/attack-techniques/AWS/aws.discovery.ec2-enumerate-from-instance.md

@@ -43,5 +43,5 @@ The commands will be run under the identity of the EC2 instance role, simulating
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.discovery.basic-enumeration-from-ec2-instance
+stratus detonate aws.discovery.ec2-enumerate-from-instance
 ```

docs/attack-techniques/AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md → docs/attack-techniques/AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md

@@ -31,5 +31,5 @@ Opens ingress traffic on port 22 from the Internet (0.0.0.0/0).
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.open-port-22-ingress-on-security-group
+stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress
 ```

docs/attack-techniques/AWS/aws.exfiltration.ami-sharing.md → docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ami.md

@@ -31,5 +31,5 @@ Exfiltrates an AMI by sharing it with an external AWS account.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.ami-sharing
+stratus detonate aws.exfiltration.ec2-share-ami
 ```

docs/attack-techniques/AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md → docs/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot.md

@@ -31,5 +31,5 @@ Exfiltrates an EBS snapshot by sharing it with an external AWS account.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.ebs-snapshot-shared-with-external-account
+stratus detonate aws.exfiltration.ec2-share-ebs-snapshot
 ```

docs/attack-techniques/AWS/aws.exfiltration.rds-snapshot-sharing.md → docs/attack-techniques/AWS/aws.exfiltration.rds-share-snapshot.md

@@ -32,5 +32,5 @@ Shares a RDS Snapshot with an external AWS account to simulate an attacker exfil
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.rds-snapshot-sharing
+stratus detonate aws.exfiltration.rds-share-snapshot
 ```

docs/attack-techniques/AWS/aws.exfiltration.backdoor-s3-bucket-policy.md → docs/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy.md

@@ -56,5 +56,5 @@ Exfiltrates data from an S3 bucket by backdooring its Bucket Policy to allow acc
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
 ```

docs/attack-techniques/AWS/aws.persistence.backdoor-iam-role.md → docs/attack-techniques/AWS/aws.persistence.iam-backdoor-role.md

@@ -55,5 +55,5 @@ Establishes persistence by backdooring an existing IAM role, allowing it to be a
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-iam-role
+stratus detonate aws.persistence.iam-backdoor-role
 ```

docs/attack-techniques/AWS/aws.persistence.backdoor-iam-user.md → docs/attack-techniques/AWS/aws.persistence.iam-backdoor-user.md

@@ -32,5 +32,5 @@ Establishes persistence by creating an access key on an existing IAM user.
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-iam-user
+stratus detonate aws.persistence.iam-backdoor-user
 ```

docs/attack-techniques/AWS/aws.persistence.malicious-iam-user.md → docs/attack-techniques/AWS/aws.persistence.iam-create-admin-user.md

@@ -30,5 +30,5 @@ Establishes persistence by creating a new IAM user with administrative permissio
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.malicious-iam-user
+stratus detonate aws.persistence.iam-create-admin-user
 ```

docs/attack-techniques/AWS/aws.persistence.iam-user-create-login-profile.md → docs/attack-techniques/AWS/aws.persistence.iam-create-user-login-profile.md

@@ -33,5 +33,5 @@ user intended to be used programmatically through the AWS console usual login pr
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.iam-user-create-login-profile
+stratus detonate aws.persistence.iam-create-user-login-profile
 ```

docs/attack-techniques/AWS/aws.persistence.backdoor-lambda-function.md → docs/attack-techniques/AWS/aws.persistence.lambda-backdoor-function.md

@@ -31,5 +31,5 @@ Establishes persistence by backdooring a lambda function to allow its invocation
 ## Instructions
 
 ```bash title="Detonate with Stratus Red Team"
-stratus detonate aws.persistence.backdoor-lambda-function
+stratus detonate aws.persistence.lambda-backdoor-function
 ```

docs/attack-techniques/AWS/index.md

@@ -8,64 +8,64 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Retrieve EC2 Password Data](./aws.credential-access.ec2-get-password-data.md)
 
-- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-instance-credentials.md)
+- [Steal EC2 Instance Credentials](./aws.credential-access.ec2-steal-instance-credentials.md)
 
 - [Retrieve a High Number of Secrets Manager secrets](./aws.credential-access.secretsmanager-retrieve-secrets.md)
 
-- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.retrieve-all-ssm-parameters.md)
+- [Retrieve And Decrypt SSM Parameters](./aws.credential-access.ssm-retrieve-securestring-parameters.md)
 
 
 ## Defense Evasion
 
+- [Delete CloudTrail Trail](./aws.defense-evasion.cloudtrail-delete.md)
+
 - [Disable CloudTrail Logging Through Event Selectors](./aws.defense-evasion.cloudtrail-event-selectors.md)
 
 - [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./aws.defense-evasion.cloudtrail-lifecycle-rule.md)
 
-- [Delete CloudTrail Trail](./aws.defense-evasion.delete-cloudtrail.md)
-
-- [Stop CloudTrail Trail](./aws.defense-evasion.stop-cloudtrail.md)
+- [Stop CloudTrail Trail](./aws.defense-evasion.cloudtrail-stop.md)
 
-- [Attempt to Leave the AWS Organization](./aws.defense-evasion.leave-organization.md)
+- [Attempt to Leave the AWS Organization](./aws.defense-evasion.organizations-leave.md)
 
-- [Remove VPC Flow Logs](./aws.defense-evasion.remove-vpc-flow-logs.md)
+- [Remove VPC Flow Logs](./aws.defense-evasion.vpc-remove-flow-logs.md)
 
 
 ## Discovery
 
-- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.basic-enumeration-from-ec2-instance.md)
+- [Execute Discovery Commands on an EC2 Instance](./aws.discovery.ec2-enumerate-from-instance.md)
 
 
 ## Exfiltration
 
-- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ami-sharing.md)
+- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.ec2-security-group-open-port-22-ingress.md)
 
-- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ebs-snapshot-shared-with-external-account.md)
+- [Exfiltrate an AMI by Sharing It](./aws.exfiltration.ec2-share-ami.md)
 
-- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-snapshot-sharing.md)
+- [Exfiltrate EBS Snapshot by Sharing It](./aws.exfiltration.ec2-share-ebs-snapshot.md)
 
-- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.backdoor-s3-bucket-policy.md)
+- [Exfiltrate RDS Snapshot by Sharing](./aws.exfiltration.rds-share-snapshot.md)
 
-- [Open Ingress Port 22 on a Security Group](./aws.exfiltration.open-port-22-ingress-on-security-group.md)
+- [Backdoor an S3 Bucket via its Bucket Policy](./aws.exfiltration.s3-backdoor-bucket-policy.md)
 
 
 ## Persistence
 
-- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.backdoor-lambda-function.md)
+- [Backdoor an IAM Role](./aws.persistence.iam-backdoor-role.md)
 
-- [Backdoor an IAM Role](./aws.persistence.backdoor-iam-role.md)
+- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md)
 
-- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md)
+- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
 
-- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md)
+- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
 
-- [Create an administrative IAM User](./aws.persistence.malicious-iam-user.md)
+- [Backdoor Lambda Function Through Resource-Based Policy](./aws.persistence.lambda-backdoor-function.md)
 
 
 ## Privilege Escalation
 
-- [Create an Access Key on an IAM User](./aws.persistence.backdoor-iam-user.md)
+- [Create an Access Key on an IAM User](./aws.persistence.iam-backdoor-user.md)
 
-- [Create a Login Profile on an IAM User](./aws.persistence.iam-user-create-login-profile.md)
+- [Create an administrative IAM User](./aws.persistence.iam-create-admin-user.md)
 
-- [Create an administrative IAM User](./aws.persistence.malicious-iam-user.md)
+- [Create a Login Profile on an IAM User](./aws.persistence.iam-create-user-login-profile.md)
 

docs/attack-techniques/list.md

@@ -10,23 +10,23 @@ This page contains the list of all Stratus Attack Techniques.
 | Name   | Platform | MITRE ATT&CK Tactics |
 | :----: | :------: | :------------------: |
 | [Retrieve EC2 Password Data](./AWS/aws.credential-access.ec2-get-password-data.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Steal EC2 Instance Credentials](./AWS/aws.credential-access.ec2-steal-instance-credentials.md) | [AWS](./AWS/index.md) | Credential Access |
 | [Retrieve a High Number of Secrets Manager secrets](./AWS/aws.credential-access.secretsmanager-retrieve-secrets.md) | [AWS](./AWS/index.md) | Credential Access |
-| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.retrieve-all-ssm-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Retrieve And Decrypt SSM Parameters](./AWS/aws.credential-access.ssm-retrieve-securestring-parameters.md) | [AWS](./AWS/index.md) | Credential Access |
+| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-delete.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [Disable CloudTrail Logging Through Event Selectors](./AWS/aws.defense-evasion.cloudtrail-event-selectors.md) | [AWS](./AWS/index.md) | Defense Evasion |
 | [CloudTrail Logs Impairment Through S3 Lifecycle Rule](./AWS/aws.defense-evasion.cloudtrail-lifecycle-rule.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Delete CloudTrail Trail](./AWS/aws.defense-evasion.delete-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.stop-cloudtrail.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.leave-organization.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.remove-vpc-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
-| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.basic-enumeration-from-ec2-instance.md) | [AWS](./AWS/index.md) | Discovery |
-| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ami-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ebs-snapshot-shared-with-external-account.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-snapshot-sharing.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.backdoor-s3-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.open-port-22-ingress-on-security-group.md) | [AWS](./AWS/index.md) | Exfiltration |
-| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.backdoor-lambda-function.md) | [AWS](./AWS/index.md) | Persistence |
-| [Backdoor an IAM Role](./AWS/aws.persistence.backdoor-iam-role.md) | [AWS](./AWS/index.md) | Persistence |
-| [Create an Access Key on an IAM User](./AWS/aws.persistence.backdoor-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-user-create-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
-| [Create an administrative IAM User](./AWS/aws.persistence.malicious-iam-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Stop CloudTrail Trail](./AWS/aws.defense-evasion.cloudtrail-stop.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Attempt to Leave the AWS Organization](./AWS/aws.defense-evasion.organizations-leave.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Remove VPC Flow Logs](./AWS/aws.defense-evasion.vpc-remove-flow-logs.md) | [AWS](./AWS/index.md) | Defense Evasion |
+| [Execute Discovery Commands on an EC2 Instance](./AWS/aws.discovery.ec2-enumerate-from-instance.md) | [AWS](./AWS/index.md) | Discovery |
+| [Open Ingress Port 22 on a Security Group](./AWS/aws.exfiltration.ec2-security-group-open-port-22-ingress.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate an AMI by Sharing It](./AWS/aws.exfiltration.ec2-share-ami.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate EBS Snapshot by Sharing It](./AWS/aws.exfiltration.ec2-share-ebs-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Exfiltrate RDS Snapshot by Sharing](./AWS/aws.exfiltration.rds-share-snapshot.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Backdoor an S3 Bucket via its Bucket Policy](./AWS/aws.exfiltration.s3-backdoor-bucket-policy.md) | [AWS](./AWS/index.md) | Exfiltration |
+| [Backdoor an IAM Role](./AWS/aws.persistence.iam-backdoor-role.md) | [AWS](./AWS/index.md) | Persistence |
+| [Create an Access Key on an IAM User](./AWS/aws.persistence.iam-backdoor-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Create an administrative IAM User](./AWS/aws.persistence.iam-create-admin-user.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Create a Login Profile on an IAM User](./AWS/aws.persistence.iam-create-user-login-profile.md) | [AWS](./AWS/index.md) | Persistence, Privilege Escalation |
+| [Backdoor Lambda Function Through Resource-Based Policy](./AWS/aws.persistence.lambda-backdoor-function.md) | [AWS](./AWS/index.md) | Persistence |

docs/index.md

@@ -21,7 +21,7 @@ Think of Stratus Red Team as "[Atomic Red Team](https://github.com/redcanaryco/a
 Stratus Red Team is a self-contained binary. You can use it to easily detonate offensive attack techniques against a live cloud environment.
 
 ```bash title="Sample usage - Stopping a CloudTrail Trail (Defense Evasion)"
-stratus detonate aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.defense-evasion.cloudtrail-stop
 ```
 
 The attack techniques are mapped to [MITRE ATT&CK](https://attack.mitre.org/).

docs/user-guide/commands/cleanup.md

@@ -8,7 +8,7 @@ Cleans up any leftover infrastructure from an attack technique.
 ## Sample Usage
 
 ```bash title="Clean up an attack technique"
-stratus cleanup aws.defense-evasion.stop-cloudtrail
+stratus cleanup aws.defense-evasion.cloudtrail-stop
 ```
 
 ```bash title="Clean up all attack techniques that can be cleaned up"

docs/user-guide/commands/detonate.md

@@ -11,13 +11,13 @@ Detonates an attack technique.
 ## Sample Usage
 
 ```bash title="Detonate an attack technique"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
 ```
 
 ```bash title="Detonate multiple attack techniques"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy aws.defense-evasion.stop-cloudtrail
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.cloudtrail-stop
 ```
 
 ```bash title="Detonate an attack technique, then automatically clean up any resources deployed on AWS"
-stratus detonate aws.exfiltration.backdoor-s3-bucket-policy --cleanup
+stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup
 ```