Release history
Stratus Red Team | DataDog releases
cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
All releases
13 shown
v2.31.1
Bug fix
Fixed expired Terraform public key issue when downloading hc-install.
Full changelog
Bugfix
Bumping the hc-install library version to fix a expired pubkey issue when downloading Terraform
Changelog
- ab1e2f9ce93428e8e1fca7f4d2d4a13fdca29280 Brew formula update for stratus-red-team version v2.31.0
- c1b051836478233386778e1ace599dd658c5945c Bump hc-install to o.9.4 to fix tf pubkey expired issue (#839)
- 2fc0e0413d1e0e7ceb264d4286fc17deec0a3fa1 Merge pull request #836 from DataDog/homebrew-update-2.31.0
- e2cd34b27aed63d4c48ca3476aae14b08ab75a56 Update maintainer list (#840)
v2.31.0
New feature
Notable features
- Support for using an S3 bucket to store internal and Terraform state
- Ability to launch the runner with custom StateManager, TerraformManager, ProviderFactory, Config, and CorrelationID options
- Option to use an existing Terraform binary instead of auto‑downloading one
Full changelog
Changelog
New attack techniques:
- Backdoor Azure Managed Identity with Federated Identity Credential (FIC) (Azure) by @siigil
- Backdoor Entra ID application with Federated Identity Credential (FIC) (EntraID) by @siigil
- Attempt to Remove a GCP Project from its Organization (GCP) by @Minosity-VR
- Delete a Cloud DNS Logging Policy (GCP) by @Minosity-VR
- Disable Data Access Audit Logs for a GCP Service (GCP) by @Minosity-VR
- Disable VPC Flow Logs on a Subnet (GCP) by @Minosity-VR
- Disable a GCP Log Sink (GCP) by @Minosity-VR
- Read GCE Instance Metadata via the Compute API (GCP) by @Minosity-VR
- Reduce Log Retention Period on a Cloud Logging Sink Bucket (GCP) by @Minosity-VR
New features:
- e26e2c6779ee1a0d5f35c0252605a1f3a5eb6565 Programatic usage now supports using a S3 bucket for internal and terraform state (#834)
- 09d59fa3da9ce8730e79c07b76e177cf6da6b0db Programmatic usage now supports options to launch the runner with custom StateManager, TerraformManager, ProviderFactory, Config, and CorrelationID (#817)
- 23d67d2456cb602b9439256b8a93831ed3c7d19c Programmatic usage now supports using an existing terraform binary instead of downloading its own (#819)
- 8b93c93b6d41fb9d01376a88a362fb9f7449c1dd Programmatic usage now supports running the runner with configurable cloud credentials rather than relying on the environment (#832)
Chores
- eb00e09d05c10dc5d863caf2e665f5a1885bda6b Brew formula update for stratus-red-team version v2.30.0 (#816)
- d6e0077f54b5ed8a5354a483680fe46dcc41c959 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#812)
- 30c4576acfd24e3651043aeadd5087a6717590f3 Bump dominikh/staticcheck-action from 1.4.0 to 1.4.1 (#811)
- bd72c7bc3e18c9e3792736fe89d982b31b11ebfb Bump github/codeql-action from 3.30.5 to 4.34.1 (#813)
- 3ea7acb86fb1a310f757498f6288f3e82bf30bf3 Bump hashicorp/setup-terraform from 3.1.2 to 4.0.0 (#814)
- 4aaaa8b2c11a4798781df3778711ad80dcb33df9 Bump step-security/harden-runner from 2.15.0 to 2.16.0 (#815)
v2.30.0
New feature
Notable features
- Support for YAML configuration files
Full changelog
Changelog
New features:
- 53c92120cddf8851deaba184632c14a0bada0f6b Stratus Red Team now supports a YAML configuration file (#721). See the documentation: https://stratus-red-team.cloud/user-guide/getting-started/#configuration-file
Docs enhancements:
- 67045a5b598b8204ca28b93f260898071f96194b [cmd] - Add example for CLI expand (#763)
Bug fixes:
- 1ec5593b8a6c791bce11b8511839b4555c640621 Use DisassociateLifecycleConfig instead of setting name to empty string (#781)
Chores:
- 18ffc8007bec0ce91c684d2765b0f6f0249b4f1a (fix)[CI] - Allow release-assets.githubusercontent.com in harden runner (#782)
- c5a0a89f925557456c097763f126d076ce53d6bf Fix static analysis CI by using actions/setup-go (#785)
v2.29.0
New feature
Notable features
- New attack technique: Elevate to User Access Administrator at Root Scope (Entra ID)
Full changelog
Changelog
- b0616e1433b76a80a26e3ce9eccb5121481785e3 Brew formula update for stratus-red-team version v2.28.0 (#770)
- 7be0afd4a92c10fcddff85c57e95e1f18e709c80 New attack technique: Elevate to User Access Administrator at Root Scope (Entra ID) (#771)
v2.28.0
Maintenance
Minor fixes and improvements.
Full changelog
Changelog
Notable changes:
- 42ac9309149d1e1abbac20b8109bc508f073a00b Move the CLI root command to its own package (#762)
- 579cf000352843ad050e7a83976ca0f45993bc7e Bump terraform version to 1.3.10 (#769). Note: this only impacts the embedded Terraform binary version and shouldn't require any action, including when upgrading your Stratus Red Team version.
Bug/docs fixes:
- cbdb60d103f167c4a83edd1aa7c998ea6b1e067a Fix Azure technique code blocks (#754)
Chores:
- 0916e1c783a7c9b665266d78202426c2db1a601f Brew formula update for stratus-red-team version v2.27.0 (#753)
- 70115ca1845bf1b52d15536f7083c5168c9f846d Bump actions/checkout from 6.0.1 to 6.0.2 (#767)
- c33520969d52a141139f3f6ac45032ddbcb6720d Bump actions/setup-python from 6.1.0 to 6.2.0 (#766)
- 72efc019051bced9f46d4f68bf6f3d584e1bc7b5 Bump docker/login-action from 3.4.0 to 3.7.0 (#765)
- 57e8c20828e4b5438d71df17531efebcb4f75f1b Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 (#768)
- bbaa90dae941ce1b72234e0b9a4c42a2294a5c54 Bump step-security/harden-runner from 2.13.1 to 2.15.0 (#764)
v2.27.0
New feature
Notable features
- Four new GCP attack techniques: multi-zone instance creation, GPU VM creation, stealing default service account token from outside GCP, and enumerating SA permissions.
- Added AGENTS.md documentation and two agent skills: create-attack-technique and test-attack-technique
Full changelog
Changelog
New attack techniques:
- Create GCE instances in multiple zones (GCP) by @christophetd
- Create a GCE GPU virtual machine instance (GCP) by @christophetd
- Steal and use GCE default service account token from outside Google Cloud (GCP) by @christophetd
- Enumerate Permissions of a GCP Service Account (GCP) by @christophetd
Codebase improvements:
- Added AGENTS.md
- Added create-attack-technique agent skill
- Added test-attack-technique
v2.26.0
New feature
Notable features
- Azure Blob Storage ransomware technique using client-managed Key Vault key via Encryption Scope
- GCP technique to register an SSH public key to instance metadata
Full changelog
Changelog
New attack techniques:
- Azure Blob Storage ransomware through Encryption Scope using client-managed Key Vault key (Azure), by @jbfeldman-dd
- Register SSH public key to instance metadata (GCP) by @xathrya
v2.25.0
Maintenance
Minor fixes and improvements.
Full changelog
Changelog
New attack techniques:
- Exfiltrate Azure Storage via public access by @siigil
- Exfiltrate Azure Storage through SAS URL by @siigil
- Delete Azure resource lock by @siigil
v2.24.1
Maintenance
Minor fixes and improvements.
Full changelog
Changelog
Chores:
- ebb6d4b187083a38eb71229e0f0069571af5197c CI: Validate release tags (#738)
- 1d3ff2a9ea978530d27478299dd7ddbfb62df6f0 Merge pull request #735 from DataDog/simon.marechal/release-increase-parallelism
- 023b2e69c2888dc1a1bdf0c697c13198618b79bd [chores] Bump GitHub Actions and Go module dependencies (#736)
- d8dcdf20c6fbc7372931a8d10e3ba0b1ce8e3717 [docker] Bump alpine from 3.22.2 to 3.23.3 (#727)
v2.24.0
Maintenance
Minor fixes and improvements.
Full changelog
Changelog
New attack techniques:
- cf06703b93fc834e36f791cb1b8f04bc50eec886 Azure ransomware via Storage Account Blob deletion (#725) by @jbfeldman-dd
- 1150fa38d9c2330d0456e8b64db03c5a2f84bd77 Execute Commands on SageMaker Notebook Instance via Lifecycle Configuration
(#709) by @gdraperi
Chores:
- CI configuration updates
- Dependencies bumps
v2.23.2
New feature
Notable features
- Adds WaitForInstancesToRegisterInSSM to ec2-enumerate-from-instance technique
Full changelog
Changelog
Chores:
- d5d25aba6f338933911002f186d238bf175d5d3a (chores) Bump library versions
- 039a1c1e49aef688995a3711e7bbdc7646ba7900 Brew formula update for stratus-red-team version v2.23.1 (#638)
- 83d6cdf2ef1f4922e3a08393116e79f0fba04120 Bump actions/setup-python from 5.3.0 to 5.4.0 (#641)
- d33e734da861a9331ba0ae80082beed9c2e82022 Bump actions/upload-artifact from 4.6.0 to 4.6.1 (#639)
- f06d33fdf8c9db76490ce624795913ccea985bb4 Bump actions/upload-artifact from 4.6.1 to 4.6.2 (#665)
- d9178c3c49a30893161fd47f67b1d7aa324e847c Bump alpine from 3.21.2 to 3.21.3 (#645)
- 526166ed497dbf7e4a40907b36821095c6112b86 Bump docker/build-push-action from 6.13.0 to 6.15.0 (#643)
- bf4ee084a3a8f211eb6a19b8048a439f4428c396 Bump docker/login-action from 3.3.0 to 3.4.0 (#668)
- e577bbacb0408dc2e3f6b46c56d6d3a10fe99825 Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 in /v2 (#662)
- 959efe6440f984fa36fb941062dee99b99a2ce40 Bump github/codeql-action from 3.28.10 to 3.28.13 (#667)
- 60a57f1b6cee00f50ca2abdf03829a347df6dc87 Bump github/codeql-action from 3.28.8 to 3.28.10 (#640)
- 1888409712df23b72ee780b7a007a7580bab6f16 Bump golang from 1.23.5-alpine3.20 to 1.24.0-alpine3.20 (#644)
- 4c7a189e855d3f8c25e24491f1cee0299c7013df Bump golang from 1.24.0-alpine3.20 to 1.24.1-alpine3.20 (#670)
- 4af315ff672c7e23370104c6eba78c6ffe9f58de Bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#666)
- efc931b15897e88f0df0cfcf302e8d3327bcf27a Bump step-security/harden-runner from 2.10.4 to 2.11.0 (#642)
- 508060ea768e44296119f070c761b1e885971f4d Update armcompute to v4 to remove indirect dependency on github.com/golang-jwt/jwt (#687)
Enhancements:
- db34471165956856411016dd711c11170f0e343b fix: adds WaitForInstancesToRegisterInSSM to ec2-enumerate-from-instance technique (#664)
Documentation:
- aa4e8d33d92bb9c9667cd7b98997d36ac0dcd103 Coverage matrices: Update styling (#660)
- c1104b70e2ade6efb5d724fa9c376901379b8f7e Autogenerate attack tactics visualization 95 (#613) by @tmendonca28
- a0c41245ad050dfc4a6e78f75c99797e5a652ae2 Remove old attack technique documentation (closes #661)
- cc6aaad406653fbde17e53da7207ba4bbb0c6b63 [docs] Display MITRE ATT&CK tactics in appropriate order (closes #658) (#659)