As 2024 nears its end, we feel it is a great time to look back at what we achieved in 2024.
TLDR: No one would call this a quiet year for Outflank.
OST Releases: New Tools and Major Releases
22 releases! We managed to put out 22 releases of OST in 2024.
Rapid development remains a cornerstone of OST and has allowed us to match the pace of the evolving threat landscape and deliver cutting-edge tools and capabilities. We have a release note tracker covering every release, but highlights include:
EDR Presets
With EDRs becoming more powerful, and bypasses requiring more EDR-specific tricks, it was becoming hard to keep track of the countless options OST operators have for evasion of those EDRs. Our solution: EDR presets. A preset is a predefined configuration set that uses multiple evasion techniques and has been proven to bypass specific EDRs at a given point in time. Though they only debuted this year, presets are already a key feature of PE Payload Generator.
Though presets dramatically increase efficiency, they do have a limited shelf life. While the Outflank team updates and maintains the library of effective presets, we decided that this new feature also provided an opportunity for collaboration with our user community. This has quickly proven fruitful—we have already received 23 EDR bypass presets from community members! More details about this introduction can be found in our blog post, and presets can be seen in action in a short demo video we created.
Outflank C2
With its evolution from an initial access tool to a full-featured C2 framework, we decided it was time to rebrand our C2 framework, Stage 1, to Outflank C2. With this rebrand came exciting new capabilities. Most notably, full native support for Windows, macOS and Linux implants, full linking, and SOCKS proxying capabilities were added, making Outflank C2 impressively versatile. More info can be found in our release blog introducing Outflank C2, and it can be seen in action in a short demo video.
In-Phase Builder
In-Phase Builder is an easily extendible tool that allows operators to create script-based payloads for initial access. Each transformation in the infection chain has been carefully optimized for OPSEC and incorporates tradecraft that reduces victim-facing warnings or converts them to less alarming notifications.
This tool also includes our fully weaponized research into an initial infection file format that faces fewer browser restrictions and Mark-of-the-Web controls compared to conventional formats.
PhisherPrice
PhisherPrice is more than just an awesome pun—this handy tool helps with performing Azure Device Code Flow phishing. Minimal setup is required to self-host a convincing phishing website and capture those Azure authentication tokens, allowing another way to gain initial access to your target organisation.
ROADtune
The Outflank team worked with Dirk-jan Mollema of Outsider Security to create this new tool for offensive Intune operations. This tool is exclusive to OST customers.
ROADtune abuses insecurities in Microsoft Intune that are not publicly known, with the goal of getting into a target network. A full attack chain with ROADtune allows operators to enroll a fake compliant device into a target’s Intune environment and download applications pushed to compliant devices. Red teamers can then analyse those applications and use them to progress the attack. For example, you could use a pushed VPN application to gain access to the network, gather and abuse credentials stored in those applications, etc.
OPSEC Improvements
Lastly, we made numerous OPSEC improvements this year, including new loaders, new injection techniques, new droppers, and new guardrails. Basically, too many and too private to mention in detail here. However, we did publish one specific case publicly: the Early Cascade Injection technique we blogged about, which was subsequently picked up by other researchers here and here. This is a stealthy technique that effectively evades even top-tier EDRs. That is, obviously, until the EDR vendors play catch-up again. We hope you can make the most of this public research while it lasts…
Tradecraft
In addition to tooling, a fundamental pillar of OST is tradecraft. OST users have access to exclusive technical deep dives that demonstrate effective tool usage within OST and deliver broader operational guidance. This year’s topics included:
- EDR Tradecraft & Presets
- PowerShell Tradecraft
- Microsoft Defender Static Signature Detection
- macOS and Linux operations with OST
- ROADtune
Global Knowledge Sharing
Outflank has always been dedicated to advancing the red team community through various knowledge sharing initiatives. We started the year off with a bang with a free training on Microsoft Office offensive tradecraft. We were aiming for 100 registrants—and ended up getting over 1000 in just 48 hours.
For the rest of the year, team members traveled the globe to present at different conferences, including: x33fcon, Black Hat US, Troopers, Ekoparty, Sikkerhetsfestivalen, OrangeCon, TIBER EU provider conference, BSides Austin, Beacon, and OffensiveX Greece.
We also ran RedTreat for the third year in a row together with MDSec. This closed-group red teaming conference has become a trusted environment where red teamers can openly discuss sensitive offensive techniques, share detailed tradecraft, and explore cutting-edge methodologies. Naturally, we will not share what was discussed there 😉.
Lastly, while it may not technically be knowledge sharing, Outflank did co-sponsor the InfoSec Kart Cup. This event not only allowed us to put our racing skills to the test, it was also a great chance to network with fellow InfoSec professionals. A 2025 edition is currently planned. More news on this will be coming soon 🏎️.
Red Team Engagements
While Outflank has shifted to a more product-oriented focus, we also conducted both TIBER and non-TIBER red team engagements in 2024. We remain passionate red teamers at our core, and this allows us to flex and strengthen our offensive muscles through ongoing operations and also sparks numerous new research and tool ideas. Throughout these engagements, we utilize OST, which began as our personal red team toolset. This has created a powerful feedback loop where our field experience directly informs product development, and new capabilities are battle-tested in actual operations.
2024 has been a transformative year for Outflank, marked by significant evolution in our tooling and capabilities. As we look to 2025, we’re eager to build on this momentum, explore new approaches, and deliver more tools that support and simplify red team operations.
If you’re interested in seeing all of the diverse offerings in OST mentioned in this blog, we recommend scheduling an expert-led demo.