Generate payloads with state-of-the-art evasion techniques at the click of a few buttons
PE Payload Generator is one of the core tools in the OST arsenal, designed to enable users to create PE-based payloads that can be used for numerous purposes during red team engagements. Red teamers can often be bogged down when having to generate advanced payloads, as it can be time consuming, typically requires specialized malware and EDR bypass knowledge, and introduces chances for OPSEC mistakes. With PE Payload Generator, this process is not only simplified; payloads are also enhanced with expertly researched techniques for anti-forensics and EDR evasion.
Payload Generator Use Cases
Payload Generator is ideal for the following red teaming use cases:
Achieving Initial Access
Infiltrate the target environment with payloads that can be embedded in phishing emails, deployed in malware droppers, hosted on websites for drive by downloads, etc.
Gaining Persistence
Establish and maintain a foothold with payloads to be placed in locations for maintaining persistent access.
Escalating Privileges
Administrative access can be obtained using payloads for escalation techniques such as DLL hijacking or UAC bypass.
Lateral Movement
Use payloads in file formats that can be used for moving laterally to other systems.
Providing a Leg-up
Overcome unexpected obstacles to still achieve engagement objectives using payloads that white team members can plant or execute.
Easy EDR evasion
Quickly create payloads using built-in EDR presets to evade specific EDRs.
The Payload Generator Workflow
Payload Generator follows a simple workflow:
- Select output file type and input payload
- Payload configuration using EDR presets, or
- Payload configuration using manual selection of obfuscation techniques
- Compilation and deployment
1. Payload type selection
Users can configure various parameters of the payloads to tailor them to specific needs and scenarios. This includes:
- Output format – executable files (EXE), control panel applets (CPL), dynamic link libraries (DLL), Excel add-ins (XLL), Word add-ins (WLL), etc.
- Location – the actual payload that is executed; this could be staged (remote), stageless (embedded), a local path, or predefined
2. Payload configuration via EDR Presets
Once file type and location have been determined, users will need to configure their payload. One way to simplify and save time is by using EDR presets.
A preset is a predefined configuration set known to evade a specific EDR. These presets allow red team operators to easily create payloads with a wide range of decoy tricks, binary transformation options, payload transformation options, encryption and compression, process creation techniques, OPSEC tricks, and many more without the need to have detailed EDR bypassing knowledge and experience.
Instead of going through the many, many options manually, users are able to maximize efficiency by pre-selecting specific settings for the rest of Payload Generator that have proven successful for bypassing specific EDRs. These presets do not prevent end users from getting creative and finding novel bypasses.
New presets can also be shared back to the OST community, allowing for quick feedback cycles for all OST red teamers.
3. Payload configuration via manual selection
Obfuscation techniques can also be manually configured. Operators can choose from 40+ different options, including:
- Binary transformation with sleeping or prepended random shellcode
- Injection techniques such as In-process, KernelCallbackTable, Entrypoint Hook, Entrypoint hooker, write hook, Early Cascade, and more
- OPSEC techniques such as Clear PI callback, drip allocations, unhooking techniques, WDEG bypasses, ROP gadgets, etc.
- Guardrails such as forensics detection, domain-joined detection, specific date-time periods for execution, and pinning parameters
- Social engineering tricks for specific output file formats such as popups for Excel files.
- Metadata modification
For a more thorough overview, watch the short demo video.
4. Compilation and Deployment
After the payload is fully configured, it is ready for compilation. Just click the ‘Build’ button and the OST backend provides a structured and OPSEC-safe compilation of the selected payload and options. Now it is up to the red team operator to download the output and deploy it in their operation. This could be as part of a phishing campaign, to serve as persistence, or any other step modern red teamers face.
Benefits of Payload Generator
PE Payload Generator is unlike any other tool on the market, as it offers several unmatched advantages.
Advanced Payloads with Enhanced EDR Evasion
Payload Generator can create complex payloads that can take engagements to the next level by enhancing antivirus and EDR evasion and incorporating robust anti-forensic features. Using research from the Outflank team and user community input, red teamers are equipped with payloads that are harder to detect and analyze, even by the most sophisticated defensive tools.
Integration with Other Tools
Payload Generator is designed to work seamlessly with other tools in the OST suite. For example, Payload Generator can be used in conjunction with Lateral Pack to create payloads for lateral movement techniques like remote code execution. At the same time, an implant generated by Builder or the Outflank C2 implant builder is easily available to select within Payload Generator.
Payloads can easily be deployed through Outflank C2 (formerly Stage1), OST’s custom Command & Control framework. Payload Generator is also ideal for work with Cobalt Strike, increasing the overall evasiveness of payloads and extending the reach of these two tools to further enhance testing efforts. Additionally, Payload Generator can use input payloads of other C2 frameworks used by red teams for maximum flexibility.
Unique Research and Regular Updates
Outflank’s seasoned team of security professionals regularly conducts research and integrates cutting-edge offensive capabilities into Payload Generator. This commitment to innovation allows Payload Generator to deliver payloads with unparalleled stealth and evasion capabilities.
Additionally, evasive configuration sets are frequently identified during red team engagements, so users can also contribute to the ongoing development of Payload Generator. By sharing their discoveries through a secure form available through the user portal, fellow OST community members gain additional operational advantages.
Usability
Payload Generator has an intuitive user interface and extensive documentation available on the portal. This allows all members of a red team to easily generate and deploy advanced payloads without requiring deep technical expertise. Usability is maximized within the interface itself, with explanations available through hover-over tooltips.
Want to Learn More About Payload Generator?
Join one of our live demonstrations to see Payload Generator, and other OST tools, in action.