Outflank C2

Innovative red teaming. Methodical by design. OpSec hardened. Focused on stealth.

Outflank C2 was created to serve as a lightweight, purpose-built command-and-control (C2) with a focus on a multitude of OPSEC features readily available out of the box, allowing the red team operator to focus on the job not on the compiler.

Back in 2020, Outflank C2 began as Stage1, a lightweight and purpose-built command-and-control (C2) framework, with a focus on emulating advanced threat actor tactics while maintaining a minimal footprint in heavily monitored environments. Over time, the tool evolved into Outflank C2, incorporating more advanced features, providing the technical depth required for complex adversary simulation against hardened targets.

What Sets Outflank C2 Apart

Outflank C2 is designed to address the need for an out-of-the box highly stealthy and operationally secure C2 and offers several distinct operational advantages, including:

Advanced OPSEC Research

Outflank C2 is built on a foundation of cutting-edge, continuous OPSEC research that addresses specific technical challenges faced by red teamers operating against modern defensive solutions.

By incorporating the latest advancements in tradecraft and focusing on evasion techniques, anti-forensics, and bypassing modern defensive mechanisms, operators can remain undetected even in environments with advanced security controls.

Below is a limited list of Outflank C2’s advanced evasion techniques to bypass modern EDR solutions:

  • Direct and indirect code injection
  • Use of hardware breakpoints
  • PI callback clearing
  • ETW blinding (plus BOF and .NET execution)
  • Advanced sleep masking – 7 methods (with more to come) which allow the configuration of sleep method, waiting method, and encryption types
  • Thread Stack Spoofing – multiple methods
  • Advanced options for OPSEC reflective loading such as stomping, exception handlers, and removal of Guard pages
  • Very granular Guardrail configurations to prevent running of payloads on sandboxes and other unwanted systems

All these options are available straight from the OST PORTAL. There’s no need to open an IDE to compile these yourself, which saves precious time during an operation and generally increases efficiency, plus decreases the risk for manual errors and OPSEC mistakes.

Native Implants

Outflank C2 has native implants for Windows, macOS and Linux. These implants are designed with platform-specific considerations in mind, designed to execute directly within the target environment written in OS native C/C++/ASM, i.e. not python or otherwise interpreted.

Outflank C2 has strong multi platform support and cross-platform capability, allowing red teams to maintain consistent operational workflows regardless of the target operating system. Each implant has network tunneling support using SOCKS proxy and portforward / rportforward commands. C2 comm can be both via HTTP(S) and TCP for macOS and Linux, while Windows implants add SMB and file based communications. Implant linking works OS agnostic so each platform can be linked to each other platform. Strong guardrails options line debugger detection, hostname keying and SSL pinning are built-in. Finally, each implant has support for dynamic code execution. Linux implants support ELF Beacon Object Files (BOF) and macOS implants can execute inline JXA while the Windows implant supports the multitude of code execution that you would expect.

TeamServer

The Outflank C2 TeamServer is installed on a Linux host and comes as a set of docker files. Clients connect to the TeamServer via the web browser. Automation of implant and server actions is done via Python and the installation comes with a core set of runbooks that provide examples for several automation tasks such as notification, implant commands, and other automations. More advanced automations can be shared in the OST community amongst other users.

Interoperability

Outflank C2 can work seamlessly with other tools and frameworks, creating a flexible ecosystem that extends across multiple dimensions:

  • Smooth operational workflow: Connects with other Outflank Security Tooling components like PE Payload Generator, Builder and Lateral Pack
  • Multi-Framework Operations: Designed to work alongside other C2 frameworks, allowing operators to leverage Outflank C2 alongside tools like Cobalt Strike
  • Cross-Framework Pivoting: Can load other C2 framework implants (such as Cobalt Strike) while providing sleep mask protection, creating hybrid operational capabilities
  • Beacon Object File Support: BOF loader that can execute existing BOFs without modification.

This interoperability allows red teams to build toolchains that leverage the strengths of multiple frameworks, adapting their approach to the specific requirements of each engagement.

Outflank C2 and Cobalt Strike: Complementary C2s

Differences

Both Cobalt Strike and Outflank C2 operate with distinct philosophies and functionalities, making them complementary rather than competing approaches in red team operations.

Outflank

OST prioritizes an agile approach, emphasizing continuous R&D and providing evasion capabilities out-of-the-box as part of a broader security toolkit. Outflank C2 is one tool within this suite. The Outflank C2 client is merely a web-browser, while it’s server is a Docker deployment.

Supported target platforms for the implants are Windows (mature), as well as macOS and Linux (both as native code, not interpreted). Although macOS and Linux implants are not as feature rich as their Windows counterparts, they do support all basic core functionality, plus proxying and linking – even cross platform.

The entire Outflank Security Tooling toolkit has frequent releases every few weeks, including regular updates to Outflank C2 specifically, in order to incorporate novel features to users as soon as possible. As OC2 implants are generated in the OST portal, updates can be used immediately without requiring to update the teamserver. Teamserver side automation is possible using Python.

Cobalt Strike

In contrast, Cobalt Strike’s sole purpose revolves around offering a battle-tested command and control framework that empowers red teamers to build their own custom tools and evasion techniques atop its mature foundation.

Its Java client, which connects to the team server, is feature rich and allows operators to do everything from the client. Cobalt Strike’s implants offer mature support for Windows and also allows ssh-tunneled Linux implants.

Given its extreme focus on stability and extensibility, Cobalt Strike has less frequent releases, grouping multiple features and improvements into larger releases that occur a few times a year. Automation is done via aggressor scripting, leveraging the many scripts generated by the community over the years.

Why Have Both?

There is a compelling technical case for incorporating both Outflank C2 and Cobalt Strike in sophisticated red team operations:

  • Balanced OPSEC Strengths: Outflank C2 excels in OPSEC out of the box using the latest tricks from the Outflank team, while Cobalt Strike excels in extreme flexibility where you bring your own evasion–the only limit is your own imagination!
  • Enhanced Operational Flexibility: Teams can maintain a high degree of control throughout the engagement, leveraging the strengths of each framework as needed.
  • Framework Interoperability: Outflank C2 can be used to augment Cobalt Strike operations with enhanced evasion. Cobalt Strike can be used to provide in-depth post-exploitation and broad community support after Outflank C2 is used.

By leveraging the unique strengths of both Outflank C2 and Cobalt Strike, red teams can conduct more comprehensive and realistic attack simulations, ultimately providing greater value when assessing and improving an organization’s security resilience.

Want to Learn More About Outflank C2?

Join one of our live demonstrations to see Outflank C2, and other OST tools, in action.

Schedule a Demo