Outflank Security Tooling (OST) Releases

Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its innovative cloud delivery platform, OST is designed to maintain a steady development pace, with an average release of one-to-two new tools per quarter as well as regular updates to enhance existing tools. This timeline provides an up-to-date record of our ongoing advancements and includes not only new releases and updates, but also other activities that the research team engages in, such as knowledge sharing sessions that discuss tradecraft, evasion, and other relevant topics.

OST RELEASES

2025
June 4, 2025
CredentialPack: New HiveDump BOF

Read More

June 4, 2025

CredentialPack: New HiveDump BOF

CredentialPack:

  • HiveDump: New registry hive dumping tool that manually reads and parses the registry.

KernelKatz:

  • Added MSV support for Windows 24H2 and updated static offsets.

  • Bugfix for out-of-bounds reads on specific Windows versions.

Schedule a demo to learn more >

May 12, 2025
Cobalt Strike 4.11.1 Support

Read More

May 12, 2025

Cobalt Strike 4.11.1 Support

BeaconBooster

  • Support added for Cobalt Strike 4.11.1

Outflank C2

  • Small bug fixes for Blind ETW on start and in Clipmon from OC2 Async Pack

Schedule a demo to learn more >

May 1, 2025
Outflank C2: Asynchronous Task Support

Read More

May 1, 2025

Outflank C2: Asynchronous Task Support

Outflank C2

Asynchronous task support

  • Though BOFs were previously designed for synchronous operations, operators can now to roll out a network of sensors and stream these events to the C2 server for further processing – all while the implant is sleepmasked

 

Outflank C2 Async BOF Pack

  • This can monitor for various events, with an initial release consisting of four monitoring BOFs:
  • Usermon: Monitor and record user login events. Every login is recorded and printed
  • Procmon: Monitor for a specific application start
  • Clipmon: Monitor the clipboard, recording every new text copy
  • Keylogger: Record all entered keystrokes, including key modifiers and special keys
  • Usermon: Monitor and record user login events. Every login is recorded and printed

 

Bugfixes

  • Numerous bugfixes and minor improvements for payload generator, Ceaconbooster, languagePanda

Schedule a demo to learn more >

April 30, 2025
Revamped Portal for OST Docs

Read More

April 30, 2025

Revamped Portal for OST Docs

OST Portal

  • Users can now add new content and make edits to existing content that will be shared with the OST community

New Documentation Portal

  • Revised structure of documentation

  • Search function and dark mode added

Schedule a demo to learn more >

April 17, 2025
ShovelNG: Bring Your Own Execution Context (BYOEC)

Read More

April 17, 2025

ShovelNG: Bring Your Own Execution Context (BYOEC)

ShovelNG

  • With Bring your own Execution Context (BYOEC), it is now possible to configure ShovelNG to upload your own .exe to be used as execution context instead of one of the currently available LOLBINS

  • Added 5 pre-configured Execution Contexts

  • Additional execution configurations soon to come

Schedule a demo to learn more >

April 9, 2025
Configurable Proxy Support for Outflank C2 and Misc Updates

Read More

April 9, 2025

Configurable Proxy Support for Outflank C2 and Misc Updates

Outflank C2

  • Configurable proxy support has been added for both Windows as well as Linux/macOS implants. The implant will try this configurable option after direct and system/user proxy fails

  • Small bugfixes for BOFs and process creation

PE Payload Generator

  • RC4 encryption has been added and guidance for payload configuration has been updated

  • Small bugfix for EarlyBird/Cascade injection

RoadTune

  • App Store installable apps are now supported.

  • Install commands are not shown for apps by the IME client

  • Improvements for retrieval of user-scoped policies and assignments

KernelTool

  • Improved offset resolving

Schedule a demo to learn more >

March 26, 2025
Portal Quality of Life Update

Read More

March 26, 2025

Portal Quality of Life Update

Portal

  • This Portal update will bring many small changes to make usage and build flows more convenient, including the introduction of Evil-O-4000, who will now help and guide you, providing:

    • Input validation errors in PE Payload Generator

    • Inconsistencies/warnings between Outflank C2 and PE Payload Generator settings

    • Confirmation of input validation

Miscellaneous Bugfixes

  • Fixes for Outflank C2, PE Payload Generator, and EarlyCascade

Schedule a demo to learn more >

March 17, 2025
Red Team Management Tech DeepDive recording

Read More

March 17, 2025

Red Team Management Tech DeepDive recording

Red Team Management Tech DeepDive recording

  • Covering the non-technical part of red teaming, this DeepDive covers test plans, reporting, meetings with stakeholders, trust building, planning, and more.

BeaconBooster

  • Added compatibility for Cobalt Strike 4.11 release

 

 

Schedule a demo to learn more >

March 5, 2025
OC2: Secure Enclave Sleep Mask, New BOF loader, Guardrail Updates, New AMSI bypass

Read More

March 5, 2025

OC2: Secure Enclave Sleep Mask, New BOF loader, Guardrail Updates, New AMSI bypass

Outflank C2

  • New Enclave Sleep Mask added

  • New AMSI bypass: Novel data-only bypass

  • New BOF loader: Overhauled for increased flexibility and performance

  • Guardrails: Anti-sandbox guardrails now aligned with Payload Generator to provide same options and protection

PE Payload Generator

  • Cross product configuration checks added

EDR Presets

  • New community contributed EDR preset added

Schedule a demo to learn more >

February 20, 2025
New Sleep Mask & Updates for Outflank C2, Payload Generator, Portal

Read More

February 20, 2025

New Sleep Mask & Updates for Outflank C2, Payload Generator, Portal

BeaconBooster

  • New Enclave Sleep Mask added, based on research by Cedric Van Bockhaven and Matteo Malvica

  • x86 exception handling support added (also added to Outflank C2)

Outflank C2

  • APC dispatcher trickery added

  •  Maximum attempt counter added to forwarded messages

PE Payload Generator

  • Input validation box updated to show direct feedback

OST Portal

  • Help icon deeplinks added to navigate directly to the corresponding item in documentation

Schedule a demo to learn more >

January 30, 2025
New Tech Deep Dive & Preset

Read More

January 30, 2025

New Tech Deep Dive & Preset

Tech Deep Dive

  • Recording of the Secure Enclaves knowledge sharing session added to portal:

                – Deep dive into architecture of VBS enclaves

                – Full walkthrough demo with practical techniques for existing vulnerable enclave DLLs

EDR Presets

  • New community contributed EDR preset added

Schedule a demo to learn more >

January 15, 2025
Outflank C2, New Tech Deep Dive, HiddenDesktop

Read More

January 15, 2025

Outflank C2, New Tech Deep Dive, HiddenDesktop

Outflank C2

  • New Sleep Mask options added, ao allowing to configure the sleep thread state

  • Dynamic configuration of macOS implant proxy settings

  • Smaller tuning and bug fixes

Tech Deep Dive

  • Recording of the ROADtune knowledge sharing session added to portal:

                – Deep dive into Intune and ROADtune

                – Full walkthrough demo of PhisherPrice plus ROADtune

HiddenDesktop

  • Bugfix for uncommon screen resolutions

Schedule a demo to learn more >

2024
December 18, 2024
Cloudpack, Outflank C2, and EDR Updates

Read More

December 18, 2024

Cloudpack, Outflank C2, and EDR Updates

Cloudpack

  • ROADTune bugfix and additions

  • PhisherPrice now supports token resource tokens

  • Extra documentation

Outflank C2 Updates

  • BOF loader is now able to deal with BOFs BeaconPrintf-ing binary buffers from BOFs that aren’t programmed nicely

  • System proxy support for Linux and macOS

  • Several small bug fixes on additional HTTP headers

EDR Updates and Documentation

  • Added 2 new EDR presets

  • Improved OPSEC documentation

Schedule a demo to learn more >

December 4, 2024
Major OPSEC Update, New Loaders, and Outflank C2 Implant

Read More

December 4, 2024

Major OPSEC Update, New Loaders, and Outflank C2 Implant

New Loaders

BIG OPSEC Update

  • Full threat stack spoofing implemented on all system calls in the stagers, implant, and reflective loader

  • EarlyCascade update

  • Windows CET compatibility update

  • EDR finetuning for new EDRs

Outflank C2 Implant Update

  • Improved linked implants for DeepSleep

  • Added automatic user agent detection

  • Implemented extra guardrails

Schedule a demo to learn more >

November 20, 2024
Evasion Improvements and Bugfix Release

Read More

November 20, 2024

Evasion Improvements and Bugfix Release

Updates

  • Evasion improvement for PasswordSpy

  • Bugfix for ROADtune Android support

  • Bugfix for lateral movement via Shovel

Schedule a demo to learn more >

November 14, 2024
Linux and macOS Improvements

Read More

November 14, 2024

Linux and macOS Improvements

New Knowledge Session

  • Released a tech deepdive on macOS and Linux operations with OST

Updates

November 6, 2024
Guardrails and Anti-sandboxing

Read More

November 6, 2024

Guardrails and Anti-sandboxing

Updates

  • Improvement on the guardrail requirements to avoid sandbox analysis

Schedule a demo to learn more >

October 31, 2024
New Tool Release: RoadTune

Read More

October 31, 2024

New Tool Release: RoadTune

RoadTune

  • New tool for offensive Intune operations

  • Can emulate multiple device types, fake compliance and retrieve Intune packages for offline analysis

Updates

  • Enhancements to KernelKatz, FakeRansom and evasion presets

Schedule a demo to learn more >

October 9, 2024
New Knowledge Session

Read More

October 9, 2024

New Knowledge Session

Tradecraft

  • Knowledge session on MS defender static detections now available on portal

Updates

  • Overall quality of life improvements & smaller bug fixes

Schedule a demo to learn more >

September 25, 2024
EarlyCascade Extension and More

Read More

September 25, 2024

EarlyCascade Extension and More

EarlyCascade – Extension

  • EarlyCascade injection is now also available in Outflank C2 (formerly Stage1) and ShovelNG

Outflank C2 & PE Payload Generator

  • New options and GUI improvements to allow more operator flexibility

Evasion

  • Added 5 new community contributed EDR presets

Schedule a demo to learn more >

September 11, 2024
EarlyCascade Injection in Payload Generator

Read More

September 11, 2024

EarlyCascade Injection in Payload Generator

EarlyCascade Injection in Payload Generator

  • Added a novel injection technique called ‘EarlyCascade’

  • Added ‘freeze’ as a new process creation method

  • New ‘Embed in section’ option

  • Relative local paths are now supported

Updates

Schedule a demo to learn more >

August 19, 2024
BeaconBooster CS 4.10 Compatibility

Read More

August 19, 2024

BeaconBooster CS 4.10 Compatibility

BeaconBooster CS 4.10 Compatibility

  • Updated Beacon Booster’s Sleep Masks for compatibility with the new version of Cobalt Strike

  • Added address spoofing for Beacon Gate

Schedule a demo to learn more >

August 15, 2024
Outflank C2: New macOS & Linux implants

Read More

August 15, 2024

Outflank C2: New macOS & Linux implants

Outflank C2: New Name & New Features

  • Native Implants: Tailored for each OS, both implants are written in C/C++/ASM

  • Full Implant Capabilities: Dynamic Execution (BOF/JXA), network tunneling, http & tcp beacons

  • Guardrails & High OPSEC: Our research into macOS & Linux EDR was incorporated in developing the implant

  • In-Phase Builder: Capabilities to generate/transform raw shellcode in various macOS or Linux formats

  • Stage1 has been renamed Outflank C2

Schedule a demo to learn more >

July 24, 2024
PhisherPrice: OST Attacks the Cloud!

Read More

July 24, 2024

PhisherPrice: OST Attacks the Cloud!

New Tool Release: PhisherPrice

  • This new tool adds to OST capabilities for attacking EntraID device code flow.

Updates

  • Bugfixes

  • Various infrastructure changes

Schedule a demo to learn more >

July 2, 2024
New EDR Presets, (OPSEC) Improvements & Bugfixes

Read More

July 2, 2024

New EDR Presets, (OPSEC) Improvements & Bugfixes

PE Payload Generator:

In-Phase Builder

  • Updated .Net shellcode loader as follow-up after the Elsatic Blog

Stage1 C2

  • Update for KernelCallbackTables injection and Module Stomping

  • Bugfixes

BeaconBooster

  • Implemented evasion for Windows Defender Emulator

 

 

Schedule a demo to learn more >

June 11, 2024
Updates to C2 Tool Collection and Bugfixes

Read More

June 11, 2024

Updates to C2 Tool Collection and Bugfixes

CreateService BOF

  • New BOF for creating/stopping/deleting services

Updates

  • Small updates for various tools, including WdToggle and In-Phase Builder

Schedule a demo to learn more >

May 23, 2024
In-Phase Builder – Initial Access to the Max!

Read More

May 23, 2024

In-Phase Builder – Initial Access to the Max!

New tool in beta: In-Phase Builder

  • This is an incredibly powerful framework for generating and working with file formats and is easily extendible.

  • Each file format transformation has been implemented in the infection chain and optimized for OPSEC.

  • Chains include new tradecraft to decrease the number of warnings/popups a victim will see or change some popups to less scary ones.

  • The tool incorporates our research and full weaponisation of an initial infection file format that has less stringent browser controls and Mark-of-the-Web blocks than most known formats.

    Schedule a demo to learn more >

May 8, 2024
New SpawnAs and UAC Bypass Features in Stage1

Read More

May 8, 2024

New SpawnAs and UAC Bypass Features in Stage1

Stage 1

  • Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass

PE Payload Generator, Stage 1, and ShovelNG

April 11, 2024
New Misc Tools, Relaying Research and Quality of Life Updates

Read More

April 11, 2024

New Misc Tools, Relaying Research and Quality of Life Updates

 

EDR Evasion

  • Evasive features ported towards ShovelNG for lateral movement

  • Additions of new EDR presets

Stage1

  • Major performance enhancement of SOCKS

Misc Features and Updates

  • New Keylogger and capability for remote command execution over WSMan

  • Inclusion of new relaying research

  • Updates to several tools to support new Windows versions, features, bugfixes, etc

Schedule a demo to learn more >

March 20, 2024
Mega EDR Fine Tuning and Bypass Release

Read More

March 20, 2024

Mega EDR Fine Tuning and Bypass Release

 

  • This release is the result of several man-months of research on stealthiness and evasion.

  • OST tools PE Payload Generator, Stage 1 C2, and Lateral Pack’s Shovel NG are now even better equipped to bypass major EDRs as a result of tweaked remote process injection techniques, smarter unhooking, and a new sleep mask.

    Schedule a demo to learn more >

March 7, 2024
EDR Evasion, Tech Deep Dive, and Bugfix Release

Read More

March 7, 2024

EDR Evasion, Tech Deep Dive, and Bugfix Release

 

  • EDR info has been extended and presets are now available for a total of six major EDRs.

  • A cheat sheet is now available for the “OPSEC tricks for attacking Azure AD with ROADtools” recording.

  • Numerous small bugfixes have been implemented.

Schedule a demo to learn more >

February 19, 2024
PowerShell Tradecraft and New OPSEC Features

Read More

February 19, 2024

PowerShell Tradecraft and New OPSEC Features

Tool category: PowerShell Tradecraft

  • PSPipeJack: This new tool uses a novel lateral movement technique for abusing tricks in Powershell, bringing back PowerShell for red teamers. It can be used as dedicated tool, both in Stage 1 C2 or in Cobalt Strike.

  • PowerShell support has been added to Stage 1 C2 with obvious security bypasses.

Schedule a demo to learn more >

January 31, 2024
Tech Deep Dive and new EDR presets

Read More

January 31, 2024

Tech Deep Dive and new EDR presets

Tech DeepDive Recording

  • Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.

EDR Evasion / Payload generator & documentation

  • Two new PE Payload Generator EDR presets.

Schedule a demo to learn more >

January 17, 2024
Major Updates for EDR Evasion

Read More

January 17, 2024

Major Updates for EDR Evasion

 

Updates:

Tool category: EDR Evasion/Payload Generator/Documentation

Payload Generator:Payload generator now provides guidance on configuration options for specific EDRs.

• Documentation enhanced with technical details on evasion, strategies and how to best use OST.

• Minor bugfixes for Stage 1 and EvilClicky

 

Schedule a demo to learn more >

2023
December 20, 2023
Updates to Hidden Desktop and Stage 1

Read More

December 20, 2023

Updates to Hidden Desktop and Stage 1

 

Updates:

Tool category: Out-phase/Exfiltration

Hidden Desktop: Complete rewrite, BOF format and various new functionality

• New feature in Stage 1: Reverse Port Forwarding (Enabling hiddenDesktop via Stage1)

 

Schedule a demo to learn more >

December 11, 2023
New Exploit Release: Ivanti Secure Access VPN Client

Read More

December 11, 2023

New Exploit Release: Ivanti Secure Access VPN Client

 
 

Tool category: Privilege Escalation/Misc

• Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc

 

Schedule a demo to learn more >

November 29, 2023
Updates to ShovelNG and Cloud OPSEC Session

Read More

November 29, 2023

Updates to ShovelNG and Cloud OPSEC Session

 

Updates:

Tool Category: Lateral Movement

• Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC

Knowledge Sharing:

Category: Cloud OPSEC

Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema

Schedule a demo to learn more >

November 8, 2023
Sleep Mask Additions & New C2 Tools

Read More

November 8, 2023

Sleep Mask Additions & New C2 Tools

 

Tool category: Command & Control

•  Stage 1 new configurable Sleep Masks

•  Cobalt Strike Integrations update: New evasive Sleep Mask added

 

Updates:

•  Outflank C2 Tool Collection updates including 3 new tools

•  Extended support for arbitrary .NET projects

 

Schedule a demo to learn more >

 

October 10, 2023
New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask

Read More

October 10, 2023

New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask

 

Tool category: Command & Control

 

Schedule a demo to learn more >

October 3, 2023
New Tool Release: regcertipy & Updates to Kerneltool

Read More

October 3, 2023

New Tool Release: regcertipy & Updates to Kerneltool

 

Tool category: Internal Recon

•   New tool release: regcertipy – identifying certificate templates via registry updates

 

Updates:

•   Updated Kerneltool with additional supported kernel/OS versions

 

Schedule a demo to learn more >

September 6, 2023
Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers

Read More

September 6, 2023

Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers

 

Release type: Knowledge Sharing

•   Added Tech Deep Dive video on Stage 1 automation
•   Added Tech Deep Dive video on Windows Kernel Drivers

 

Schedule a demo to learn more >

August 16, 2023
Updates to PE Payload Generator & Cobalt Strike Integration UDRL

Read More

August 16, 2023

Updates to PE Payload Generator & Cobalt Strike Integration UDRL

 

Release type: Updates

•   PE Payload Generator now has a new loader with favorable OPSEC properties
•   Cobalt Strike Integration UDRL added new loader, and added YARA bypass information

 

Schedule a demo to learn more >

July 26, 2023
Updates to PE Payload Generator, KernelTool & Kernelkatz

Read More

July 26, 2023

Updates to PE Payload Generator, KernelTool & Kernelkatz

 

Release type: Updates

•   PE Payload Generator now supports .node files
•   KernelTool and Kernelkatz driver change after update of Microsoft Driver Block List
•   KernelTool support for DSE disabling
•   KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support

 

Release type: Knowledge Sharing

•  Added ClockOnce video to Tech DeepDive section

Schedule a demo to learn more >

July 19, 2023
New tool release: Stage1 v2.4.0

Read More

July 19, 2023

New tool release: Stage1 v2.4.0

 

Tool category: Command & Control

•  New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements

 

Schedule a demo to learn more >

July 5, 2023
New tool release: Cobalt Strike Integrations on UDRL

Read More

July 5, 2023

New tool release: Cobalt Strike Integrations on UDRL

 

Tool category: Command & Control

•   New tool release: Cobalt Strike Integrations on User Defined Reflective Loader

 

Schedule a demo to learn more >

June 26, 2023
Q2 2023 Update Review

Read More

June 26, 2023

Q2 2023 Update Review

 

Release type: Knowledge Sharing

•  Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023

 

Schedule a demo to learn more >

June 21, 2023
New Tool Release: EvilClicky – ClickOnce Payload Generator

Read More

June 21, 2023

New Tool Release: EvilClicky – ClickOnce Payload Generator

 

Tool category: Initial Access

 

Schedule a demo to learn more >

May 10, 2023
New Tool Release: KernelKatz

Read More

May 10, 2023

New Tool Release: KernelKatz

 

Tool category: Credential dumping

•  New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable krenel driver

 

Schedule a demo to learn more >

April 26, 2023
New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG

Read More

April 26, 2023

New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG

 

Tool category: Credential dumping

•  New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process

Updates:

•  New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)

 

Schedule a demo to learn more >

April 12, 2023
Updates to Stage 1 & Opsec/Evasion

Read More

April 12, 2023

Updates to Stage 1 & Opsec/Evasion

 

Tool category: Command & Control

Stage 1 new commands & opsec/evasion updates

 

Schedule a demo to learn more >