Outflank Security Tooling (OST) Releases

Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its innovative cloud delivery platform, OST is designed to maintain a steady development pace, with an average release of one-to-two new tools per quarter as well as regular updates to enhance existing tools. This timeline provides an up-to-date record of our ongoing advancements and includes not only new releases and updates, but also other activities that the research team engages in, such as knowledge sharing sessions that discuss tradecraft, evasion, and other relevant topics.

OST RELEASES

2024

New Knowledge Session

Tradecraft

  • Knowledge session on MS defender static detections now available on portal

Updates

  • Overall quality of life improvements & smaller bug fixes

Schedule a demo to learn more >

EarlyCascade Extension and More

EarlyCascade – Extension

  • EarlyCascade injection is now also available in Outflank C2 (formerly Stage1) and ShovelNG

Outflank C2 & PE Payload Generator

  • New options and GUI improvements to allow more operator flexibility

Evasion

  • Added 5 new community contributed EDR presets

Schedule a demo to learn more >

EarlyCascade Injection in Payload Generator

EarlyCascade Injection in Payload Generator

  • Added a novel injection technique called ‘EarlyCascade’

  • Added ‘freeze’ as a new process creation method

  • New ‘Embed in section’ option

  • Relative local paths are now supported

Updates

Schedule a demo to learn more >

BeaconBooster CS 4.10 Compatibility

BeaconBooster CS 4.10 Compatibility

  • Updated Beacon Booster’s Sleep Masks for compatibility with the new version of Cobalt Strike

  • Added address spoofing for Beacon Gate

Schedule a demo to learn more >

Outflank C2: New macOS & Linux implants

Outflank C2: New Name & New Features

  • Native Implants: Tailored for each OS, both implants are written in C/C++/ASM

  • Full Implant Capabilities: Dynamic Execution (BOF/JXA), network tunneling, http & tcp beacons

  • Guardrails & High OPSEC: Our research into macOS & Linux EDR was incorporated in developing the implant

  • In-Phase Builder: Capabilities to generate/transform raw shellcode in various macOS or Linux formats

  • Stage1 has been renamed Outflank C2

Schedule a demo to learn more >

PhisherPrice: OST Attacks the Cloud!

New Tool Release: PhisherPrice

  • This new tool adds to OST capabilities for attacking EntraID device code flow.

Updates

  • Bugfixes

  • Various infrastructure changes

Schedule a demo to learn more >

Updates for Stage1 and Cobalt Strike UDRL

Evasion

  • Windows Defender sandbox detection for Cobalt Strike and Stage 1

Stage1 C2

  • Update for KernelCallbackTables injection and Module Stomping

Web Portal

  • Bugfix

Schedule a demo to learn more >

New EDR Presets & Bugfix

Payload Generator

Stage 1 C2

  • Bugfix

Schedule a demo to learn more >

Updates to C2 Tool Collection and Bugfixes

CreateService BOF

  • New BOF for creating/stopping/deleting services

Updates

  • Small updates for various tools, including WdToggle and In-Phase Builder

Schedule a demo to learn more >

In-Phase Builder – Initial Access to the Max!

New tool in beta: In-Phase Builder

  • This is an incredibly powerful framework for generating and working with file formats and is easily extendible.

  • Each file format transformation has been implemented in the infection chain and optimized for OPSEC.

  • Chains include new tradecraft to decrease the number of warnings/popups a victim will see or change some popups to less scary ones.

  • The tool incorporates our research and full weaponisation of an initial infection file format that has less stringent browser controls and Mark-of-the-Web blocks than most known formats.

    Schedule a demo to learn more >

New SpawnAs and UAC Bypass Features in Stage1

Stage 1

  • Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass

PE Payload Generator, Stage 1, and ShovelNG

New Misc Tools, Relaying Research and Quality of Life Updates

 

EDR Evasion

  • Evasive features ported towards ShovelNG for lateral movement

  • Additions of new EDR presets

Stage1

  • Major performance enhancement of SOCKS

Misc Features and Updates

  • New Keylogger and capability for remote command execution over WSMan

  • Inclusion of new relaying research

  • Updates to several tools to support new Windows versions, features, bugfixes, etc

Schedule a demo to learn more >

Mega EDR Fine Tuning and Bypass Release

 

  • This release is the result of several man-months of research on stealthiness and evasion.

  • OST tools PE Payload Generator, Stage 1 C2, and Lateral Pack’s Shovel NG are now even better equipped to bypass major EDRs as a result of tweaked remote process injection techniques, smarter unhooking, and a new sleep mask.

    Schedule a demo to learn more >

EDR Evasion, Tech Deep Dive, and Bugfix Release

 

  • EDR info has been extended and presets are now available for a total of six major EDRs.

  • A cheat sheet is now available for the “OPSEC tricks for attacking Azure AD with ROADtools” recording.

  • Numerous small bugfixes have been implemented.

Schedule a demo to learn more >

PowerShell Tradecraft and New OPSEC Features

Tool category: PowerShell Tradecraft

  • PSPipeJack: This new tool uses a novel lateral movement technique for abusing tricks in Powershell, bringing back PowerShell for red teamers. It can be used as dedicated tool, both in Stage 1 C2 or in Cobalt Strike.

  • PowerShell support has been added to Stage 1 C2 with obvious security bypasses.

Schedule a demo to learn more >

Tech Deep Dive and new EDR presets

Tech DeepDive Recording

  • Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.

EDR Evasion / Payload generator & documentation

  • Two new PE Payload Generator EDR presets.

Schedule a demo to learn more >

Major Updates for EDR Evasion

 

Updates:

Tool category: EDR Evasion/Payload Generator/Documentation

Payload Generator:Payload generator now provides guidance on configuration options for specific EDRs.

• Documentation enhanced with technical details on evasion, strategies and how to best use OST.

• Minor bugfixes for Stage 1 and EvilClicky

 

Schedule a demo to learn more >

2023

Updates to Hidden Desktop and Stage 1

 

Updates:

Tool category: Out-phase/Exfiltration

Hidden Desktop: Complete rewrite, BOF format and various new functionality

• New feature in Stage 1: Reverse Port Forwarding (Enabling hiddenDesktop via Stage1)

 

Schedule a demo to learn more >

New Exploit Release: Ivanti Secure Access VPN Client

 
 

Tool category: Privilege Escalation/Misc

• Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc

 

Schedule a demo to learn more >

Updates to ShovelNG and Cloud OPSEC Session

 

Updates:

Tool Category: Lateral Movement

• Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC

Knowledge Sharing:

Category: Cloud OPSEC

Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema

Schedule a demo to learn more >

Sleep Mask Additions & New C2 Tools

 

Tool category: Command & Control

•  Stage 1 new configurable Sleep Masks

•  Cobalt Strike Integrations update: New evasive Sleep Mask added

 

Updates:

•  Outflank C2 Tool Collection updates including 3 new tools

•  Extended support for arbitrary .NET projects

 

Schedule a demo to learn more >

 

New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask

 

Tool category: Command & Control

 

Schedule a demo to learn more >

New Tool Release: regcertipy & Updates to Kerneltool

 

Tool category: Internal Recon

•   New tool release: regcertipy – identifying certificate templates via registry updates

 

Updates:

•   Updated Kerneltool with additional supported kernel/OS versions

 

Schedule a demo to learn more >

Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers

 

Release type: Knowledge Sharing

•   Added Tech Deep Dive video on Stage 1 automation
•   Added Tech Deep Dive video on Windows Kernel Drivers

 

Schedule a demo to learn more >

Updates to PE Payload Generator & Cobalt Strike Integration UDRL

 

Release type: Updates

•   PE Payload Generator now has a new loader with favorable OPSEC properties
•   Cobalt Strike Integration UDRL added new loader, and added YARA bypass information

 

Schedule a demo to learn more >

Updates to PE Payload Generator, KernelTool & Kernelkatz

 

Release type: Updates

•   PE Payload Generator now supports .node files
•   KernelTool and Kernelkatz driver change after update of Microsoft Driver Block List
•   KernelTool support for DSE disabling
•   KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support

 

Release type: Knowledge Sharing

•  Added ClockOnce video to Tech DeepDive section

Schedule a demo to learn more >

New tool release: Stage1 v2.4.0

 

Tool category: Command & Control

•  New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements

 

Schedule a demo to learn more >

New tool release: Cobalt Strike Integrations on UDRL

 

Tool category: Command & Control

•   New tool release: Cobalt Strike Integrations on User Defined Reflective Loader

 

Schedule a demo to learn more >

Q2 2023 Update Review

 

Release type: Knowledge Sharing

•  Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023

 

Schedule a demo to learn more >

New Tool Release: EvilClicky – ClickOnce Payload Generator

 

Tool category: Initial Access

 

Schedule a demo to learn more >

New Tool Release: KernelKatz

 

Tool category: Credential dumping

•  New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable krenel driver

 

Schedule a demo to learn more >

New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG

 

Tool category: Credential dumping

•  New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process

Updates:

•  New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)

 

Schedule a demo to learn more >

Updates to Stage 1 & Opsec/Evasion

 

Tool category: Command & Control

Stage 1 new commands & opsec/evasion updates

 

Schedule a demo to learn more >

Session on EDR Evasion & Opsec

 

Release type: Knowledge Sharing

•  Sharing: session on EDR Evasion & Opsec, recording is available in portal

 

Schedule a demo to learn more >

Q1 2023 Update Review

 

Release type: Knowledge Sharing

• Q1 2023 update review, walkthrough of most important additions of OST updates in Q1 2023

 

Schedule a demo to learn more >

New Tool Release: RPC and Registry Tradecraft

 

Tool category: Internal Recon

• New tool release RPC and Registry Tradecraft: collection of scripts related to RPC and Windows Registry trickery

 

Schedule a demo to learn more >

New Tool Release: SideloadTrigger & Updates to Payload Generator, KerberoasAsk

 

Tool category: Privilege Escalation

•  New tool release SideloadTrigger: a BOF used for privesc abusing writeable paths

Updates:

•  Payload Generator now has new loaders and ‘predefined payloads’
•  KerberoasAsk support for pfx files, PasswordSpy

 

Schedule a demo to learn more >

Updates: Various cleanup and smaller bug fixed

 

Release type: Updates

•  Various cleanup and smaller bug fixed

 

Schedule a demo to learn more >

New tool release: Stage1 v2.0.0

 

Tool category: Command & Control

•  New tool release: Stage 1 v2.0.0, a major overhaull of the Stage1 C2 framework

 

 

Schedule a demo to learn more >

Session on latest research ‘The Registry Rundown for Red Teams’

 

Release type: Knowledge Sharing

•   Session on latest research ‘The Registry Rundown for Red Teams’

 

 

Schedule a demo to learn more >

Updates to Payload Generator

 

Release type: Updates

•   Payload Generator now also supports DripMemory & ROP Gadgets for EDR evasion

 

 

Schedule a demo to learn more >

New Tool Release: KernelTool & Updates to KerberosAsk

 

Tool category: Kernel Trickery

•  New tool release KernelTool: EDR blinding by modifying precoss details abusing a vulnerable driver

Updates:

•  KerberosAsk updates allowing for tgtdeleg and S4u

 

Schedule a demo to learn more >

ShovelNG (Lateral Pack) upgraded with new loaders

 

Release type: Updates

•  ShovelNG (Lateral Pack) upgraded with new loaders

 

Schedule a demo to learn more >