Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its innovative cloud delivery platform, OST is designed to maintain a steady development pace, with an average release of one-to-two new tools per quarter as well as regular updates to enhance existing tools. This timeline provides an up-to-date record of our ongoing advancements and includes not only new releases and updates, but also other activities that the research team engages in, such as knowledge sharing sessions that discuss tradecraft, evasion, and other relevant topics.
OST RELEASES
Cobalt Strike 4.11.1 Support
BeaconBooster
-
Support added for Cobalt Strike 4.11.1
Outflank C2
-
Small bug fixes for Blind ETW on start and in Clipmon from OC2 Async Pack
Schedule a demo to learn more >
Outflank C2: Asynchronous Task Support
Outflank C2
Asynchronous task support
- Though BOFs were previously designed for synchronous operations, operators can now to roll out a network of sensors and stream these events to the C2 server for further processing – all while the implant is sleepmasked
Outflank C2 Async BOF Pack
- This can monitor for various events, with an initial release consisting of four monitoring BOFs:
- Usermon: Monitor and record user login events. Every login is recorded and printed
- Procmon: Monitor for a specific application start
- Clipmon: Monitor the clipboard, recording every new text copy
- Keylogger: Record all entered keystrokes, including key modifiers and special keys
- Usermon: Monitor and record user login events. Every login is recorded and printed
Bugfixes
- Numerous bugfixes and minor improvements for payload generator, Ceaconbooster, languagePanda
Schedule a demo to learn more >
Revamped Portal for OST Docs
OST Portal
-
Users can now add new content and make edits to existing content that will be shared with the OST community
New Documentation Portal
-
Revised structure of documentation
-
Search function and dark mode added
Schedule a demo to learn more >
ShovelNG: Bring Your Own Execution Context (BYOEC)
ShovelNG
-
With Bring your own Execution Context (BYOEC), it is now possible to configure ShovelNG to upload your own .exe to be used as execution context instead of one of the currently available LOLBINS
-
Added 5 pre-configured Execution Contexts
-
Additional execution configurations soon to come
Schedule a demo to learn more >
Configurable Proxy Support for Outflank C2 and Misc Updates
Outflank C2
-
Configurable proxy support has been added for both Windows as well as Linux/macOS implants. The implant will try this configurable option after direct and system/user proxy fails
-
Small bugfixes for BOFs and process creation
PE Payload Generator
-
RC4 encryption has been added and guidance for payload configuration has been updated
-
Small bugfix for EarlyBird/Cascade injection
RoadTune
-
App Store installable apps are now supported.
-
Install commands are not shown for apps by the IME client
-
Improvements for retrieval of user-scoped policies and assignments
KernelTool
-
Improved offset resolving
Schedule a demo to learn more >
Portal Quality of Life Update
Portal
-
This Portal update will bring many small changes to make usage and build flows more convenient, including the introduction of Evil-O-4000, who will now help and guide you, providing:
-
Input validation errors in PE Payload Generator
-
Inconsistencies/warnings between Outflank C2 and PE Payload Generator settings
-
Confirmation of input validation
-
Miscellaneous Bugfixes
-
Fixes for Outflank C2, PE Payload Generator, and EarlyCascade
Schedule a demo to learn more >
Red Team Management Tech DeepDive recording
Red Team Management Tech DeepDive recording
-
Covering the non-technical part of red teaming, this DeepDive covers test plans, reporting, meetings with stakeholders, trust building, planning, and more.
BeaconBooster
- Added compatibility for Cobalt Strike 4.11 release
Schedule a demo to learn more >
OC2: Secure Enclave Sleep Mask, New BOF loader, Guardrail Updates, New AMSI bypass
Outflank C2
-
New Enclave Sleep Mask added
-
New AMSI bypass: Novel data-only bypass
-
New BOF loader: Overhauled for increased flexibility and performance
-
Guardrails: Anti-sandbox guardrails now aligned with Payload Generator to provide same options and protection
PE Payload Generator
-
Cross product configuration checks added
EDR Presets
-
New community contributed EDR preset added
Schedule a demo to learn more >
New Sleep Mask & Updates for Outflank C2, Payload Generator, Portal
BeaconBooster
-
New Enclave Sleep Mask added, based on research by Cedric Van Bockhaven and Matteo Malvica
-
x86 exception handling support added (also added to Outflank C2)
Outflank C2
-
APC dispatcher trickery added
-
Maximum attempt counter added to forwarded messages
PE Payload Generator
-
Input validation box updated to show direct feedback
OST Portal
-
Help icon deeplinks added to navigate directly to the corresponding item in documentation
Schedule a demo to learn more >
New Tech Deep Dive & Preset
Tech Deep Dive
-
Recording of the Secure Enclaves knowledge sharing session added to portal:
– Deep dive into architecture of VBS enclaves
– Full walkthrough demo with practical techniques for existing vulnerable enclave DLLs
EDR Presets
-
New community contributed EDR preset added
Schedule a demo to learn more >
Outflank C2, New Tech Deep Dive, HiddenDesktop
Outflank C2
-
New Sleep Mask options added, ao allowing to configure the sleep thread state
-
Dynamic configuration of macOS implant proxy settings
-
Smaller tuning and bug fixes
Tech Deep Dive
-
Recording of the ROADtune knowledge sharing session added to portal:
– Deep dive into Intune and ROADtune
– Full walkthrough demo of PhisherPrice plus ROADtune
HiddenDesktop
-
Bugfix for uncommon screen resolutions
Schedule a demo to learn more >
Cloudpack, Outflank C2, and EDR Updates
Cloudpack
-
ROADTune bugfix and additions
-
PhisherPrice now supports token resource tokens
-
Extra documentation
Outflank C2 Updates
-
BOF loader is now able to deal with BOFs BeaconPrintf-ing binary buffers from BOFs that aren’t programmed nicely
-
System proxy support for Linux and macOS
-
Several small bug fixes on additional HTTP headers
EDR Updates and Documentation
-
Added 2 new EDR presets
-
Improved OPSEC documentation
Schedule a demo to learn more >
Major OPSEC Update, New Loaders, and Outflank C2 Implant
New Loaders
-
4 new loaders in PE Payload Generator
BIG OPSEC Update
-
Full threat stack spoofing implemented on all system calls in the stagers, implant, and reflective loader
-
EarlyCascade update
-
Windows CET compatibility update
-
EDR finetuning for new EDRs
Outflank C2 Implant Update
-
Improved linked implants for DeepSleep
-
Added automatic user agent detection
-
Implemented extra guardrails
Schedule a demo to learn more >
Evasion Improvements and Bugfix Release
Updates
-
Evasion improvement for PasswordSpy
-
Bugfix for ROADtune Android support
-
Bugfix for lateral movement via Shovel
Schedule a demo to learn more >
Linux and macOS Improvements
New Knowledge Session
-
Released a tech deepdive on macOS and Linux operations with OST
Updates
-
Fully static Linux implant, allowing it to function on a wide range of systems
Schedule a demo to learn more >
Guardrails and Anti-sandboxing
Updates
Improvement on the guardrail requirements to avoid sandbox analysis
Schedule a demo to learn more >
New Tool Release: RoadTune
RoadTune
-
New tool for offensive Intune operations
-
Can emulate multiple device types, fake compliance and retrieve Intune packages for offline analysis
Updates
-
Enhancements to KernelKatz, FakeRansom and evasion presets
Schedule a demo to learn more >
New Knowledge Session
Tradecraft
-
Knowledge session on MS defender static detections now available on portal
Updates
-
Overall quality of life improvements & smaller bug fixes
Schedule a demo to learn more >
EarlyCascade Extension and More
EarlyCascade – Extension
-
EarlyCascade injection is now also available in Outflank C2 (formerly Stage1) and ShovelNG
Outflank C2 & PE Payload Generator
-
New options and GUI improvements to allow more operator flexibility
Evasion
-
Added 5 new community contributed EDR presets
Schedule a demo to learn more >
EarlyCascade Injection in Payload Generator
EarlyCascade Injection in Payload Generator
-
Added a novel injection technique called ‘EarlyCascade’
-
Added ‘freeze’ as a new process creation method
-
New ‘Embed in section’ option
-
Relative local paths are now supported
Updates
-
Bugfixes in Payload Generator, Outflank C2 (formerly Stage1), and in the OST portal
Schedule a demo to learn more >
BeaconBooster CS 4.10 Compatibility
BeaconBooster CS 4.10 Compatibility
-
Updated Beacon Booster’s Sleep Masks for compatibility with the new version of Cobalt Strike
-
Added address spoofing for Beacon Gate
Schedule a demo to learn more >
Outflank C2: New macOS & Linux implants
Outflank C2: New Name & New Features
-
Native Implants: Tailored for each OS, both implants are written in C/C++/ASM
-
Full Implant Capabilities: Dynamic Execution (BOF/JXA), network tunneling, http & tcp beacons
-
Guardrails & High OPSEC: Our research into macOS & Linux EDR was incorporated in developing the implant
-
In-Phase Builder: Capabilities to generate/transform raw shellcode in various macOS or Linux formats
-
Stage1 has been renamed Outflank C2
Schedule a demo to learn more >
PhisherPrice: OST Attacks the Cloud!
New Tool Release: PhisherPrice
-
This new tool adds to OST capabilities for attacking EntraID device code flow.
Updates
-
Bugfixes
-
Various infrastructure changes
Schedule a demo to learn more >
New EDR Presets, (OPSEC) Improvements & Bugfixes
PE Payload Generator:
-
4 New EDR presets (community contributions)
In-Phase Builder
-
Updated .Net shellcode loader as follow-up after the Elsatic Blog
Stage1 C2
-
Update for KernelCallbackTables injection and Module Stomping
-
Bugfixes
BeaconBooster
-
Implemented evasion for Windows Defender Emulator
Schedule a demo to learn more >
Updates to C2 Tool Collection and Bugfixes
CreateService BOF
-
New BOF for creating/stopping/deleting services
Updates
-
Small updates for various tools, including WdToggle and In-Phase Builder
Schedule a demo to learn more >
In-Phase Builder – Initial Access to the Max!
New tool in beta: In-Phase Builder
-
This is an incredibly powerful framework for generating and working with file formats and is easily extendible.
-
Each file format transformation has been implemented in the infection chain and optimized for OPSEC.
-
Chains include new tradecraft to decrease the number of warnings/popups a victim will see or change some popups to less scary ones.
-
The tool incorporates our research and full weaponisation of an initial infection file format that has less stringent browser controls and Mark-of-the-Web blocks than most known formats.
Schedule a demo to learn more >
New SpawnAs and UAC Bypass Features in Stage1
Stage 1
-
Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass
PE Payload Generator, Stage 1, and ShovelNG
-
Various quality of life updates
-
Enhanced OPSEC: Evading EDR emulation
Schedule a demo to learn more >
New Misc Tools, Relaying Research and Quality of Life Updates
EDR Evasion
-
Evasive features ported towards ShovelNG for lateral movement
-
Additions of new EDR presets
Stage1
-
Major performance enhancement of SOCKS
Misc Features and Updates
-
New Keylogger and capability for remote command execution over WSMan
-
Inclusion of new relaying research
-
Updates to several tools to support new Windows versions, features, bugfixes, etc
Schedule a demo to learn more >
Mega EDR Fine Tuning and Bypass Release
-
This release is the result of several man-months of research on stealthiness and evasion.
-
OST tools PE Payload Generator, Stage 1 C2, and Lateral Pack’s Shovel NG are now even better equipped to bypass major EDRs as a result of tweaked remote process injection techniques, smarter unhooking, and a new sleep mask.
Schedule a demo to learn more >
EDR Evasion, Tech Deep Dive, and Bugfix Release
-
EDR info has been extended and presets are now available for a total of six major EDRs.
-
A cheat sheet is now available for the “OPSEC tricks for attacking Azure AD with ROADtools” recording.
-
Numerous small bugfixes have been implemented.
Schedule a demo to learn more >
PowerShell Tradecraft and New OPSEC Features
Tool category: PowerShell Tradecraft
-
PSPipeJack: This new tool uses a novel lateral movement technique for abusing tricks in Powershell, bringing back PowerShell for red teamers. It can be used as dedicated tool, both in Stage 1 C2 or in Cobalt Strike.
-
PowerShell support has been added to Stage 1 C2 with obvious security bypasses.
Schedule a demo to learn more >
Tech Deep Dive and new EDR presets
Tech DeepDive Recording
-
Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.
EDR Evasion / Payload generator & documentation
-
Two new PE Payload Generator EDR presets.
Schedule a demo to learn more >
Major Updates for EDR Evasion
Updates:
Tool category: EDR Evasion/Payload Generator/Documentation
• Payload Generator:Payload generator now provides guidance on configuration options for specific EDRs.
• Documentation enhanced with technical details on evasion, strategies and how to best use OST.
• Minor bugfixes for Stage 1 and EvilClicky
Schedule a demo to learn more >
Updates to Hidden Desktop and Stage 1
Updates:
Tool category: Out-phase/Exfiltration
• Hidden Desktop: Complete rewrite, BOF format and various new functionality
• New feature in Stage 1: Reverse Port Forwarding (Enabling hiddenDesktop via Stage1)
Schedule a demo to learn more >
New Exploit Release: Ivanti Secure Access VPN Client
Tool category: Privilege Escalation/Misc
• Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc
Schedule a demo to learn more >
Updates to ShovelNG and Cloud OPSEC Session
Updates:
Tool Category: Lateral Movement
• Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC
Knowledge Sharing:
Category: Cloud OPSEC
• Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema
Schedule a demo to learn more >
Sleep Mask Additions & New C2 Tools
Tool category: Command & Control
• Stage 1 new configurable Sleep Masks
• Cobalt Strike Integrations update: New evasive Sleep Mask added
Updates:
• Outflank C2 Tool Collection updates including 3 new tools
• Extended support for arbitrary .NET projects
Schedule a demo to learn more >
New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask
New Tool Release: regcertipy & Updates to Kerneltool
Tool category: Internal Recon
• New tool release: regcertipy – identifying certificate templates via registry updates
Updates:
• Updated Kerneltool with additional supported kernel/OS versions
Schedule a demo to learn more >
Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers
Release type: Knowledge Sharing
• Added Tech Deep Dive video on Stage 1 automation
• Added Tech Deep Dive video on Windows Kernel Drivers
Schedule a demo to learn more >
Updates to PE Payload Generator & Cobalt Strike Integration UDRL
Release type: Updates
• PE Payload Generator now has a new loader with favorable OPSEC properties
• Cobalt Strike Integration UDRL added new loader, and added YARA bypass information
Schedule a demo to learn more >
Updates to PE Payload Generator, KernelTool & Kernelkatz
Release type: Updates
• PE Payload Generator now supports .node files
• KernelTool and Kernelkatz driver change after update of Microsoft Driver Block List
• KernelTool support for DSE disabling
• KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support
Release type: Knowledge Sharing
• Added ClockOnce video to Tech DeepDive section
Schedule a demo to learn more >
New tool release: Stage1 v2.4.0
Tool category: Command & Control
• New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements
Schedule a demo to learn more >
New tool release: Cobalt Strike Integrations on UDRL
Tool category: Command & Control
• New tool release: Cobalt Strike Integrations on User Defined Reflective Loader
Schedule a demo to learn more >
Q2 2023 Update Review
Release type: Knowledge Sharing
• Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023
Schedule a demo to learn more >
New Tool Release: EvilClicky – ClickOnce Payload Generator
New Tool Release: KernelKatz
Tool category: Credential dumping
• New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable krenel driver
Schedule a demo to learn more >
New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG
Tool category: Credential dumping
• New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process
Updates:
• New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)
Schedule a demo to learn more >
Updates to Stage 1 & Opsec/Evasion
Tool category: Command & Control
• Stage 1 new commands & opsec/evasion updates
Schedule a demo to learn more >
Session on EDR Evasion & Opsec
Release type: Knowledge Sharing
• Sharing: session on EDR Evasion & Opsec, recording is available in portal