Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its innovative cloud delivery platform, OST is designed to maintain a steady development pace, with an average release of one-to-two new tools per quarter as well as regular updates to enhance existing tools. This timeline provides an up-to-date record of our ongoing advancements and includes not only new releases and updates, but also other activities that the research team engages in, such as knowledge sharing sessions that discuss tradecraft, evasion, and other relevant topics.
OST RELEASES
New Knowledge Session
Tradecraft
-
Knowledge session on MS defender static detections now available on portal
Updates
-
Overall quality of life improvements & smaller bug fixes
Schedule a demo to learn more >
EarlyCascade Extension and More
EarlyCascade – Extension
-
EarlyCascade injection is now also available in Outflank C2 (formerly Stage1) and ShovelNG
Outflank C2 & PE Payload Generator
-
New options and GUI improvements to allow more operator flexibility
Evasion
-
Added 5 new community contributed EDR presets
Schedule a demo to learn more >
EarlyCascade Injection in Payload Generator
EarlyCascade Injection in Payload Generator
-
Added a novel injection technique called ‘EarlyCascade’
-
Added ‘freeze’ as a new process creation method
-
New ‘Embed in section’ option
-
Relative local paths are now supported
Updates
-
Bugfixes in Payload Generator, Outflank C2 (formerly Stage1), and in the OST portal
Schedule a demo to learn more >
BeaconBooster CS 4.10 Compatibility
BeaconBooster CS 4.10 Compatibility
-
Updated Beacon Booster’s Sleep Masks for compatibility with the new version of Cobalt Strike
-
Added address spoofing for Beacon Gate
Schedule a demo to learn more >
Outflank C2: New macOS & Linux implants
Outflank C2: New Name & New Features
-
Native Implants: Tailored for each OS, both implants are written in C/C++/ASM
-
Full Implant Capabilities: Dynamic Execution (BOF/JXA), network tunneling, http & tcp beacons
-
Guardrails & High OPSEC: Our research into macOS & Linux EDR was incorporated in developing the implant
-
In-Phase Builder: Capabilities to generate/transform raw shellcode in various macOS or Linux formats
-
Stage1 has been renamed Outflank C2
Schedule a demo to learn more >
PhisherPrice: OST Attacks the Cloud!
New Tool Release: PhisherPrice
-
This new tool adds to OST capabilities for attacking EntraID device code flow.
Updates
-
Bugfixes
-
Various infrastructure changes
Schedule a demo to learn more >
Updates for Stage1 and Cobalt Strike UDRL
Evasion
-
Windows Defender sandbox detection for Cobalt Strike and Stage 1
Stage1 C2
-
Update for KernelCallbackTables injection and Module Stomping
Web Portal
-
Bugfix
Schedule a demo to learn more >
New EDR Presets & Bugfix
Payload Generator
-
4 new EDR presets (community contributions)
Stage 1 C2
-
Bugfix
Schedule a demo to learn more >
Updates to C2 Tool Collection and Bugfixes
CreateService BOF
-
New BOF for creating/stopping/deleting services
Updates
-
Small updates for various tools, including WdToggle and In-Phase Builder
Schedule a demo to learn more >
In-Phase Builder – Initial Access to the Max!
New tool in beta: In-Phase Builder
-
This is an incredibly powerful framework for generating and working with file formats and is easily extendible.
-
Each file format transformation has been implemented in the infection chain and optimized for OPSEC.
-
Chains include new tradecraft to decrease the number of warnings/popups a victim will see or change some popups to less scary ones.
-
The tool incorporates our research and full weaponisation of an initial infection file format that has less stringent browser controls and Mark-of-the-Web blocks than most known formats.
Schedule a demo to learn more >
New SpawnAs and UAC Bypass Features in Stage1
Stage 1
-
Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass
PE Payload Generator, Stage 1, and ShovelNG
-
Various quality of life updates
-
Enhanced OPSEC: Evading EDR emulation
Schedule a demo to learn more >
New Misc Tools, Relaying Research and Quality of Life Updates
EDR Evasion
-
Evasive features ported towards ShovelNG for lateral movement
-
Additions of new EDR presets
Stage1
-
Major performance enhancement of SOCKS
Misc Features and Updates
-
New Keylogger and capability for remote command execution over WSMan
-
Inclusion of new relaying research
-
Updates to several tools to support new Windows versions, features, bugfixes, etc
Schedule a demo to learn more >
Mega EDR Fine Tuning and Bypass Release
-
This release is the result of several man-months of research on stealthiness and evasion.
-
OST tools PE Payload Generator, Stage 1 C2, and Lateral Pack’s Shovel NG are now even better equipped to bypass major EDRs as a result of tweaked remote process injection techniques, smarter unhooking, and a new sleep mask.
Schedule a demo to learn more >
EDR Evasion, Tech Deep Dive, and Bugfix Release
-
EDR info has been extended and presets are now available for a total of six major EDRs.
-
A cheat sheet is now available for the “OPSEC tricks for attacking Azure AD with ROADtools” recording.
-
Numerous small bugfixes have been implemented.
Schedule a demo to learn more >
PowerShell Tradecraft and New OPSEC Features
Tool category: PowerShell Tradecraft
-
PSPipeJack: This new tool uses a novel lateral movement technique for abusing tricks in Powershell, bringing back PowerShell for red teamers. It can be used as dedicated tool, both in Stage 1 C2 or in Cobalt Strike.
-
PowerShell support has been added to Stage 1 C2 with obvious security bypasses.
Schedule a demo to learn more >
Tech Deep Dive and new EDR presets
Tech DeepDive Recording
-
Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.
EDR Evasion / Payload generator & documentation
-
Two new PE Payload Generator EDR presets.
Schedule a demo to learn more >
Major Updates for EDR Evasion
Updates:
Tool category: EDR Evasion/Payload Generator/Documentation
• Payload Generator:Payload generator now provides guidance on configuration options for specific EDRs.
• Documentation enhanced with technical details on evasion, strategies and how to best use OST.
• Minor bugfixes for Stage 1 and EvilClicky
Schedule a demo to learn more >
Updates to Hidden Desktop and Stage 1
Updates:
Tool category: Out-phase/Exfiltration
• Hidden Desktop: Complete rewrite, BOF format and various new functionality
• New feature in Stage 1: Reverse Port Forwarding (Enabling hiddenDesktop via Stage1)
Schedule a demo to learn more >
New Exploit Release: Ivanti Secure Access VPN Client
Tool category: Privilege Escalation/Misc
• Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc
Schedule a demo to learn more >
Updates to ShovelNG and Cloud OPSEC Session
Updates:
Tool Category: Lateral Movement
• Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC
Knowledge Sharing:
Category: Cloud OPSEC
• Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema
Schedule a demo to learn more >
Sleep Mask Additions & New C2 Tools
Tool category: Command & Control
• Stage 1 new configurable Sleep Masks
• Cobalt Strike Integrations update: New evasive Sleep Mask added
Updates:
• Outflank C2 Tool Collection updates including 3 new tools
• Extended support for arbitrary .NET projects
Schedule a demo to learn more >
New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask
New Tool Release: regcertipy & Updates to Kerneltool
Tool category: Internal Recon
• New tool release: regcertipy – identifying certificate templates via registry updates
Updates:
• Updated Kerneltool with additional supported kernel/OS versions
Schedule a demo to learn more >
Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers
Release type: Knowledge Sharing
• Added Tech Deep Dive video on Stage 1 automation
• Added Tech Deep Dive video on Windows Kernel Drivers
Schedule a demo to learn more >
Updates to PE Payload Generator & Cobalt Strike Integration UDRL
Release type: Updates
• PE Payload Generator now has a new loader with favorable OPSEC properties
• Cobalt Strike Integration UDRL added new loader, and added YARA bypass information
Schedule a demo to learn more >
Updates to PE Payload Generator, KernelTool & Kernelkatz
Release type: Updates
• PE Payload Generator now supports .node files
• KernelTool and Kernelkatz driver change after update of Microsoft Driver Block List
• KernelTool support for DSE disabling
• KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support
Release type: Knowledge Sharing
• Added ClockOnce video to Tech DeepDive section
Schedule a demo to learn more >
New tool release: Stage1 v2.4.0
Tool category: Command & Control
• New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements
Schedule a demo to learn more >
New tool release: Cobalt Strike Integrations on UDRL
Tool category: Command & Control
• New tool release: Cobalt Strike Integrations on User Defined Reflective Loader
Schedule a demo to learn more >
Q2 2023 Update Review
Release type: Knowledge Sharing
• Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023
Schedule a demo to learn more >
New Tool Release: EvilClicky – ClickOnce Payload Generator
New Tool Release: KernelKatz
Tool category: Credential dumping
• New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable krenel driver
Schedule a demo to learn more >
New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG
Tool category: Credential dumping
• New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process
Updates:
• New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)
Schedule a demo to learn more >
Updates to Stage 1 & Opsec/Evasion
Tool category: Command & Control
• Stage 1 new commands & opsec/evasion updates
Schedule a demo to learn more >
Session on EDR Evasion & Opsec
Release type: Knowledge Sharing
• Sharing: session on EDR Evasion & Opsec, recording is available in portal
Schedule a demo to learn more >
Q1 2023 Update Review
Release type: Knowledge Sharing
• Q1 2023 update review, walkthrough of most important additions of OST updates in Q1 2023
Schedule a demo to learn more >
New Tool Release: RPC and Registry Tradecraft
Tool category: Internal Recon
• New tool release RPC and Registry Tradecraft: collection of scripts related to RPC and Windows Registry trickery
Schedule a demo to learn more >
New Tool Release: SideloadTrigger & Updates to Payload Generator, KerberoasAsk
Tool category: Privilege Escalation
• New tool release SideloadTrigger: a BOF used for privesc abusing writeable paths
Updates:
• Payload Generator now has new loaders and ‘predefined payloads’
• KerberoasAsk support for pfx files, PasswordSpy
Schedule a demo to learn more >
Updates: Various cleanup and smaller bug fixed
New tool release: Stage1 v2.0.0
Tool category: Command & Control
• New tool release: Stage 1 v2.0.0, a major overhaull of the Stage1 C2 framework
Schedule a demo to learn more >
Session on latest research ‘The Registry Rundown for Red Teams’
Release type: Knowledge Sharing
• Session on latest research ‘The Registry Rundown for Red Teams’
Schedule a demo to learn more >
Updates to Payload Generator
Release type: Updates
• Payload Generator now also supports DripMemory & ROP Gadgets for EDR evasion
Schedule a demo to learn more >
New Tool Release: KernelTool & Updates to KerberosAsk
Tool category: Kernel Trickery
• New tool release KernelTool: EDR blinding by modifying precoss details abusing a vulnerable driver
Updates:
• KerberosAsk updates allowing for tgtdeleg and S4u
Schedule a demo to learn more >
ShovelNG (Lateral Pack) upgraded with new loaders
Release type: Updates
• ShovelNG (Lateral Pack) upgraded with new loaders