Outflank Security Tooling (OST) Releases

Outflank Security Tooling (OST) is dedicated to staying up to date on the latest trends, threats, and techniques. With its cloud delivery platform, OST maintains a steady development pace, with an average of one to two new tools per quarter as well as regular updates to existing tools. This timeline provides an up-to-date record of our ongoing advancements and includes not only new releases and updates, but also other activities of the research team, such as knowledge sharing sessions on tradecraft, evasion, and other relevant topics.

OST RELEASES

2024

PowerShell Tradecraft and New OPSEC Features

Tool category: PowerShell Tradecraft

• PSPipeJack is a novel lateral movement technique that can attach to existing named pipes of PowerShell processes remotely using SMB.

• Local PowerShell enables local execution of PowerShell for Stage1. Local PowerShell execution benefits from local AMSI, ETW and Script Block Logging bypasses.

Tool category: Command & Control

• Stage 1 server now supports modal dialogs depending on command arguments.

• Support added for PowerShell execution in Stage1.
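The two PowerShell tradecraft items above have a defender-side counterpart: inventory the named-pipe endpoints that every PowerShell host process exposes (the pipes a remote pipe-attach technique targets) and confirm that the logging controls an in-process bypass aims at are at least enforced by policy. The script below is an added example written for this page, not OST code or a detection Outflank ships. It relies only on the documented PowerShell policy registry keys and standard CIM classes; nothing else is assumed.

```powershell
# Added example (not OST code): map PowerShell host named pipes to their owning
# process, and check that Script Block / Module Logging and Transcription are
# enforced by policy on this host.

function Get-PSHostPipe {
    # Each PowerShell host registers a remoting endpoint named
    # PSHost.<StartTimeTicks>.<PID>.<AppDomain>.<ProcessName> in the pipe namespace.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        Where-Object { [System.IO.Path]::GetFileName($_) -like 'PSHost.*' } |
        ForEach-Object {
            $parts  = [System.IO.Path]::GetFileName($_) -split '\.'
            $procId = 0
            [void][int]::TryParse($parts[2], [ref]$procId)
            # Guard against PID 0, which would otherwise match the System Idle Process.
            $proc  = if ($procId -gt 0) {
                Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
            }
            $owner = if ($proc) { Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Pipe        = $_
                ProcessId   = $procId
                ProcessName = if ($proc) { $proc.Name } else { '<exited>' }
                Owner       = if ($owner -and $owner.User) { '{0}\{1}' -f $owner.Domain, $owner.User } else { '<unknown>' }
            }
        }
}

function Test-PowerShellLoggingPolicy {
    # Documented policy keys; a value of 1 means the control is enforced by policy.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Control = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
        @{ Control = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' }
        @{ Control = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{ Control = $c.Control; EnabledByPolicy = ($v -eq 1) }
    }
}

Get-PSHostPipe               | Format-Table -AutoSize
Test-PowerShellLoggingPolicy | Format-Table -AutoSize
```

A policy that reads as enabled only proves the host is configured to log; an AMSI or ETW patch inside the process stops events at the source. Corroborate by counting Microsoft-Windows-PowerShell/Operational event 4104 per PowerShell PID, and watch for remote named-pipe connections to PSHost.* endpoints (Sysmon event 18 records them) since a legitimate local host rarely receives those over SMB.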

Schedule a demo to learn more >

Major Updates for EDR Evasion

Updates:

Tool category: EDR Evasion/Payload Generator/Documentation

• Payload Generator now provides guidance on configuration options for specific EDRs.

• Documentation enhanced with technical details on evasion strategies and how to best use OST.

• Minor bugfixes for Stage 1 and EvilClicky

2023

Updates to Hidden Desktop and Stage 1

Updates:

Tool category: Out-phase/Exfiltration

• Hidden Desktop: complete rewrite, BOF format and various new functionality

• New feature in Stage 1: reverse port forwarding (enabling Hidden Desktop via Stage 1)

New Exploit Release: Ivanti Secure Access VPN Client

Tool category: Privilege Escalation/Misc

• Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc

Updates to ShovelNG and Cloud OPSEC Session

Updates:

Tool category: Lateral Movement

• Enhanced ShovelNG (lateral movement) for increased evasion/OPSEC

Knowledge Sharing:

Category: Cloud OPSEC

• Tech DeepDive recording: OPSEC tricks for attacking Azure AD with ROADtools, by Dirk-Jan Mollema

Sleep Mask Additions & New C2 Tools

Tool category: Command & Control

• Stage 1: new configurable sleep masks

• Cobalt Strike Integrations update: new evasive sleep mask added

Updates:

• Outflank C2 Tool Collection updates, including 3 new tools

• Extended support for arbitrary .NET projects

New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask

Tool category: Command & Control

New Tool Release: regcertipy & Updates to KernelTool

Tool category: Internal Recon

• New tool release: regcertipy, identifying certificate templates via the registry

Updates:

• Updated KernelTool with additional supported kernel/OS versions

Tech Deep Dive Videos for Stage 1 & Windows Kernel Drivers

Release type: Knowledge Sharing

• Added Tech Deep Dive video on Stage 1 automation
• Added Tech Deep Dive video on Windows Kernel Drivers

Updates to PE Payload Generator & Cobalt Strike Integration UDRL

Release type: Updates

• PE Payload Generator now has a new loader with favorable OPSEC properties
• Cobalt Strike Integration UDRL: new loader added, plus YARA bypass information

Updates to PE Payload Generator, KernelTool & KernelKatz

Release type: Updates

• PE Payload Generator now supports .node files
• KernelTool and KernelKatz: driver changed after the update of the Microsoft driver block list
• KernelTool: support for disabling DSE
• KernelKatz enhancements to dump plaintext WDigest credentials and toggle WDigest support

Release type: Knowledge Sharing

• Added ClickOnce video to Tech DeepDive section
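The kernel and credential items above each push against a specific Windows control: WDigest plaintext caching is the value a "toggle WDigest" capability flips, DSE disabling has to get past HVCI/code-integrity enforcement, and the Microsoft vulnerable driver blocklist is what forced the driver change. The script below is an added example for this page, not OST code or an Outflank detection; it reports the state of those three controls and lists loaded drivers with their signer so a host can be diffed against a baseline. Registry values and CIM classes are the documented Windows ones; nothing else is assumed.

```powershell
# Added example (not OST code): state checks for WDigest caching, HVCI / code
# integrity and the vulnerable driver blocklist, plus a signed-driver inventory.

function Get-WDigestState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $v = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        UseLogonCredential = $v
        # 1 re-enables plaintext credential caching in LSASS; on Windows 8.1 /
        # Server 2012 R2 and later an absent value is the secure default.
        PlaintextCached    = ($v -eq 1)
    }
}

function Get-CodeIntegrityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $bl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
            -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{
        # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
        HvciRunning                    = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        # 0 = off, 1 = audit, 2 = enforced
        CodeIntegrityPolicyEnforcement = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { $null }
        # The value is absent on builds that predate the blocklist toggle.
        VulnerableDriverBlocklist      = ($bl -eq 1)
    }
}

function Get-RunningDriver {
    # Loaded kernel drivers with signature type and signer, for baseline diffing.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
        $sig = if ($_.PathName -and (Test-Path -LiteralPath $_.PathName)) {
            Get-AuthenticodeSignature -FilePath $_.PathName
        }
        [pscustomobject]@{
            Name          = $_.Name
            Path          = $_.PathName
            SignatureType = if ($sig) { $sig.SignatureType } else { '<no file>' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        }
    }
}

Get-WDigestState
Get-CodeIntegrityState
Get-RunningDriver | Sort-Object Signer | Format-Table -AutoSize
```

Inbox drivers are catalog-signed and show SignatureType Catalog rather than Embedded; a third-party driver that appears with no signer, or a known-vulnerable signer subject that was not in yesterday's inventory, is the thing to chase. HvciRunning being true does not by itself rule out a vulnerable signed driver being loaded, since HVCI only blocks drivers the blocklist or a code-integrity policy denies.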

New tool release: Stage1 v2.4.0

Tool category: Command & Control

• New tool release: Stage1 v2.4.0 brings SOCKS5 support as well as new features and user experience improvements

New tool release: Cobalt Strike Integrations on UDRL

Tool category: Command & Control

• New tool release: Cobalt Strike Integrations on User Defined Reflective Loader (UDRL)

Q2 2023 Update Review

Release type: Knowledge Sharing

• Q2 2023 update review: walkthrough of the most important additions to OST in Q2 2023

New Tool Release: EvilClicky – ClickOnce Payload Generator

Tool category: Initial Access

New Tool Release: KernelKatz

Tool category: Credential dumping

• New tool release KernelKatz: a BOF for credential dumping via the kernel, using a vulnerable kernel driver

New Tool Release: DumpMstsc & Updates to KerberosAsk, KernelTool, ShovelNG

Tool category: Credential dumping

• New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process

Updates:

• New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool, and added OPSEC features in ShovelNG (lateral movement pack)

Updates to Stage 1 & Opsec/Evasion

Tool category: Command & Control

• Stage 1: new commands and OPSEC/evasion updates

Session on EDR Evasion & Opsec

Release type: Knowledge Sharing

• Session on EDR evasion and OPSEC; the recording is available in the portal

Q1 2023 Update Review

Release type: Knowledge Sharing

• Q1 2023 update review: walkthrough of the most important additions to OST in Q1 2023

New Tool Release: RPC and Registry Tradecraft

Tool category: Internal Recon

• New tool release RPC and Registry Tradecraft: a collection of scripts related to RPC and Windows Registry trickery

New Tool Release: SideloadTrigger & Updates to Payload Generator, KerberosAsk

Tool category: Privilege Escalation

• New tool release SideloadTrigger: a BOF used for privilege escalation by abusing writeable paths

Updates:

• Payload Generator now has new loaders and ‘predefined payloads’
• KerberosAsk: support for .pfx files, PasswordSpy
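Privilege escalation through writeable paths depends on a directory that an unprivileged user can write to and that a privileged process later searches by name. The audit below is an added example for this page, not OST code and not SideloadTrigger: it probes the machine PATH and each service's binary directory for write access, and also flags unquoted service paths containing spaces. Run it as the unprivileged user whose access matters; it uses only standard Windows cmdlets and assumes nothing else.

```powershell
# Added example (not OST code): find writeable search-path and service binary
# directories from the perspective of the current (unprivileged) user.

function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Create-and-delete probe rather than ACL parsing: inherited ACEs, deny
    # entries and integrity labels make ACL evaluation easy to get wrong.
    $probe = Join-Path -Path $Path -ChildPath ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        $true
    } catch {
        $false
    }
}

function Get-WritableSearchPath {
    # Machine-wide PATH entries; a privileged process resolving a DLL or EXE by
    # name walks these in order.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique |
        ForEach-Object { [pscustomobject]@{ Directory = $_; Writable = Test-PathWritable -Path $_ } }
}

function Get-WritableServiceBinaryDir {
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $raw      = $_.PathName.Trim()
        $unquoted = $false
        if ($raw.StartsWith('"')) {
            $close = $raw.IndexOf('"', 1)
            $exe = if ($close -gt 1) { $raw.Substring(1, $close - 1) } else { $raw.Trim('"') }
        } else {
            $idx = $raw.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
            if ($idx -ge 0) {
                $exe = $raw.Substring(0, $idx + 4)
                # A space before .exe in an unquoted path is the classic
                # unquoted-service-path sideload vector.
                $unquoted = $exe.Contains(' ')
            } else {
                $exe = ($raw -split ' ')[0]    # best effort when there is no .exe token
            }
        }
        $dir = if ($exe) { Split-Path -Path $exe -Parent }
        [pscustomobject]@{
            Service           = $_.Name
            RunsAs            = $_.StartName
            Directory         = $dir
            Writable          = [bool]($dir -and (Test-Path -LiteralPath $dir -PathType Container) -and (Test-PathWritable -Path $dir))
            UnquotedWithSpace = $unquoted
        }
    }
}

Get-WritableSearchPath        | Where-Object Writable | Format-Table -AutoSize
Get-WritableServiceBinaryDir  | Where-Object { $_.Writable -or $_.UnquotedWithSpace } | Format-Table -AutoSize
```

The probe creates and deletes a zero-byte file in every directory it tests, so it leaves file-create audit events behind; that is acceptable for an authorized audit but worth knowing on a monitored host. A writable PATH entry only matters if a higher-privileged process actually loads something by bare name from it, so pair a hit with a look at which services or scheduled tasks run from, or search, that directory.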

Updates: Various cleanup and smaller bug fixes

Release type: Updates

• Various cleanup and smaller bug fixes

New tool release: Stage1 v2.0.0

Tool category: Command & Control

• New tool release: Stage1 v2.0.0, a major overhaul of the Stage1 C2 framework

Session on latest research ‘The Registry Rundown for Red Teams’

Release type: Knowledge Sharing

• Session on latest research ‘The Registry Rundown for Red Teams’

Updates to Payload Generator

Release type: Updates

• Payload Generator now also supports DripMemory & ROP gadgets for EDR evasion

New Tool Release: KernelTool & Updates to KerberosAsk

Tool category: Kernel Trickery

• New tool release KernelTool: EDR blinding by modifying process details, abusing a vulnerable driver

Updates:

• KerberosAsk updates allowing for tgtdeleg and S4U

ShovelNG (Lateral Pack) upgraded with new loaders

Release type: Updates

• ShovelNG (Lateral Pack) upgraded with new loaders