Outflank Security Tooling (OST)
This is a condensed version of the release notes. Full technical release notes with bug fixes and under-the-hood enhancements are available to OST customers via the portal.
September 2024
11 September 2024
EarlyCascade Injection in Payload Generator
- Added a novel injection technique called 'EarlyCascade'.
- Added 'freeze' as a new process creation method.
- New 'Embed in section' option.
- Relative local paths are now supported.
Updates
- Bugfixes in Payload Generator, Outflank C2 (formerly Stage1), and in the OST portal.
August 2024
19 August 2024
BeaconBooster CS 4.10 Compatibility
- Updated Beacon Booster's Sleep Masks for compatibility with the new version of Cobalt Strike.
- Added address spoofing for Beacon Gate.
July 2024
17 July 2024
New Tool Release: PhisherPrice
- This new tool adds to OST capabilities for attacking EntraID device code flow.
Updates
- Bugfixes in KerberosAsk
- Various infrastructure changes
3 July 2024
Evasion
- Windows Defender sandbox detection for Cobalt Strike and Stage1 C2.
Stage 1 C2
- Update for KernelCallbackTables injection and Module Stomping.
- Bugfix in webportal.
June 2024
25 June 2024
Payload Generator
- 4 new EDR presets (community contributions)
Stage 1 C2
- Bugfix
8 June 2024
Updates
- New CreateService BOF for creating, stopping, and deleting services.
- Updated various tools like WdToggle and In-Phase Builder.
May 2024
24 May 2024
Initial Access
- New tool release: In-Phase Builder (BETA) is a new tool for generating initial access payloads in different formats optimized for OPSEC.
8 May 2024
Command and Control
- Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass at Stage 1.
Updates
- Enhanced OPSEC on PE Payload Generator, Stage1, and ShovelNG: evading EDR emulation.
- Under the hood quality of life improvements and bug fixes.
April 2024
11 April 2024
EDR evasion
- Ported evasive features to ShovelNG (lateral movement) and added new EDR presets.
Command & Control
- Major performance enhancement of Socks.
Updates
- New tool release: a Keylogger and capability for remote command execution over WSMan.
- Added new relaying research.
- Updates to various Misc tools to support new Windows versions, features, bugfixes etc.
March 2024
20 March 2024
EDR Evasion
- This release is the result of several man-months of research on stealthiness and evasion.
- Due to tweaked remote process injection techniques, smarter unhooking and a new sleep mask, OST tools PE Payload Generator, Stage 1 C2 and Lateral Pack's Shovel NG are now even better equipped to bypass major EDRs.
7 March 2024
EDR evasion
- Extended EDR info and presets, now covering a total of 6 major EDRs.
- Added the cheat sheet of the 'OPSEC tricks for attacking Azure AD with ROADtools' recording.
Updates
- Under the hood improvements and bug fixes.
February 2024
19 February 2024
PowerShell Tradecraft and new OPSEC features:
- PSPipeJack: a new tool using a novel lateral movement technique abusing tricks in PowerShell that brings back PowerShell for red teamers. Can be used as a dedicated tool, in Stage 1 C2, or in Cobalt Strike.
- PowerShell support in Stage 1 C2 with obvious security bypasses
January 2024
31 January 2024
Tech DeepDive Recording
- Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.
EDR Evasion / Payload generator & documentation
- Two new PE Payload Generator EDR presets.
17 January 2024
EDR Evasion / Payload generator & documentation
- Payload generator provides guidance on configuration options for specific EDRs.
- Documentation enhanced with technical details on evasion, strategies and how to best use OST.
Updates:
- Minor bugfixes for Stage1 & EvilClicky.
December 2023
20 December 2023
Out-phase/Exfiltration
- HiddenDesktop v2: Complete rewrite, BOF format and various new functionality
- New feature in Stage 1: Reverse Port Forwarding (Enabling hiddenDesktop via Stage1)
11 December 2023
Misc / Privilege Escalation
- Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc
November 2023
29 November 2023
Lateral movement & Cloud
- Enhanced ShovelNG (lateral movement) for increased evasion/opsec
- Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema.
8 November 2023
Command & Control
- Stage 1 new configurable Sleep Masks
- Cobalt Strike Integrations update: New evasive Sleep Mask added
Updates
- Outflank C2 Tool Collection updates including 3 new tools
- Extended support for arbitrary .NET projects
October 2023
10 October 2023
Command & Control
- New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask
3 October 2023
Internal Recon
- New tool release: regcertipy - identifying certificate templates via registry
Updates
- Updated KernelTool with additional supported kernel/OS versions
September 2023
6 September 2023
Knowledge Sharing
- Added Tech Deep Dive video on Stage 1 automation
- Added Tech Deep Dive video on Windows Kernel Drivers
August 2023
16 August 2023
Updates
- PE Payload Generator now has a new loader with favorable OPSEC properties
- Cobalt Strike Integration UDRL added new loader, and added YARA bypass information
July 2023
26 July 2023
Updates
- PE Payload Generator now supports .node files
- KernelTool and KernelKatz driver change after update of Microsoft Driver Block List
- KernelTool support for DSE disabling
- KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support
Knowledge Sharing
- Added ClickOnce video to Tech DeepDive section
19 July 2023
Command & Control
- New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements
5 July 2023
Command & Control
- New tool release: Cobalt Strike Integrations on User Defined Reflective Loader
June 2023
26 June 2023
Knowledge Sharing
- Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023
21 June 2023
Initial Access
- New tool release EvilClicky: ClickOnce payload generator
May 2023
10 May 2023
Credential dumping
- New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable kernel driver
April 2023
26 April 2023
Credential Dumping
- New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process
26 April 2023
Updates
- New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)
12 April 2023
Command & Control
- Stage 1 new commands & opsec/evasion updates
06 April 2023
Knowledge Sharing
- Sharing: session on EDR Evasion & Opsec, recording is available in portal
March 2023
16 March 2023
Knowledge Sharing
- Q1 2023 update review, walkthrough of most important additions of OST updates in Q1 2023
12 March 2023
Internal Recon
- New tool release RPC and Registry Tradecraft: collection of scripts related to RPC and Windows Registry trickery
07 March 2023
Updates
- Payload Generator now has new loaders and 'predefined payloads'
07 March 2023
Updates
- KerberosAsk support for pfx files, PasswordSpy
07 March 2023
Privilege Escalation
- New tool release SideloadTrigger: a BOF used for privesc abusing writeable paths
01 March 2023
Updates
- Various cleanup and smaller bugfixes
February 2023
16 February 2023
Command & Control
- New tool release: Stage1 v2.0.0, a major overhaul of the Stage1 C2 framework
09 February 2023
Knowledge Sharing
- Session on latest research 'The Registry Rundown for Red Teams'
01 February 2023
Updates
- Payload Generator now also supports DripMemory & ROP Gadgets for EDR evasion
January 2023
18 January 2023
Kernel Trickery
- New tool release KernelTool: EDR blinding by modifying process details abusing a vulnerable driver
18 January 2023
Updates
- KerberosAsk updates allowing for tgtdeleg and S4u
09 January 2023
Updates
- ShovelNG (Lateral Pack) upgraded with new loaders