Outflank Security Tooling (OST)
This is a condensed version of the release notes. Full technical release notes with bug fixes and under-the-hood enhancements are available to OST customers via the portal.
October 2025
7 October 2025
Outflank C2
- Added capability to include hardcoded proxy credentials.
PE Payload Generator, ShovelNG, PasswordSpy++
- EDR evasion improvements.
- Mitigations against Import Hash (imphash) fingerprinting.
PE Payload Generator
- EDR evasion improvement to mitigate entropy-based detections.
EDR Presets
- Added two new community contributed EDR presets.
September 2025
Version: 18 September 2025
Outflank C2
- Added BOF-PE (DLL) support.
Outflank C2 Async Pack
- Portscan: Map available network servers and services by scanning hosts and IP ranges for open TCP ports.
Documentation
- Added EDR testing guidelines to the EDR Evasion section of the Knowledge Base.
August 2025
Version: 28 August 2025
In-Phase Builder
- BGInfo support: Builder now supports BGInfo file generation.
Outflank C2 Tool Collection
- Shortcut BOF: New BOF that allows operators to use Windows shortcuts (.lnk) files in their operations.
KernelTool
- Operators can now specify custom driver paths for dropping, which can be used for WDAC policies that restrict drivers from being loaded from specific locations.
Chromeo
- Improvements in Chrome attack tooling (Chromeo).
PE Payload Generator
- Various quality of life improvements.
OC2 Implant
- Evasion improvements.
14 August 2025
Chromeo
- Introduced attack tooling for Chromium-based processes (Chrome/Edge/Brave/Opera).
Misc Updates
- EDR presets: New community contributed EDR preset.
- OC2 Implant builder: Quality of life improvement.
1 August 2025
Outflank C2 Tool Collection
- New BOF that manipulates the Windows network stack, with these features:
  - EDR telemetry blocking.
  - Traffic interception.
  - Remote system support: Target remote systems before lateral movement.
In-Phase Builder
- EarlyBird improvement: Improving evasion.
PE Payload Generator
- Quality of life improvement: Added additional warnings prior to expiration.
July 2025
Version: 17 July 2025
KernelTool
- Various quality of life improvements related to multiple driver support and specific driver detections.
PE Payload Generator
- Various quality of life improvements related to evasion and KillDate management.
EDR Presets
- Added two new community contributed EDR presets.
June 2025
Version: 26 June 2025
In-Phase Builder
- Linux Python payload building option.
Outflank - C2 Async Pack
- Interface monitor command to detect network interface additions/deletions.
- File monitor command to detect file modifications.
- Usermon command to monitor login activity.
Outflank - C2 Tool Collection
- SprayAD will now run as an asynchronous BOF for supported teamservers.
Outflank C2
- Various quality of life improvements on the BOF Loader.
OST Portal
- Improved several input validation error messages.
June 4, 2025
CredentialPack
- HiveDump: New registry hive dumping tool that manually reads and parses the registry.
KernelKatz
- Added MSV support for Windows 24H2 and updated static offsets.
- Bug fix for out-of-bounds reads on specific Windows versions.
May 2025
Version: 12 May 2025
BeaconBooster
- Added support for Cobalt Strike 4.11.1.
Outflank C2
- Minor bug fixes for Blind ETW on start and in Clipmon from OC2 Async Pack.
May 1, 2025
Outflank C2
- Asynchronous task support: Though BOFs were previously designed for synchronous operations, operators can now roll out a network of sensors and stream these events to the C2 server for further processing - all while the implant is sleepmasked.
Outflank C2 Async BOF Pack
This can monitor for various events with an initial release consisting of four monitoring BOFs:
- Usermon: Monitor and record user login events. Every login is recorded and printed.
- Procmon: Monitor for a specific application start.
- Clipmon: Monitor the clipboard, recording every new text copy.
- Keylogger: Record all entered keystrokes, including key modifiers and special keys.
Bug fixes
- Numerous bug fixes and minor improvements for payload generator, BeaconBooster, and Language Panda.
April 2025
Version: 30 April 2025
OST Portal
- Users can now add new content and make edits to existing content that will be shared with the OST community.
New Documentation Portal
- Revised product documentation structure.
- Added search function and dark mode.
17 April 2025
ShovelNG
- With Bring Your Own Execution Context (BYOEC), it is now possible to configure ShovelNG to upload your own executable (.exe) to be used as an execution context instead of one of the currently available LOLBINS.
- Added five preconfigured Execution Contexts.
- Additional execution configurations coming soon.
9 April 2025
Outflank C2
- Added configurable proxy support for Windows and Linux/macOS implants. The implant will try this configurable option after direct and system/user proxy failures.
- Minor bug fixes for BOFs and process creation.
PE Payload Generator
- Added RC4 encryption.
- Updated guidance for payload configuration.
- Minor bug fix for EarlyBird/Cascade injection.
RoadTune
- Added support for installable App Store apps.
- Install commands are not shown for apps by the IME client.
- Improvements for retrieval of user-scoped policies and assignments.
KernelTool
- Improved offset resolving.
March 2025
Version: 26 March 2025
Portal
This Portal update brings many minor changes to make usage and build flows more convenient, including the introduction of Evil-O-4000, who will now help and guide you, providing:
- Input validation errors in PE Payload Generator.
- Inconsistencies/warnings between Outflank C2 and PE Payload Generator settings.
- Confirmation of input validation.
Bug fixes
- Fixes for Outflank C2, PE Payload Generator, and EarlyCascade.
17 March 2025
Red Team Management Tech DeepDive recording
- Covering the non-technical part of red teaming, this DeepDive covers test plans, reporting, meetings with stakeholders, trust building, planning, and more.
BeaconBooster
- Added compatibility for Cobalt Strike 4.11 release.
5 March 2025
Outflank C2
- Added new Enclave Sleep Mask.
- New AMSI bypass: Novel data-only bypass.
- New BOF loader: Overhauled for increased flexibility and performance.
- Guardrails: Anti-sandbox guardrails now aligned with Payload Generator to provide same options and protection.
PE Payload Generator
- Added cross-product configuration checks.
- EDR Presets.
- Added new community contributed EDR preset.
February 2025
Version: 20 February 2025
BeaconBooster
- Added new Enclave Sleep Mask, based on research by Cedric Van Bockhaven and Matteo Malvica.
- Added x86 exception handling support (also added to Outflank C2).
Outflank C2
- Added APC dispatcher trickery.
- Added maximum attempt counter to forwarded messages.
PE Payload Generator
- Updated input validation box to show direct feedback.
OST Portal
- Added help icon deeplinks to navigate directly to the corresponding item in product documentation.
January 2025
Version: 30 January 2025
Tech Deep Dive
- Deep dive into architecture of VBS enclaves. Full walk through demo with practical techniques for existing vulnerable enclave DLLs.
EDR presets
- Added new community contributed EDR preset.
15 January 2025
Outflank C2
- Added new Sleep Mask options that allow configuring the sleep thread state.
- Dynamic configuration of macOS implant proxy settings.
- Minor tuning and bug fixes.
Tech Deep Dive
- Added recording of the ROADtune knowledge sharing session to the portal: Deep dive into Intune and ROADtune and Full walk through demo of PhisherPrice plus ROADtune.
HiddenDesktop
- Bug fix for uncommon screen resolutions.
December 2024
Version: 19 December 2024
Cloudpack
- ROADTune bug fixes and additions. PhisherPrice now supports token resource tokens, plus added extra documentation.
Outflank C2 updates
- BOF loader can now handle poorly written BOFs that pass binary buffers to BeaconPrintf. System proxy support for Linux and macOS. Several small bug fixes on additional HTTP headers.
EDR updates and documentation
- Added 2 new EDR presets. Improved OPSEC documentation on several key aspects.
4 December 2024
New loaders and BIG OPSEC update
- 4 new loaders in PE Payload Generator, full thread stack spoofing implemented on all system calls in the stagers, implant and reflective loader, EarlyCascade update, Windows CET compatibility update, EDR finetuning for new EDRs.
Outflank C2 implant update
- Improved Linked implants DeepSleep, Automatic User agent detection, extra guardrails.
November 2024
Version: 20 November 2024
Evasion improvements and Bugfix release
- Evasion improvement for PasswordSpy.
- Bugfix for ROADtune Android support.
- Bugfix for lateral movement via Shovel.
14 November 2024
Linux and macOS improvements
- Released a tech deepdive on macOS and Linux operations with OST.
- Fully static Linux implant, allowing it to function on a wide range of systems.
6 November 2024
Guardrails and anti-sandboxing
- Improvement on the guardrail requirements to avoid sandbox analysis.
October 2024
Version: 31 October 2024
New Tool Release: RoadTune
- New tool for offensive Intune operations.
- Can emulate multiple device types, fake compliance and retrieve Intune packages for offline analysis
Updates
- Enhancements to KernelKatz, FakeRansom and evasion presets
15 October 2024
Fixes
- Bugfix for .NET evasion options and lack of console output.
9 October 2024
Tech DeepDive Recording
- Knowledge session on MS Defender static detections.
Updates
- Overall quality of life improvements & smaller bug fixes.
September 2024
Version: 25 September 2024
EDR Evasion
- Added 5 new community contributed EDR presets.
Updates
- EarlyCascade injection is now also available in OC2 and ShovelNG.
- Outflank C2 & PE Payload Generator: new options and GUI improvements to allow more operator flexibility.
11 September 2024
EarlyCascade Injection in Payload Generator
- Added a novel injection technique called 'EarlyCascade'.
- Added 'freeze' as a new process creation method.
- New 'Embed in section' option.
- Relative local paths are now supported.
Updates
- Bugfixes in Payload Generator, Outflank C2 (formerly Stage1), and in the OST portal.
August 2024
Version: 19 August 2024
BeaconBooster CS 4.10 Compatibility
- Updated Beacon Booster's Sleep Masks for compatibility with the new version of Cobalt Strike.
- Added address spoofing for Beacon Gate.
July 2024
Version: 17 July 2024
New Tool Release: PhisherPrice
- This new tool adds to OST capabilities for attacking EntraID device code flow.
Updates
- Bugfixes in KerberosAsk
- Various infrastructure changes
3 July 2024
Evasion
- Windows Defender sandbox detection for Cobalt Strike and Stage1 C2.
Stage 1 C2
- Update for KernelCallbackTables injection and Module Stomping.
- Bugfix in webportal.
June 2024
Version: 25 June 2024
Payload Generator
- 4 new EDR presets (community contributions)
Stage 1 C2
- Bugfix
8 June 2024
Updates
- New CreateService BOF for creating, stopping, and deleting services.
- Updated various tools like WdToggle and In-phase builder.
May 2024
Version: 24 May 2024
Initial Access
- New tool release: In-Phase Builder (BETA) is a new tool for generating initial access payloads in different formats optimized for OPSEC.
8 May 2024
Command and Control
- Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass at Stage 1.
Updates
- Enhanced OPSEC on PE Payload Generator, Stage1, and ShovelNG: evading EDR emulation.
- Under the hood quality of life improvements and bug fixes.
April 2024
Version: 11 April 2024
EDR evasion
- Ported evasive features towards ShovelNG (Lateral movement) and addition of new EDR presets
Command & Control
- Major performance enhancement of Socks.
Updates
- New tool release: a Keylogger and capability for remote command execution over WSMan.
- Added new relaying research.
- Updates to various Misc tools to support new Windows versions, features, bugfixes etc.
March 2024
Version: 20 March 2024
EDR Evasion
- This release is the result of several man-months of research on stealthiness and evasion.
- Due to tweaked remote process injection techniques, smarter unhooking and a new sleep mask, OST tools PE Payload Generator, Stage 1 C2 and Lateral Pack's Shovel NG are now even better equipped to bypass major EDRs.
7 March 2024
EDR evasion
- Extended EDR info and presets, now covering a total of 6 major EDRs.
- Added the cheat sheet of the 'OPSEC tricks for attacking Azure AD with ROADtools' recording.
Updates
- Under the hood improvements and bug fixes.
February 2024
Version: 19 February 2024
PowerShell Tradecraft and new OPSEC features:
- PSPipeJack: a new tool using a novel lateral movement technique abusing tricks in PowerShell that brings back PowerShell for red teamers. Can be used as a dedicated tool, in Stage 1 C2 or in Cobalt Strike.
- PowerShell support in Stage 1 C2 with obvious security bypasses
January 2024
Version: 31 January 2024
Tech DeepDive Recording
- Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.
EDR Evasion / Payload generator & documentation
- Two new PE Payload Generator EDR presets.
17 January 2024
EDR Evasion / Payload generator & documentation
- Payload generator provides guidance on configuration options for specific EDRs.
- Documentation enhanced with technical details on evasion, strategies and how to best use OST.
Updates:
- Minor bugfixes for Stage1 & EvilClicky.
December 2023
Version: 20 December 2023
Out-phase/Exfiltration
- HiddenDesktop v2: Complete rewrite, BOF format and various new functionality
- New feature in Stage 1: Reverse Port Forwarding (enabling HiddenDesktop via Stage1)
11 December 2023
Misc / Privilege Escalation
- Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc
November 2023
Version: 29 November 2023
Lateral movement & Cloud
- Enhanced ShovelNG (lateral movement) for increased evasion/opsec
- Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema.
8 November 2023
Command & Control
- Stage 1 new configurable Sleep Masks
- Cobalt Strike Integrations update: New evasive Sleep Mask added
Updates
- Outflank C2 Tool Collection updates including 3 new tools
- Extended support for arbitrary .NET projects
October 2023
Version: 10 October 2023
Command & Control
- New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask
3 October 2023
Internal Recon
- New tool release: regcertipy - identifying certificate templates via registry
Updates
- Updated KernelTool with additional supported kernel/OS versions
September 2023
Version: 6 September 2023
Knowledge Sharing
- Added Tech Deep Dive video on Stage 1 automation
- Added Tech Deep Dive video on Windows Kernel Drivers
August 2023
16 August 2023
Updates
- PE Payload Generator now has a new loader with favorable OPSEC properties
- Cobalt Strike Integration UDRL added new loader, and added YARA bypass information
July 2023
26 July 2023
Updates
- PE Payload Generator now supports .node files
- KernelTool and KernelKatz driver change after update of Microsoft Driver Block List
- KernelTool support for DSE disabling
- KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support
Knowledge Sharing
- Added ClickOnce video to Tech DeepDive section
19 July 2023
Command & Control
- New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements
5 July 2023
Command & Control
- New tool release: Cobalt Strike Integrations on User Defined Reflective Loader
June 2023
26 June 2023
Knowledge Sharing
- Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023
21 June 2023
Initial Access
- New tool release EvilClicky: ClickOnce payload generator
May 2023
10 May 2023
Credential dumping
- New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable kernel driver
April 2023
26 April 2023
Credential Dumping
- New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process
26 April 2023
Updates
- New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)
12 April 2023
Command & Control
- Stage 1 new commands & opsec/evasion updates
06 April 2023
Knowledge Sharing
- Sharing: session on EDR Evasion & Opsec, recording is available in portal
March 2023
16 March 2023
Knowledge Sharing
- Q1 2023 update review, walkthrough of most important additions of OST updates in Q1 2023
12 March 2023
Internal Recon
- New tool release RPC and Registry Tradecraft: collection of scripts related to RPC and Windows Registry trickery
07 March 2023
Updates
- Payload Generator now has new loaders and 'predefined payloads'
07 March 2023
Updates
- KerberosAsk support for pfx files, PasswordSpy
07 March 2023
Privilege Escalation
- New tool release SideloadTrigger: a BOF used for privesc abusing writeable paths
01 March 2023
Updates
- Various cleanup and smaller bugfixes
February 2023
16 February 2023
Command & Control
- New tool release: Stage1 v2.0.0, a major overhaul of the Stage1 C2 framework
09 February 2023
Knowledge Sharing
- Session on latest research 'The Registry Rundown for Red Teams'
01 February 2023
Updates
- Payload Generator now also supports DripMemory & ROP Gadgets for EDR evasion
January 2023
18 January 2023
Kernel Trickery
- New tool release KernelTool: EDR blinding by modifying process details abusing a vulnerable driver
18 January 2023
Updates
- KerberosAsk updates allowing for tgtdeleg and S4u
09 January 2023
Updates
- ShovelNG (Lateral Pack) upgraded with new loaders