Outflank Security Tooling (OST)
This is a condensed version of the release notes. Full technical release notes with bug fixes and under-the-hood enhancements are available to OST customers via the portal.
December 2024
19 December 2024
Cloudpack
- ROADtune bug fixes and additions. PhisherPrice now supports resource tokens; extra documentation added.
Outflank C2 updates
- The BOF loader now handles BOFs that BeaconPrintf binary buffers (BOFs that are not programmed nicely). System proxy support for Linux and macOS. Several small bug fixes for additional HTTP headers.
EDR updates and documentation
- Added 2 new EDR presets. Improved OPSEC documentation on several key aspects.
4 December 2024
New loaders and BIG OPSEC update
- 4 new loaders in PE Payload Generator; full thread stack spoofing implemented on all system calls in the stagers, implant and reflective loader; EarlyCascade update; Windows CET compatibility update; EDR fine-tuning for new EDRs.
Outflank C2 implant update
- Improved DeepSleep for linked implants, automatic User-Agent detection, extra guardrails.
November 2024
20 November 2024
Evasion improvements and Bugfix release
- Evasion improvement for PasswordSpy.
- Bugfix for ROADtune Android support.
- Bugfix for lateral movement via Shovel.
14 November 2024
Linux and macOS improvements
- Released a tech deepdive on macOS and Linux operations with OST.
- Fully static Linux implant, allowing it to function on a wide range of systems.
6 November 2024
Guardrails and anti-sandboxing
- Improvement on the guardrail requirements to avoid sandbox analysis.
October 2024
31 October 2024
New Tool Release: ROADtune
- New tool for offensive Intune operations.
- Can emulate multiple device types, fake compliance and retrieve Intune packages for offline analysis.
Updates
- Enhancements to KernelKatz, FakeRansom and evasion presets
15 October 2024
Fixes
- Bugfix for .NET evasion options and lack of console output.
9 October 2024
Tech DeepDive Recording
- Knowledge session on MS Defender static detections.
Updates
- Overall quality of life improvements & smaller bug fixes.
September 2024
25 September 2024
EDR Evasion
- Added 5 new community contributed EDR presets.
Updates
- EarlyCascade injection is now also available in OC2 and ShovelNG.
- Outflank C2 & PE Payload Generator: new options and GUI improvements to allow more operator flexibility.
11 September 2024
EarlyCascade Injection in Payload Generator
- Added a novel injection technique called 'EarlyCascade'.
- Added 'freeze' as a new process creation method.
- New 'Embed in section' option.
- Relative local paths are now supported.
Updates
- Bugfixes in Payload Generator, Outflank C2 (formerly Stage1), and in the OST portal.
August 2024
19 August 2024
BeaconBooster CS 4.10 Compatibility
- Updated Beacon Booster's Sleep Masks for compatibility with the new version of Cobalt Strike.
- Added address spoofing for Beacon Gate.
July 2024
17 July 2024
New Tool Release: PhisherPrice
- This new tool extends OST's capabilities for attacking the Entra ID device code flow.
Updates
- Bugfixes in KerberosAsk
- Various infrastructure changes
3 July 2024
Evasion
- Windows Defender sandbox detection for Cobalt Strike and Stage1 C2.
Stage 1 C2
- Update for KernelCallbackTables injection and Module Stomping.
- Bugfix in web portal.
June 2024
25 June 2024
Payload Generator
- 4 new EDR presets (community contributions)
Stage 1 C2
- Bugfix
8 June 2024
Updates
- New CreateService BOF for creating, stopping, and deleting services.
- Updated various tools such as WdToggle and In-Phase Builder.
May 2024
24 May 2024
Initial Access
- New tool release: In-Phase Builder (BETA) is a new tool for generating initial access payloads in different formats optimized for OPSEC.
8 May 2024
Command and Control
- Low level SpawnAs implementation based on novel research, which also serves as a UAC bypass at Stage 1.
Updates
- Enhanced OPSEC on PE Payload Generator, Stage1, and ShovelNG: evading EDR emulation.
- Under-the-hood quality of life improvements and bug fixes.
April 2024
11 April 2024
EDR evasion
- Ported evasive features to ShovelNG (lateral movement) and added new EDR presets.
Command & Control
- Major performance enhancement of Socks.
Updates
- New tool release: a Keylogger and capability for remote command execution over WSMan.
- Added new relaying research.
- Updates to various Misc tools to support new Windows versions, features, bugfixes etc.
March 2024
20 March 2024
EDR Evasion
- This release is the result of several man-months of research on stealthiness and evasion.
- Due to tweaked remote process injection techniques, smarter unhooking and a new sleep mask, OST tools PE Payload Generator, Stage 1 C2 and Lateral Pack's Shovel NG are now even better equipped to bypass major EDRs.
7 March 2024
EDR evasion
- Extended EDR info and presets, now covering a total of 6 major EDRs.
- Added the cheat sheet of the 'OPSEC tricks for attacking Azure AD with ROADtools' recording.
Updates
- Under the hood improvements and bug fixes.
February 2024
19 February 2024
PowerShell Tradecraft and new OPSEC features:
- PSPipeJack: a new tool using a novel lateral movement technique abusing tricks in PowerShell that brings back PowerShell for red teamers. Can be used as a dedicated tool, in Stage 1 C2 or in Cobalt Strike.
- PowerShell support in Stage 1 C2 with obvious security bypasses
January 2024
31 January 2024
Tech DeepDive Recording
- Microsoft Office Offensive Tradecraft: A recording of a public office tradecraft training.
EDR Evasion / Payload generator & documentation
- Two new PE Payload Generator EDR presets.
17 January 2024
EDR Evasion / Payload generator & documentation
- Payload generator provides guidance on configuration options for specific EDRs.
- Documentation enhanced with technical details on evasion, strategies and how to best use OST.
Updates:
- Minor bugfixes for Stage1 & EvilClicky.
December 2023
20 December 2023
Out-phase/Exfiltration
- HiddenDesktop v2: Complete rewrite, BOF format and various new functionality
- New feature in Stage 1: Reverse Port Forwarding (enabling HiddenDesktop via Stage1)
11 December 2023
Misc / Privilege Escalation
- Added exploit for Ivanti Secure Access (previously Pulse Secure) VPN client (CVE-2023-35080) in Misc
November 2023
29 November 2023
Lateral movement & Cloud
- Enhanced ShovelNG (lateral movement) for increased evasion/opsec
- Tech DeepDive Recording: OPSEC tricks for attacking Azure AD with ROADtools from Dirk-Jan Mollema.
8 November 2023
Command & Control
- Stage 1 new configurable Sleep Masks
- Cobalt Strike Integrations update: New evasive Sleep Mask added
Updates
- Outflank C2 Tool Collection updates, including 3 new tools
- Extended support for arbitrary .NET projects
October 2023
10 October 2023
Command & Control
- New Tool Release: Cobalt Strike Integrations on Evasive Sleep Mask
3 October 2023
Internal Recon
- New tool release: regcertipy - identifying certificate templates via the registry
Updates
- Updated Kerneltool with additional supported kernel/OS versions
September 2023
6 September 2023
Knowledge Sharing
- Added Tech Deep Dive video on Stage 1 automation
- Added Tech Deep Dive video on Windows Kernel Drivers
August 2023
16 August 2023
Updates
- PE Payload Generator now has a new loader with favorable OPSEC properties
- Cobalt Strike Integration UDRL added new loader, and added YARA bypass information
July 2023
26 July 2023
Updates
- PE Payload Generator now supports .node files
- KernelTool and KernelKatz driver change after update of the Microsoft Driver Block List
- KernelTool support for DSE disabling
- KernelKatz enhancements to dump plaintext WDigest Credentials and toggle WDigest support
Knowledge Sharing
- Added ClickOnce video to Tech DeepDive section
19 July 2023
Command & Control
- New tool release: Stage1 v2.4.0, brings SOCKS5 support as well as new features and User Experience Improvements
5 July 2023
Command & Control
- New tool release: Cobalt Strike Integrations on User Defined Reflective Loader
June 2023
26 June 2023
Knowledge Sharing
- Q2 2023 update review, walkthrough of most important additions of OST updates in Q2 2023
21 June 2023
Initial Access
- New tool release EvilClicky: ClickOnce payload generator
May 2023
10 May 2023
Credential dumping
- New tool release KernelKatz: a BOF for credential dumping via the kernel using a vulnerable kernel driver
April 2023
26 April 2023
Credential Dumping
- New tool release DumpMstsc: a BOF to retrieve passwords from a running mstsc process
26 April 2023
Updates
- New UAC bypass functionality in KerberosAsk, code overhaul in KernelTool and added opsec features in ShovelNG (lateral movement pack)
12 April 2023
Command & Control
- Stage 1 new commands & opsec/evasion updates
06 April 2023
Knowledge Sharing
- Session on EDR Evasion & OPSEC; recording is available in the portal
March 2023
16 March 2023
Knowledge Sharing
- Q1 2023 update review, walkthrough of most important additions of OST updates in Q1 2023
12 March 2023
Internal Recon
- New tool release RPC and Registry Tradecraft: collection of scripts related to RPC and Windows Registry trickery
07 March 2023
Updates
- Payload Generator now has new loaders and 'predefined payloads'
07 March 2023
Updates
- KerberosAsk support for PFX files, PasswordSpy
07 March 2023
Privilege Escalation
- New tool release SideloadTrigger: a BOF used for privesc abusing writeable paths
01 March 2023
Updates
- Various cleanup and smaller bugfixes
February 2023
16 February 2023
Command & Control
- New tool release: Stage1 v2.0.0, a major overhaul of the Stage1 C2 framework
09 February 2023
Knowledge Sharing
- Session on latest research 'The Registry Rundown for Red Teams'
01 February 2023
Updates
- Payload Generator now also supports DripMemory & ROP Gadgets for EDR evasion
January 2023
18 January 2023
Kernel Trickery
- New tool release KernelTool: EDR blinding by modifying process details, abusing a vulnerable driver
18 January 2023
Updates
- KerberosAsk updates allowing for tgtdeleg and S4U
09 January 2023
Updates
- ShovelNG (Lateral Pack) upgraded with new loaders