Skip to content

outflank Security tooling (oST)
Demo Videos

OST is a set of private offensive security tools created by the red teaming specialists of Outflank available for use by vetted red teams.

A Powerful Toolbox Made by Red Teamers for Red Teams

ouflank from s4applications

Outflank Security Tooling (OST)

OST is an essential toolkit for anyone involved in Red teaming, Penetration testing, or Vulnerability assessment. Developed by the experts at Outflank, OST includes a comprehensive suite of tools designed to help you identify and exploit vulnerabilities in your organisation’s systems and networks.

OST additional resources

Outflank Security Tooling Demo Videos

A series of short demo videos showcasing tools in Fortra’s Outflank Security Tooling (OST), an elite toolset developed by and made for advanced red teams. OST tools allow you to simulate similar techniques to what some APTs and Organised Crime Groups apply but are not available in public tools. OST tools are explicitly developed to help enable a skilled operator bypass defensive measures and detection tools.

The tools are categorised along the phases of a typical attack kill chain, In Phase, Through Phase and Out Phase:

In Phase

Office Intrusion Pack

The Office Intrusion Pack generates VBA macros based on various templates and settings. Currently it generates a .txt file with VBA code. The main use case is generating malicious macros to be used in maldocs for initial access or persistence (e.g. by backdooring normal.dotm).

Payload Generator  

Payload generator is a binary payload builder/transformer focused on OPSEC safety, operational traceability, and anti-forensics. It can generate various highly evasive malware artifacts for use in achieving initial access, gaining persistence, escalating privileges, or completing lateral movements during red team engagements. 

Offering the latest offensive R&D to help bypassing AV and EDR products, such as direct system calls, techniques to blend in with TI ETW, ROP gadgets, sleep masking, stack spoofing and much more.

Stego Loader

Stego loader allows the operator to embed a payload into an image file using Least Significant Bit Steganography. After the payload is embedded into the image, the image is still valid and viewable.

Through Phase

Stage 1

Stage 1 is Outflank’s custom Command-and-Control framework with focus on OPSEC and ‘Stage 1’ functionality.

Stage 1 is a light C2 framework that is aiming to be as OPSEC-safe as possible. Stage 1 uses features such as direct system calls and sleep masking to stay under the radar of AV and EDR for your initial access and local reconnaissance activities. I


SCMUseKerberos is a tool to change the Service Control Manager (SCM) APIs to use Kerberos for local authentication and to spawn an elevated beacon using a privileged (administrator) Kerberos token. 


Sharpfuscator, a custom .net obfuscator that helps bolster the evasiveness of C# executables, including open source C# tools.  

ShapFuscator is designed for AV/EDR static signature evasion. By analyzing the assembly with tools such as dnspy it is relatively easy to identify the encryption keys, the assembly features or the original tool.


Credential Pack

Credential Pack is a collection of tools that can be used with any Command and Control framework with BOF support and allows the red team operators to extract (dump) and obtain credentials.

Out Phase

Hidden Desktop 

Get a short demo of Hidden Desktop, one of the many tools in Fortra’s Outflank Security Tooling (OST), an elite toolset developed by and made for advanced red teams.

Hidden Desktop is an OPSEC safe implementation of hidden Virtual Network Computing (hVNC), which allows red teamers to create a second desktop on a targeted system that remains invisible to the user. 

Fake Ransom

FakeRansom is a tool developed and used to support in the out phase of a ransomware attack simulation. It is fake, yet real-life-like ransomware. It hijacks the screen and shows a full screen ransom notice combined with ongoing file listings of files of that computer.

It creates the sense of urgency and a stress factor that is often overlooked in a simulation.

Kernelkatz and KernelTool

a short demo of Kernelkatz and KernelTool, two of the many tools in Fortra’s Outflank Security Tooling (OST), an elite toolset developed and made for advanced red teams. Kernelkatz leverages a vulnerable driver to read LSASS memory and dump hashes, using a fresh driver that is not blocked by Device Guard so it can bypass LSA protections. KernelTool can then be used to remove process protections and modify callbacks.

Cobalt Strike UDRLs in 60 Seconds

Outflank Security Tool (OST) users can now leverage the power of User Defined Reflective Loaders (UDRLs) without writing C code or setting up a dev environment. 

Node in 60 secs

Outflank Security Tool (OST) provides .node payload generation, including Function Forwarding. Great for persistency in favorite Electron apps, such as Teams, Slack, VS Code.

Stage 1 Automation in 60 Seconds 

Outflank Security Tooling comes with its own C2 framework called Stage 1. Stage 1 is an OPSEC-focused C2 framework that provides red team operators with a lot of flexibility. One example is shown in this video: By leveraging the power of Python for automating tasks in Stage 1, and using the built in Jupyter Notebooks interface, red team operators can automate all kinds of tasks quickly and easily.

Outflank Security Tooling (OST).

What to do next

Interested in a quote, or the opportunity to talk through your requirements further?

As a Fortra partner, S4 Applications will work with your business to help you understand what Outflank can offer to evaluate your attack surface, priorities, and goals and develop a roadmap to deploy the right solution for your needs.

World Map
World Map