Training Specialist Models: Automating Malware Development
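The article explores how reinforcement learning with verifiable rewards (RLVR) can be used to train small, self-hosted LLMs (such as Dante-7B) to generate functional malware loaders that evade Microsoft Defender, and shows that such models can outperform large general-purpose models on specific tasks. ...
2025-8-7 19:43:25 | Views: 34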
Outflank Blog - www.outflank.nl
llm
reward
shellcode
verifier
dante
Accelerating Offensive R&D with Large Language Models
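Outflank uses large language models (LLMs) to accelerate research, exploring the "trapped COM object" bug class. Using AI-generated C/C++ code, the team found new COM classes usable for lateral movement and successfully validated several cases on Windows 11. The research results have been published on GitHub. ...
2025-7-31 10:36:3 | Views: 20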
Outflank Blog - www.outflank.nl
trapped
lateral
windows
library
stdfont
Async BOFs – “Wake Me Up, Before You Go Go”
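The article introduces the design and use of asynchronous Beacon Object Files (BOFs), which let red teams deploy sensors in a target environment to monitor events in real time (such as an administrator logon) and send the data to the C2 server without affecting the implant's sleep. The design supports automated tasks (such as obtaining a TGT or starting a keylogger), improves the efficiency and stealth of red team operations, and lays the groundwork for a future SIEM-like solution. ...
2025-7-16 11:56:0 | Views: 15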
Outflank Blog - www.outflank.nl
monitoring
bofs
opsec
wake
c2
BOF Linting for Accelerated Development
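The article describes the role of Beacon Object Files (BOFs) in C2 frameworks and the challenges of developing them, and introduces a tool named boflint for detecting and resolving common problems in BOF development. By inspecting the sections, symbols and relocation information of the COFF file, the tool identifies potential problems after compilation, such as unresolved imports and unsupported relocation types, improving the compatibility and reliability of BOFs across frameworks. ...
2025-6-30 07:47:43 | Views: 26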
Outflank Blog - www.outflank.nl
boflint
bofs
loader
cobalt
development
Secure Enclaves for Offensive Operations (Part II)
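The article discusses techniques for exploiting vulnerabilities in secure enclaves (such as the enclave DLLs of Microsoft SQL Server and Microsoft Edge). By analyzing enclave internals and pointer-validation flaws, the researchers show how to turn an arbitrary read/write vulnerability into VTL1 code execution and how to call functions via a ROP chain. The end result hides the implant's memory while it sleeps, making it hard to detect. ...
2025-6-16 10:17:5 | Views: 24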
Outflank Blog - www.outflank.nl
enclave
vtl1
vtl0
memory
callenclave
Secure Enclaves for Offensive Operations (Part I)
This blog post was co-authored by Matteo Malvica (Researcher at OffSec and External OST developer)...
2025-2-3 09:30:19 | Views: 16
Outflank Blog - www.outflank.nl
enclave
enclaves
memory
isolated
vtl1
2024 Wrapped: Outflank’s Top Tracks
As 2024 nears its end, we feel it is a great time to look back at what we achieved in 2024. TLDR: N...
2024-12-17 17:29:34 | Views: 9
Outflank Blog - www.outflank.nl
outflank
ost
presets
tradecraft
c2
Introducing Early Cascade Injection: from Windows process creation to stealthy injection
By Guido Miggelenbrink at Outflank. Introduction: In this blog post we introduce a novel proce...
2024-10-15 20:3:43 | Views: 18
Outflank Blog - www.outflank.nl
injection
apc
edrs
pfnse
dllloaded
Will the real #GrimResource please stand up? – Abusing the MSC file format
In this blog post we describe how the MSC file format can be leveraged to execute arbitrary code v...
2024-8-13 21:34:59 | Views: 18
Outflank Blog - www.outflank.nl
snap
msc
mmc
security
pane
Introducing Outflank C2 with Implant Support for Windows, macOS, and Linux
We are rebranding our commercial...
2024-8-8 04:59:48 | Views: 35
Outflank Blog - www.outflank.nl
c2
outflank
implants
stage1
windows
EDR Internals for macOS and Linux
Many public blogs and conference talks have covered Windows telemetry sources like kernel callback...
2024-6-3 23:56:18 | Views: 19
Outflank Blog - www.outflank.nl
agents
security
ebpf
network
outflank
OST Release Blog: EDR Tradecraft, Presets, PowerShell Tradecraft, and More
Malicious actors continuously deploy new or improved techniques. Red teams must maintain an equall...
2024-4-30 00:15:32 | Views: 11
Outflank Blog - www.outflank.nl
ost
presets
edrs
bypass
payload
Unmanaged .NET Patching
To execute .NET post-exploitation tools safely, operators may want to modify certain managed funct...
2024-2-1 22:0:15 | Views: 13
Outflank Blog - www.outflank.nl
unmanaged
mscorlib
exitptr
Free Training: Microsoft Office Offensive Tradecraft for Red Teamers
Copyright © Fortra, LLC and its group of companies. Fortra™, the Fortra™ logos, and other identi...
2023-12-19 18:0:51 | Views: 13
Outflank Blog - www.outflank.nl
fortra
llc
logos
marks
proprietary
Mapping Virtual to Physical Adresses Using Superfetch
With the Bring Your Own Vulnerable Driver (BYOVD) technique popping up in Red Teaming arsenals, we...
2023-12-14 23:12:46 | Views: 12
Outflank Blog - www.outflank.nl
memory
superfetch
windows
processes
Reflecting on a Year with Fortra and Next Steps for Outflank
When we debuted OST back in 2021, we wrote a blog detailing both the product features and the rati...
2023-11-6 23:15:42 | Views: 6
Outflank Blog - www.outflank.nl
ost
outflank
cobalt
fortra
development
Listing remote named pipes
On Windows, named pipes are a for...
2023-10-19 23:33:32 | Views: 9
Outflank Blog - www.outflank.nl
remote
windows
smbclient
c2
Solving The “Unhooking” Problem
For avoiding EDR userland hooks, there are many ways to cook an egg: Direct system calls (sysca...
2023-10-5 15:38:13 | Views: 5
Outflank Blog - www.outflank.nl
stage1
library
loadlibrary
c2
python
Cobalt Strike and Outflank Security Tooling: Friends in Evasive Places
This is a joint blog written by the Cobalt Strike and Outflank teams. It is also available on the...
2023-7-19 23:19:10 | Views: 10
Outflank Blog - www.outflank.nl
cobalt
ost
outflank
beacon
tradecraft
So you think you can block Macros?
For the purpose of securing Microsoft Office installs we see many of our customers moving to a mac...
2023-4-25 18:30:30 | Views: 8
Outflank Blog - www.outflank.nl
macros
microsoft
security
xlam
publisher