We have rebranded our commercial C2 framework from Stage1 to Outflank C2 to reflect its continued growth and functionality, including native implant support for Windows, macOS, and Linux.

The Evolution of Stage1

Since the origin of our red team tooling offering, Outflank Security Tooling (OST), Stage1 C2 has been a core component. Stage1 began as a minimal framework, with its sole focus being an initial access implant with some nifty OPSEC and C2 characteristics. It was ideal for initial reconnaissance, modifying C2 channels if needed, and OPSEC safe techniques for loading another C2 framework once you required stage-2 capabilities.

As more red teams adopted OST, Stage1 quickly proved to be an unexpectedly popular framework, with users providing consistently positive feedback and requests for more features. Subsequently, we began to slowly add cool new functionality, including proxying, support for BOFs, and automation using Python, just to name a few.

While Stage1 was now serving its primary purpose and more, we found that we didn’t want to stop there. One of the top requests from our OST customers — which included our team in our own red team operations — was to add support for macOS and Linux platforms. As we began work on this upgrade and contemplated other developments down the road, we decided that Stage1 had outgrown its name.

So, we’re excited to announce two new implants for macOS and Linux and a rebranded C2 framework, Outflank C2!

New Features in Outflank C2

This release has a slew of new features for the new macOS and Linux implants, as well as enhancements for the existing Windows implant. Here are the highlights:

• Native Implants: Tailored for each OS, both new implants are written in C/C++/ASM.
• Dynamic Execution: Linux implants support ELF Beacon Object Files (BOF) and macOS implants can execute inline JXA.
• Network Tunneling: All three implants include a SOCKS proxy and portforward / rportforward commands.
• C2 Traffic: Both new implants support HTTP(S) and TCP comms.
• Implant Linking: P2P implant linking works between all three implants. P2P is supported between any OC2 implants – Linux/macOS, Linux/Windows, or macOS/Windows!
• Guardrails: All three implants support debugger detection, hostname keying, and SSL pinning.
• Payload Formats: Payload execution is available in multiple formats, including a shared library, standalone executables, and other payload formats for all three platforms.
• Evasion: Months of R&D have enabled many OPSEC features from Windows to be carried to these new platforms. Continuous EDR research ensures users have state-of-the-art macOS and Linux tools.

Emphasizing a Multi-Tool Mindset

OST was created because we strongly believe modern red teams need a broad toolset to be effective in modern operations, not just a single C2. Outflank C2 strongly supports this ideal in several ways. Since Outflank C2 is part of the bigger OST toolset, it can both leverage the awesome functionality of other tools like Builder and Payload Generator, as well as rely on the years of research on EDR evasion techniques. 

Increasingly, more red teams are opting to use multiple command and control tools in their operations to attain their objectives. We have been pleased that Stage1 served a unique purpose that complemented other C2 frameworks. We’re confident this trend will continue with Outflank C2 and we are particularly proud to offer the versatility that comes with providing native support for these three platforms.

The official release of Outflank C2 will take place August 15th and will be reflected in the release timeline. We will have more information to share over the coming period and you’ll see updates to the site to reflect Stage1’s transition to Outflank C2. In the mean time, you can consider scheduling an expert-led demo to learn more about the diverse offerings in OST.