_RastaMouse
@rastamouse.me
750 followers 59 following 71 posts
Wannabe security guy. Director @ Zero-Point Security.
Yeah, I didn’t have it in me to write the x86 assembly but I’m open to PRs.
Reposted by _RastaMouse
And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
Crystal Kit is just too powerful.
Reposted by _RastaMouse
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
This is "Post-ex Weaponization: An Oral History" by AFF-WG on Vimeo, the home for high quality videos and the people who love them.
Reposted by _RastaMouse
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
I'm legit blown away. We can use DFR with Nt* APIs now!
Thanks. Discussions are open on the repo - I'm interested in hearing people's thoughts on this as an evasion strategy. I think it has a lot of potential.
My motivation behind this is to hook & spoof APIs that aren't supported by BeaconGate, such as CreateProcessA. Passing the PICO memory allocation data to Beacon via BUD also ensures that a custom Sleepmask can free it after ExitThread is called.
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
And probably more that I'm missing right now. Just dismissing the issue entirely is pure folly.
What's the domain password policy (e.g. what's the theoretical worst-case crack time)? Does the svc account need to be that privileged? Is there a process for changing svc account passwords? Can the business detect/respond in the event the account is compromised?
Reporting it as informational just because they couldn't crack it would be an egregious error on their part, imo. Many factors would elevate the risk. Most testers only use shitty laptops, but what level of threat/resources is the business defending against?
Could MS do better in how they communicate issues with product security? Absolutely. But this isn't just a 'them' problem. I don't see how this letter to the FTC will foster a positive attitude within MS towards participation in good, open security conversations.
So why doesn't he also criticise businesses, including his own government, for not building in accordance with industry-recognised standards and for not carrying out security due diligence to ensure compliance against those standards?
The message he puts across is pretty much "everyone is too lazy or stupid to change the defaults, so let's blame MS". The first time I saw 'disable RC4 guidance' was in the CIS benchmark for 2012 R2 in 2018.
I cannot conceive of a scenario where a vulnerability this old goes unknown or unmitigated for this long, where the business is completely absolved of all responsibility. The Senator's letter willfully ignores the failures made by businesses.
A CISO doesn't need to understand the technical details of any vulnerability; they pay for security assessments that communicate issues to them in ways they do understand.
I can't really wrap my head around it tbh. I find it totally far-fetched that they didn't know this issue existed, and bitching that "MS didn't tell us about it" is deflecting their own negligence.
My case study tries to show: cybersecurity does NOT have systemic ground truth discussion. It's almost all unproductive blame with omission of details to keep some away from blame (e.g., failed compensating controls, facilitating ransomware payments) w/ strategic messaging that leads to offsec blame
I'm not victim-blaming, but I've been on that side of the conference door too many times. It's literally the reason why I quit.