Raphael Mudge
@raphaelmudge.bsky.social
260 followers 15 following 200 posts
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
raphaelmudge.bsky.social
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History (AFF-WG, vimeo.com)
Reposted by Raphael Mudge
calz0n3.bsky.social
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
Reposted by Raphael Mudge
rastamouse.me
I'm legit blown away. We can use DFR with Nt* APIs now!
raphaelmudge.bsky.social
And, the Tradecraft Garden library. Wow mom, I zipped a bunch of objects together! But, I love this, because it works with PIC/PICOs (because of unified conventions) and opens up code re-use and a possible way to package POCs/pieces of tradecraft for others' use.

tradecraftgarden.org/libtcg.html
Tradecraft Garden Library
tradecraftgarden.org
raphaelmudge.bsky.social
I saw Sen. Wyden's letter as drawing on offsec insight & inviting convo. I also see his rhetoric as strong. That's why my conclusion caveated: "I don't think MS wants this status quo to sell sec. products". Agree, there's lots of "them" in these problems. My thought exercise was to explore the thems
raphaelmudge.bsky.social
And, for those coming into this thread without having seen the blog post yet, it's this:

Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? Bad successors, precedents, and half fixes?
raphaelmudge.bsky.social
My case study tries to show: cybersecurity does NOT have systemic ground truth discussion. It's almost all unproductive blame with omission of details to keep some away from blame (e.g., failed compensating controls, facilitating ransomware payments) w/ strategic messaging that leads to offsec blame
raphaelmudge.bsky.social
This leads to a blindspot where folks outside of the deeply technical bubbles aren't aware of this stuff and it remains "magic" to them. The volume of easily digestible tool/actor porn drowns this message and prevents IT/CISO/lay persons from having a sense that these are actionable and key issues
raphaelmudge.bsky.social
I think Microsoft's messaging equates their security servicing guidelines with what the points of defense and security thinking need to be. If it's intended functionality, then it's not a security issue ergo, no need to talk about the risks and implications of it--b/c it makes MS eco-system look bad
raphaelmudge.bsky.social
Wouldn't it have a lot more power and weight, if Kerberoasting, pass-the-hash gaps, BadSuccessor lingering primitives came from MS with an honest contextualization over the "problem mostly solved" narratives we get now&historically? Who has more weight to inform the public? MS or a rando researcher?
raphaelmudge.bsky.social
And, Senator Wyden's issue isn't just that RC4 option exists for reasons, but the lack of care Microsoft has taken in warning its customers about these pervasive issues. My case study attempts to expand on this criticism and further illustrate and hypothesize where this comes from...
raphaelmudge.bsky.social
I do think our tendency to make leaps and w/o question accept simple explanations without FULL ground truth (here, presuming a pen test finding already highlighted this issue and ergo, because it's an 11-year-old issue, the victim is morally responsible) is part of what screws the discourse up.
raphaelmudge.bsky.social
The blog post I wrote though, is most valuable for the case study details and breach analysis thought exercise it demonstrates. I found it a challenge to write, because I'm trying to illustrate a self-defeating "bug" in cybersecurity culture/discourse--it's a sociological look vs. technical
raphaelmudge.bsky.social
None of the above is to take away from the palpable frustration of successfully demonstrating a risk, contextualizing its importance, and seeing clients ignore it. But, I'm raising this counterpoint to say it's not always the case that it's a previously known attack path, or one contextualized as existing.
raphaelmudge.bsky.social
My understanding from @timmedin.bsky.social is that RC4 risk is mitigable w/ a properly strong password (the service account standard differs from the user account standard). If it was never cracked by a pen tester, because their level of effort vs. adversary effort differed, how would Ascension know it wasn't strong enough?
raphaelmudge.bsky.social
My logic: If it took the actor weeks or months to crack this password, then I presume a routine pentest or even red team assessment wouldn't have demonstrated this acted-on attack path and provided the contextual weight to motivate a risky configuration change away from RC4.
raphaelmudge.bsky.social
I raise this possibility, because @timmedin.bsky.social shared a "rumor" that it took the actors weeks or months to crack the password that allowed them to escalate privileges in the Ascension Breach:

www.youtube.com/watch?v=xYTG...

Feb 2024 was initial access, May 2024 was ransom event. Plausible
raphaelmudge.bsky.social
If the finding in a pentest was RC4 is enabled, without the context of SUCCESSFUL exploitation and it's a BIG environment (131,000 employees) with mission critical components (it's a 100+ hospital system)--certainly the recommendation itself isn't going to have the weight to motivate the action.
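The two posts above turn on a distinction a report often leaves out: "RC4 is enabled" is a domain-wide observation, while the risk lives on specific SPN-bearing accounts whose passwords a roaster can crack offline, and whose group memberships decide what a crack buys. The query below is an added example, not code from the thread, from Raphael Mudge or from Tim Medin. It assumes the RSAT ActiveDirectory module and default-named privileged groups (the regex is an assumption; adjust it for your forest). It lists enabled accounts with SPNs that still accept RC4, and attaches the context the posts say a bare finding lacks: password age, SPN count and privileged membership.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and default-named privileged groups; the group regex is an assumption.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7)
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10
$Legacy   = 0x1 -bor 0x2 -bor $RC4_HMAC   # DES-CRC, DES-MD5, RC4-HMAC

$privGroupPattern = '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Backup Operators),'

Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, memberOf |
ForEach-Object {
    $enc = [int]$_.'msDS-SupportedEncryptionTypes'   # $null (attribute unset) becomes 0

    # 0 / unset: the DC applies its default, which on most domains still includes RC4
    # unless DefaultDomainSupportedEncTypes has been set on the DCs. Treat as "RC4 likely,
    # verify against DC policy" rather than as safe.
    $rc4Allowed = ($enc -eq 0) -or (($enc -band $RC4_HMAC) -ne 0)
    $aesOnly    = (($enc -band $Legacy) -eq 0) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)

    # memberOf is direct membership only; nested membership needs a separate recursive query.
    $privileged = @($_.memberOf | Where-Object { $_ -match $privGroupPattern }).Count -gt 0

    $pwAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }

    [pscustomobject]@{
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        SPNs            = @($_.servicePrincipalName).Count
        EncTypes        = ('0x{0:X}' -f $enc)
        RC4Allowed      = $rc4Allowed
        AESOnly         = $aesOnly
        PasswordAgeDays = $pwAgeDays
        Privileged      = $privileged
    }
} |
Where-Object { $_.Enabled -and $_.RC4Allowed } |
Sort-Object Privileged, PasswordAgeDays -Descending |
Format-Table -AutoSize
```

A row that is Privileged, RC4Allowed and has a multi-year PasswordAgeDays is the finding the thread is describing: the one an attacker can afford to spend weeks of GPU time on. Two caveats for the report: a password a pentester could not crack within an engagement's budget has not been shown to withstand an adversary's budget, so the evidence should be password length and rotation policy rather than "we couldn't crack it"; and the per-account fix that removes the question is to move the service to a gMSA (randomized 120-character password rotated automatically) or, at minimum, rotate to a long random secret and set `Set-ADUser <account> -KerberosEncryptionType AES128,AES256` so the account stops issuing RC4 service tickets, testing the dependent service first because clients that only speak RC4 will break.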
raphaelmudge.bsky.social
I'll unpack a few thoughts on this...
rastamouse.me
I do think that Ascension and others that get roasted like this do need to take some accountability though. I'd be willing to bet Kerberoasting was raised in one if not multiple pentest reports prior to the breach, but they chose not to do anything about it.
raphaelmudge.bsky.social
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?