_RastaMouse
@rastamouse.me
750 followers 58 following 68 posts
Wannabe security guy. Director @ Zero-Point Security.
Reposted by _RastaMouse
raphaelmudge.bsky.social
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
Reposted by _RastaMouse
calz0n3.bsky.social
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
rastamouse.me
I'm legit blown away. We can use DFR with Nt* APIs now!
rastamouse.me
Thanks. Discussions are open on the repo - I'm interested in hearing people's thoughts on this as an evasion strategy. I think it has a lot of potential.
rastamouse.me
My motivation behind this is to hook & spoof APIs that aren't supported by BeaconGate, such as CreateProcessA. Passing the PICO memory allocation data to Beacon via BUD also ensures that a custom Sleepmask can free it after ExitThread is called.
rastamouse.me
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
rastamouse.me
And probably more that I'm missing right now. Just dismissing the issue entirely is pure folly.
rastamouse.me
What's the domain password policy (e.g. what's the theoretical worst-case crack time)? Does the svc account need to be that privileged? Is there a process for changing svc account passwords? Can the business detect/respond in the event the account is compromised?
rastamouse.me
Reporting it as informational just because they couldn't crack it would be an egregious error on their part, imo. Many factors would elevate the risk. Most testers only use shitty laptops, but what level of threat/resources is the business defending against?
rastamouse.me
Could MS do better in how they communicate issues with product security? Absolutely. But this isn't just a 'them' problem. I don't see how this letter to the FTC will foster a positive attitude within MS towards participation in good, open security conversations.
rastamouse.me
So why doesn't he also criticise businesses, including his own government, for not building in accordance with industry-recognised standards and for not carrying out security due diligence to ensure compliance against those standards?
rastamouse.me
The message he puts across is pretty much "everyone is too lazy or stupid to change the defaults, so let's blame MS". The first time I saw 'disable RC4 guidance' was in the CIS benchmark for 2012 R2 in 2018.
rastamouse.me
I cannot conceive of a scenario where a vulnerability this old goes unknown or unmitigated for this long, where the business is completely absolved of all responsibility. The Senator's letter willfully ignores the failures made by businesses.
rastamouse.me
A CISO doesn't need to understand the technical details of any vulnerability; they pay for security assessments that communicate issues to them in ways they do understand.
rastamouse.me
I can't really wrap my head around it tbh. I find it totally far-fetched that they didn't know this issue existed, and bitching that "MS didn't tell us about it" is deflecting their own negligence.
raphaelmudge.bsky.social
My case study tries to show: cybersecurity does NOT have systemic ground truth discussion. It's almost all unproductive blame with omission of details to keep some away from blame (e.g., failed compensating controls, facilitating ransomware payments) w/ strategic messaging that leads to offsec blame
rastamouse.me
I'm not victim-blaming, but I've been on that side of the conference door too many times. It's literally the reason why I quit.
rastamouse.me
I do think that Ascension and others that get roasted like this do need to take some accountability though. I'd be willing to bet Kerberoasting was raised in one if not multiple pentest reports prior to the breach, but they chose not to do anything about it.
raphaelmudge.bsky.social
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?