Raphael Mudge
@raphaelmudge.bsky.social
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
The work under way:

PIC programs (loader, capability) become a reusable & empty base.

PIC service modules control bootstrapping.

merge and: attach (incept Win32 API calls), redirect (N:1 layering), C modular programming (1:1 interface+implementation) populates that base with tradecraft specifics
November 20, 2025 at 7:02 AM
Reposted by Raphael Mudge
[BLOG]
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.

rastamouse.me/picing-aop/
November 19, 2025 at 11:04 PM
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
November 10, 2025 at 6:21 PM
Reposted by Raphael Mudge
I've updated github.com/pard0p/PICO-... to execute indirect syscalls via LibTP + an enhanced version of LibGate.

I hope this helps to demonstrate the utility of shared libraries in Crystal Palace projects 😁
GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible...
November 9, 2025 at 11:49 PM
Reposted by Raphael Mudge
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...
November 7, 2025 at 4:10 PM
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."

"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me's LibTP."

Ground truth security research.
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 3:38 PM
4 of the ~37 links in @badsectorlabs.com Last Week in Security are Tradecraft Garden related. LibIPC, LibGate, Arranging the PIC Parterre, & TCG's Community Pavilion.

@pard0p.bsky.social dropped a WinHTTP shared library today.

blog.badsectorlabs.com/last-week-in...

Thank you for building with me.
Last Week in Security (LWiS) - 2025-11-03
November 5, 2025 at 4:45 AM
Reposted by Raphael Mudge
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.

github.com/pard0p/LibWi...
November 4, 2025 at 9:21 PM
Reposted by Raphael Mudge
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC
November 2, 2025 at 11:29 AM
As new projects, blog posts, and other efforts around TCG show up, I'm listing them here:

tradecraftgarden.org/references.h...

I've put together a Friends of the Tradecraft Garden list on BlueSky too:

bsky.app/profile/did:...

Thank you for building, exploring, & teaching w/ this young project 🪴
October 30, 2025 at 4:24 AM
Reposted by Raphael Mudge
I've also updated Crystal Loaders to benefit from some of the new CP features github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
October 29, 2025 at 5:39 PM
Reposted by Raphael Mudge
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls
October 29, 2025 at 5:15 PM
Reposted by Raphael Mudge
Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future.
rastamouse.me/arranging-th...
October 28, 2025 at 1:12 PM
Tradecraft Garden’s PIC Parterre

Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.

aff-wg.org/2025/10/27/t...
October 27, 2025 at 3:48 PM
"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous."

therecord.media/evilginx-kub...
Evilginx’s creator reckons with the dark side of red-team tools
Polish developer Kuba Gretzky wanted to prove that multi-factor authentication wasn’t foolproof. He succeeded — maybe too well. What happens when a cybersecurity warning becomes the threat itself?
October 23, 2025 at 12:13 PM
Reposted by Raphael Mudge
LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.

github.com/ofasgard/Lib...
October 21, 2025 at 4:06 PM
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.
October 17, 2025 at 3:00 PM
Penalty Notice Capita Plc by UK ICO

Detailed breach analysis after 2023 ransomware attack. £14M fine. Which standards of care weren't met?

* Understaffed SOC (1 analyst/shift)
* 58hr SOC response vs. 4.5hr AD takeover
* Failure to implement Active Directory tiering.

ico.org.uk/media2/pv5nh...
October 16, 2025 at 8:34 AM
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
October 14, 2025 at 4:57 PM
Reposted by Raphael Mudge
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
October 14, 2025 at 12:06 PM
Reposted by Raphael Mudge
My first Crystal Palace shared library!
github.com/rasta-mouse/...
GitHub - rasta-mouse/LibTP: Crystal Palace library for proxying Nt API calls via the Threadpool
October 14, 2025 at 10:02 AM
Reposted by Raphael Mudge
I'm legit blown away. We can use DFR with Nt* APIs now!
October 13, 2025 at 6:58 PM
Weeding the Tradecraft Garden

aff-wg.org/2025/10/13/w...

Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
October 13, 2025 at 3:13 PM
Reposted by Raphael Mudge
[Crystal Kit]
Evasion kit for Cobalt Strike.
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Kit: Runtime evasion for Cobalt Strike
October 12, 2025 at 6:50 PM