Raphael Mudge
@raphaelmudge.bsky.social
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Reposted by Raphael Mudge
I've updated github.com/pard0p/PICO-... to execute indirect syscalls via LibTP + an enhanced version of LibGate.

I hope this helps to demonstrate the utility of shared libraries in Crystal Palace projects 😁
GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible...
github.com
November 9, 2025 at 11:49 PM
Reposted by Raphael Mudge
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...
GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible...
github.com
November 7, 2025 at 4:10 PM
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."

"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "

Ground truth security research.
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 3:38 PM
4 of the ~37 links in @badsectorlabs.com Last Week in Security are Tradecraft Garden related. LibIPC, LibGate, Arranging the PIC Parterre, & TCG's Community Pavilion.

@pard0p.bsky.social dropped a WinHTTP shared library today.

blog.badsectorlabs.com/last-week-in...

Thank you for building with me.
Last Week in Security (LWiS) - 2025-11-03
ShareHound (@podalirius_), Conquest C2 (@virtualloc), Docker Compose path traversal (@RonMasas), dead domain discovery (@_lauritz_), Narrator persistence/lat movement (@Oddvarmoe ), Windows 11 LPE (@d...
blog.badsectorlabs.com
November 5, 2025 at 4:45 AM
Reposted by Raphael Mudge
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.

github.com/pard0p/LibWi...
GitHub - pard0p/LibWinHttp: LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO...
github.com
November 4, 2025 at 9:21 PM
Reposted by Raphael Mudge
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC
GitHub - pard0p/LibIPC: LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
github.com
November 2, 2025 at 11:29 AM
As new projects, blog posts, and other efforts around TCG show up, I'm listing them here:

tradecraftgarden.org/references.h...

I've put together a Friends of the Tradecraft Garden list on BlueSky too:

bsky.app/profile/did:...

Thank you for building, exploring, & teaching w/ this young project 🪴
October 30, 2025 at 4:24 AM
Reposted by Raphael Mudge
I've also updated Crystal Loaders to benefit from some of the new CP features github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
github.com
October 29, 2025 at 5:39 PM
Reposted by Raphael Mudge
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls
github.com
October 29, 2025 at 5:15 PM
Reposted by Raphael Mudge
Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future.
rastamouse.me/arranging-th...
October 28, 2025 at 1:12 PM
Tradecraft Garden’s PIC Parterre

Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.

aff-wg.org/2025/10/27/t...
Tradecraft Garden’s PIC Parterre
The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them. T…
aff-wg.org
October 27, 2025 at 3:48 PM
"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous."

therecord.media/evilginx-kub...
Evilginx’s creator reckons with the dark side of red-team tools
Polish developer Kuba Gretzky wanted to prove that multi-factor authentication wasn’t foolproof. He succeeded — maybe too well. What happens when a cybersecurity warning becomes the threat itself?
therecord.media
October 23, 2025 at 12:13 PM
Reposted by Raphael Mudge
LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.

github.com/ofasgard/Lib...
GitHub - ofasgard/LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs.
github.com
October 21, 2025 at 4:06 PM
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right-now things, but also how I see them in the context of the overall model this could become.
ALT: a man with glasses looks at a plant in a can that says Pepsi on it
October 17, 2025 at 3:00 PM
Penalty Notice Capita Plc by UK ICO

Detailed breach analysis after 2023 ransomware attack. £14M fine. Which standards of care weren't met?

* Understaffed SOC (1 analyst/shift)
* 58hr SOC response vs. 4.5hr AD takeover
* Failure to implement Active Directory tiering.

ico.org.uk/media2/pv5nh...
October 16, 2025 at 8:34 AM
Why plant a Tradecraft Garden?

In April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
This is "Post-ex Weaponization: An Oral History" by AFF-WG on Vimeo, the home for high quality videos and the people who love them.
vimeo.com
October 14, 2025 at 4:57 PM
Reposted by Raphael Mudge
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
October 14, 2025 at 12:06 PM
Reposted by Raphael Mudge
My first Crystal Palace shared library!
github.com/rasta-mouse/...
GitHub - rasta-mouse/LibTP: Crystal Palace library for proxying Nt API calls via the Threadpool
github.com
October 14, 2025 at 10:02 AM
Reposted by Raphael Mudge
I'm legit blown away. We can use DFR with Nt* APIs now!
October 13, 2025 at 6:58 PM
Weeding the Tradecraft Garden

aff-wg.org/2025/10/13/w...

Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
Weeding the Tradecraft Garden
When I started work on Crystal Palace, my initial thought was to see how much I could ease development of position-independent code DLL capability loaders using the tools and manipulations possible…
aff-wg.org
October 13, 2025 at 3:13 PM
Reposted by Raphael Mudge
[Crystal Kit]
Evasion kit for Cobalt Strike.
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Kit: Runtime evasion for Cobalt Strike
github.com
October 12, 2025 at 6:50 PM
Reposted by Raphael Mudge
I've been obsessed with @raphaelmudge.bsky.social 's Crystal Palace since I learned about it at Beacon earlier this month, so... here's a WIP PICO I wrote to hook functions with hardware breakpoints 👀

github.com/ofasgard/har...
GitHub - ofasgard/hardware-breakpoint-pico: A PICO for Crystal Palace that implements hardware breakpoint hooking.
github.com
September 29, 2025 at 4:29 PM
I'll unpack a few thoughts on this...
I do think that Ascension and others that get roasted like this do need to take some accountability though. I'd be willing to bet Kerberoasting was raised in one if not multiple pentest reports prior to the breach, but they chose not to do anything about it.
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
September 28, 2025 at 5:11 AM