_RastaMouse
rastamouse.me
_RastaMouse
@rastamouse.me
Wannabe security guy. Director @ Zero-Point Security.
Reposted by _RastaMouse
Cobalt Strike 4.12 is nearly here! Join us at the release party demo to look at the new release, including a modernized GUI, a REST API for research and automation, new process injection options, and more! See you on Nov. 18!
https://ow.ly/WOro50Xqg5M
November 12, 2025 at 3:05 PM
Jumping on the bandwagon
November 11, 2025 at 5:22 PM
If only I could predict the lottery with as much accuracy. Lots of new commands to dig into but looking forward to it!
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 11, 2025 at 1:46 PM
Reposted by _RastaMouse
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
I love seeing all these libraries come together
November 8, 2025 at 8:51 PM
Reposted by _RastaMouse
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.

github.com/pard0p/LibWi...
GitHub - pard0p/LibWinHttp: LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO...
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTT...
github.com
November 4, 2025 at 9:21 PM
Reposted by _RastaMouse
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC
GitHub - pard0p/LibIPC: LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes. - pard0p/LibIPC
github.com
November 2, 2025 at 11:29 AM
Reposted by _RastaMouse
As new projects, blog posts, and other efforts around TCG show up, I'm listing them here:

tradecraftgarden.org/references.h...

I've put together a Friends of the Tradecraft Garden list on BlueSky too:

bsky.app/profile/did:...

Thank you for building, exploring, & teaching w/ this young project 🪴
October 30, 2025 at 4:24 AM
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls
A Crystal Palace shared library to resolve & perform syscalls - rasta-mouse/LibGate
github.com
October 29, 2025 at 5:15 PM
Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future.
rastamouse.me/arranging-th...
October 28, 2025 at 1:12 PM
Reposted by _RastaMouse
Tradecraft Garden’s PIC Parterre

Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.

aff-wg.org/2025/10/27/t...
Tradecraft Garden’s PIC Parterre
The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them. T…
aff-wg.org
October 27, 2025 at 3:48 PM
I had this idea for a portal tailored to PIC analysis, where you upload either a .bin or the disassembly output and receive an automated analysis of its tradecraft, with an LLM to ask specific questions.
October 25, 2025 at 8:54 AM
Did you know that Crystal Palace can merge multiple COFFs straight into a single PIC blob? It means we can produce complete PIC programs from modular parts, without needing a dedicated loader. Plus access to DFR and shared libraries... just lovely.
October 24, 2025 at 6:35 PM
I found it far more enjoyable doing string replacements in Aggressor than in the C2 profile because the feedback loop is so much quicker - no need to stop/start the server after every change.
October 24, 2025 at 3:44 PM
Classic headline. Most of the article and the podcasty recording don't beat on him so much, thankfully.
October 23, 2025 at 2:27 PM
Took me long enough, but finally managed to hook into mscoreei.dll and stack spoof load library calls for clr.dll.
October 22, 2025 at 4:37 PM
Reposted by _RastaMouse
LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.

github.com/ofasgard/Lib...
GitHub - ofasgard/LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs.
A shared library for Crystal Palace that allows you to unit test your PICOs. - ofasgard/LibCPLTest
github.com
October 21, 2025 at 4:06 PM
Found a pretty funny problem with detouring GetProcAddress - it breaks smartinject because it passes invalid pointers to the loader.
October 18, 2025 at 12:56 PM
Reposted by _RastaMouse
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.
October 17, 2025 at 3:00 PM
Reposted by _RastaMouse
And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com
October 16, 2025 at 4:13 PM
Crystal Kit is just too powerful.
October 16, 2025 at 3:16 PM
Reposted by _RastaMouse
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
This is "Post-ex Weaponization: An Oral History" by AFF-WG on Vimeo, the home for high quality videos and the people who love them.
vimeo.com
October 14, 2025 at 4:57 PM
Reposted by _RastaMouse
The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.
October 14, 2025 at 12:06 PM
My first Crystal Palace shared library!
github.com/rasta-mouse/...
GitHub - rasta-mouse/LibTP: Crystal Palace library for proxying Nt API calls via the Threadpool
Crystal Palace library for proxying Nt API calls via the Threadpool - rasta-mouse/LibTP
github.com
October 14, 2025 at 10:02 AM
Very cool feature sets! It's already time to rewrite my evasion kit 😅
October 13, 2025 at 3:49 PM