_RastaMouse
@rastamouse.me
750 followers 57 following 63 posts
Wannabe security guy. Director @ Zero-Point Security.
rastamouse.me
My motivation behind this is to hook & spoof APIs that aren't supported by BeaconGate, such as CreateProcessA. Passing the PICO memory allocation data to Beacon via BUD also ensures that a custom Sleepmask can free it after ExitThread is called.
rastamouse.me
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
rastamouse.me
And probably more that I'm missing right now. Just dismissing the issue entirely is pure folly.
rastamouse.me
What's the domain password policy (e.g. what's the theoretical worst-case crack time)? Does the svc account need to be that privileged? Is there a process for changing svc account passwords? Can the business detect/respond in the event the account is compromised?
rastamouse.me
Reporting it as informational just because they couldn't crack it would be an egregious error on their part, imo. Many factors would elevate the risk. Most testers only use shitty laptops, but what level of threat/resources is the business defending against?
rastamouse.me
Could MS do better in how they communicate issues with product security? Absolutely. But this isn't just a 'them' problem. I don't see how this letter to the FTC will foster a positive attitude within MS towards participation in good, open security conversations.
rastamouse.me
So why doesn't he also criticise businesses, including his own government, for not building in accordance with industry-recognised standards and for not carrying out security due diligence to ensure compliance against those standards?
rastamouse.me
The message he puts across is pretty much "everyone is too lazy or stupid to change the defaults, so let's blame MS". The first time I saw 'disable RC4 guidance' was in the CIS benchmark for 2012 R2 in 2018.
rastamouse.me
I cannot conceive of a scenario where a vulnerability this old goes unknown or unmitigated for this long, where the business is completely absolved of all responsibility. The Senator's letter willfully ignores the failures made by businesses.
rastamouse.me
A CISO doesn't need to understand the technical details of any vulnerability; they pay for security assessments that communicate issues to them in ways they do understand.
rastamouse.me
I can't really wrap my head around it tbh. I find it totally far-fetched that they didn't know this issue existed, and bitching that "MS didn't tell us about it" is deflecting their own negligence.
raphaelmudge.bsky.social
My case study tries to show: cybersecurity does NOT have systemic ground truth discussion. It's almost all unproductive blame with omission of details to keep some away from blame (e.g., failed compensating controls, facilitating ransomware payments) w/ strategic messaging that leads to offsec blame
rastamouse.me
I'm not victim-blaming, but I've been on that side of the conference door too many times. It's literally the reason why I quit.
rastamouse.me
I do think that Ascension and others that get roasted like this do need to take some accountability though. I'd be willing to bet Kerberoasting was raised in one if not multiple pentest reports prior to the breach, but they chose not to do anything about it.
raphaelmudge.bsky.social
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
rastamouse.me
But if the entire call stack is logged, it would be easy for an analyst at least to see if a call did indeed originate from some unbacked memory, even if a product didn't outright alert on it.
rastamouse.me
I initially wondered if that could be a substitute for needing to fake your call stack to hide the origin of an API call. How many security products would walk the stack and give up as soon as they saw wininet.dll? Or would they walk further back and analyse as much of the stack as possible?
rastamouse.me
While smoking my pipe (yes, I do that now), I thought it interesting to keep PICOs separate so you could stomp them into different modules; e.g. stomp your HTTP C2 PICO into wininet.dll.
rastamouse.me
Playing with @raphaelmudge.bsky.social's latest CP update (it's very cool). I have mixed feelings about merging COFFs though. It simplifies overall development and gives the loader fewer jobs to do, but on the other hand you lose some flexibility about where each "part" goes in memory.
rastamouse.me
Very cool!
raphaelmudge.bsky.social
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
Reposted by _RastaMouse
raphaelmudge.bsky.social
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.

www.eventbrite.co.uk/e/beacon-25-...

beac0n.org

From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
www.eventbrite.co.uk