_RastaMouse
@rastamouse.me
Wannabe security guy. Director @ Zero-Point Security.
I hope Fortra legal don't come after me for this one. I just couldn't resist.
November 24, 2025 at 9:50 PM
I hope Fortra legal don't come after me for this one. I just couldn't resist.
Reposted by _RastaMouse
Cobalt Strike 4.12 is LIVE, complete with a new look for the GUI! Additionally, we're introducing:
- A REST API
- User Defined Command and Control (UDC2)
- New process injection options
- New UAC bypasses
- and more!
Check out the release blog for more details.
https://ow.ly/e61m50Xx1OU
- A REST API
- User Defined Command and Control (UDC2)
- New process injection options
- New UAC bypasses
- and more!
Check out the release blog for more details.
https://ow.ly/e61m50Xx1OU
November 24, 2025 at 7:26 PM
Cobalt Strike 4.12 is LIVE, complete with a new look for the GUI! Additionally, we're introducing:
- A REST API
- User Defined Command and Control (UDC2)
- New process injection options
- New UAC bypasses
- and more!
Check out the release blog for more details.
https://ow.ly/e61m50Xx1OU
- A REST API
- User Defined Command and Control (UDC2)
- New process injection options
- New UAC bypasses
- and more!
Check out the release blog for more details.
https://ow.ly/e61m50Xx1OU
Reposted by _RastaMouse
🔥 #BlackFriday discounts are live🔥
➤ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
👉academy.bluraven.io/blackfriday2...
➤ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
👉academy.bluraven.io/blackfriday2...
Black Friday
Mega savings on KQL courses for threat hunting, detection engineering, and incident response.
academy.bluraven.io
November 22, 2025 at 1:24 PM
🔥 #BlackFriday discounts are live🔥
➤ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
👉academy.bluraven.io/blackfriday2...
➤ 35% OFF all #KQL courses for threat hunting, detection engineering, and incident response.
#ThreatHunting #DetectionEngineering #DFIR #incidentresponse #CyberSecurity #InfoSec
👉academy.bluraven.io/blackfriday2...
[BLOG]
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.
rastamouse.me/picing-aop/
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.
rastamouse.me/picing-aop/
PICing AOP
The 11.10.25 Crystal Palace release added more new commands in one go than I think I've seen thus far. Many of them seemed really similar at first blush, and it took me a while to get an understanding...
rastamouse.me
November 19, 2025 at 11:04 PM
[BLOG]
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.
rastamouse.me/picing-aop/
PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming.
rastamouse.me/picing-aop/
Reposted by _RastaMouse
Cobalt Strike 4.12 is nearly here! Join us at the release party demo to look at the new release, including a modernized GUI, a REST API for research and automation, new process injection options, and more! See you on Nov. 18!
https://ow.ly/WOro50Xqg5M
https://ow.ly/WOro50Xqg5M
November 12, 2025 at 3:05 PM
Cobalt Strike 4.12 is nearly here! Join us at the release party demo to look at the new release, including a modernized GUI, a REST API for research and automation, new process injection options, and more! See you on Nov. 18!
https://ow.ly/WOro50Xqg5M
https://ow.ly/WOro50Xqg5M
Jumping on the bandwagon
November 11, 2025 at 5:22 PM
Jumping on the bandwagon
If only I could predict the lottery with as much accuracy. Lots of new commands to dig into but looking forward to it!
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 11, 2025 at 1:46 PM
If only I could predict the lottery with as much accuracy. Lots of new commands to dig into but looking forward to it!
Reposted by _RastaMouse
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
I love seeing all these libraries come together
November 8, 2025 at 8:51 PM
I love seeing all these libraries come together
Reposted by _RastaMouse
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.
github.com/pard0p/LibWi...
github.com/pard0p/LibWi...
GitHub - pard0p/LibWinHttp: LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO...
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTT...
github.com
November 4, 2025 at 9:21 PM
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.
github.com/pard0p/LibWi...
github.com/pard0p/LibWi...
Reposted by _RastaMouse
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
github.com/pard0p/LibIPC
github.com/pard0p/LibIPC
GitHub - pard0p/LibIPC: LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes. - pard0p/LibIPC
github.com
November 2, 2025 at 11:29 AM
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
github.com/pard0p/LibIPC
github.com/pard0p/LibIPC
Reposted by _RastaMouse
As new projects, blog posts, and other efforts around TCG show up, I'm listing them here:
tradecraftgarden.org/references.h...
I've put together a Friends of the Tradecraft Garden list on BlueSky too:
bsky.app/profile/did:...
Thank you for building, exploring, & teaching w/ this young project 🪴
tradecraftgarden.org/references.h...
I've put together a Friends of the Tradecraft Garden list on BlueSky too:
bsky.app/profile/did:...
Thank you for building, exploring, & teaching w/ this young project 🪴
October 30, 2025 at 4:24 AM
As new projects, blog posts, and other efforts around TCG show up, I'm listing them here:
tradecraftgarden.org/references.h...
I've put together a Friends of the Tradecraft Garden list on BlueSky too:
bsky.app/profile/did:...
Thank you for building, exploring, & teaching w/ this young project 🪴
tradecraftgarden.org/references.h...
I've put together a Friends of the Tradecraft Garden list on BlueSky too:
bsky.app/profile/did:...
Thank you for building, exploring, & teaching w/ this young project 🪴
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls
A Crystal Palace shared library to resolve & perform syscalls - rasta-mouse/LibGate
github.com
October 29, 2025 at 5:15 PM
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future.
rastamouse.me/arranging-th...
rastamouse.me/arranging-th...
October 28, 2025 at 1:12 PM
Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future.
rastamouse.me/arranging-th...
rastamouse.me/arranging-th...
Reposted by _RastaMouse
Tradecraft Garden’s PIC Parterre
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Tradecraft Garden’s PIC Parterre
The goal of Tradecraft Garden is to separate evasion tradecraft from C2. Part of this effort involves looking for logical lines of separation. And, with PIC, I think we’ve just found one of them. T…
aff-wg.org
October 27, 2025 at 3:48 PM
Tradecraft Garden’s PIC Parterre
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
I had this idea for a portal tailored to PIC analysis, where you upload either a .bin or the disassembly output and receive an automated analysis of its tradecraft, with an LLM to ask specific questions.
October 25, 2025 at 8:54 AM
I had this idea for a portal tailored to PIC analysis, where you upload either a .bin or the disassembly output and receive an automated analysis of its tradecraft, with an LLM to ask specific questions.
Did you know that Crystal Palace can merge multiple COFFs straight into a single PIC blob? It means we can produce complete PIC programs from modular parts, without needing a dedicated loader. Plus access to DFR and shared libraries... just lovely.
October 24, 2025 at 6:35 PM
Did you know that Crystal Palace can merge multiple COFFs straight into a single PIC blob? It means we can produce complete PIC programs from modular parts, without needing a dedicated loader. Plus access to DFR and shared libraries... just lovely.
I found it far more enjoyable doing string replacements in Aggressor than in the C2 profile because the feedback loop is so much quicker - no need to stop/start the server after every change.
October 24, 2025 at 3:44 PM
I found it far more enjoyable doing string replacements in Aggressor than in the C2 profile because the feedback loop is so much quicker - no need to stop/start the server after every change.
Classic headline. Most of the article and the podcasty recording don't beat on him so much, thankfully.
"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous."
therecord.media/evilginx-kub...
therecord.media/evilginx-kub...
Evilginx’s creator reckons with the dark side of red-team tools
Polish developer Kuba Gretzky wanted to prove that multi-factor authentication wasn’t foolproof. He succeeded — maybe too well. What happens when a cybersecurity warning becomes the threat itself?
therecord.media
October 23, 2025 at 2:27 PM
Classic headline. Most of the article and the podcasty recording don't beat on him so much, thankfully.
Took me long enough, but finally managed to hook into mscoreei.dll and stack spoof load library calls for clr.dll.
October 22, 2025 at 4:37 PM
Took me long enough, but finally managed to hook into mscoreei.dll and stack spoof load library calls for clr.dll.
Reposted by _RastaMouse
LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.
github.com/ofasgard/Lib...
github.com/ofasgard/Lib...
GitHub - ofasgard/LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs.
A shared library for Crystal Palace that allows you to unit test your PICOs. - ofasgard/LibCPLTest
github.com
October 21, 2025 at 4:06 PM
LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.
github.com/ofasgard/Lib...
github.com/ofasgard/Lib...
Found a pretty funny problem with detouring GetProcAddress -it breaks smartinject because it passes invalid pointers to the loader.
October 18, 2025 at 12:56 PM
Found a pretty funny problem with detouring GetProcAddress -it breaks smartinject because it passes invalid pointers to the loader.
Reposted by _RastaMouse
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.
a man with glasses looks at a plant in a can that says pepsi on it
ALT: a man with glasses looks at a plant in a can that says pepsi on it
media.tenor.com
October 17, 2025 at 3:00 PM
I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.
Reposted by _RastaMouse
And it's released! 🎉
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com
October 16, 2025 at 4:13 PM
And it's released! 🎉
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
Crystal Kit is just too powerful.
October 16, 2025 at 3:16 PM
Crystal Kit is just too powerful.