Raphael Mudge
@raphaelmudge.bsky.social
260 followers 15 following 200 posts
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
Pinned
raphaelmudge.bsky.social
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
raphaelmudge.bsky.social
I saw Sen. Wyden's letter as drawing on offsec insight & inviting convo. I also see his rhetoric as strong. That's why my conclusion caveated: "I don't think MS wants this status quo to sell sec. products". Agree, there's lots of "them" in these problems. My thought exercise was to explore the thems
raphaelmudge.bsky.social
And, for those coming into this thread without having seen the blog post yet, it's this:

Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? Bad successors, precedents, and half fixes?
raphaelmudge.bsky.social
My case study tries to show: cybersecurity does NOT have systemic ground truth discussion. It's almost all unproductive blame with omission of details to keep some away from blame (e.g., failed compensating controls, facilitating ransomware payments) w/ strategic messaging that leads to offsec blame
raphaelmudge.bsky.social
This leads to a blindspot where folks outside of the deeply technical bubbles aren't aware of this stuff and it remains "magic" to them. The volume of easily digestible tool/actor porn drowns this message and prevents IT/CISO/lay persons from having a sense that these are actionable and key issues
raphaelmudge.bsky.social
I think Microsoft's messaging equates their security servicing guidelines with what the points of defense and security thinking need to be. If it's intended functionality, then it's not a security issue ergo, no need to talk about the risks and implications of it--b/c it makes MS eco-system look bad
raphaelmudge.bsky.social
Wouldn't it have a lot more power and weight, if Kerberoasting, pass-the-hash gaps, BadSuccessor lingering primitives came from MS with an honest contextualization over the "problem mostly solved" narratives we get now & historically? Who has more weight to inform the public? MS or a rando researcher?
raphaelmudge.bsky.social
And, Senator Wyden's issue isn't just that RC4 option exists for reasons, but the lack of care Microsoft has taken in warning its customers about these pervasive issues. My case study attempts to expand on this criticism and further illustrate and hypothesize where this comes from...
raphaelmudge.bsky.social
I do think our tendency to make leaps and w/o question accept simple explanations without FULL ground truth (here, presuming a pen test finding already highlighted this issue and ergo, because it's an 11-year-old issue--victim is morally responsible) is part of what screws the discourse up.
raphaelmudge.bsky.social
The blog post I wrote though, is most valuable for the case study details and breach analysis thought exercise it demonstrates. I found it a challenge to write, because I'm trying to illustrate a self-defeating "bug" in cybersecurity culture/discourse--it's a sociological look vs. technical
raphaelmudge.bsky.social
None of the above is to take away from the palatable frustration of successfully demonstrating a risk, contextualizing its importance, and seeing clients ignore it. But, I'm raising this counterpoint to say it's not always the case it's a previously known or contextualized as existing attack path
raphaelmudge.bsky.social
My understanding from @timmedin.bsky.social is RC4 risk is mitigable w/ a properly (service account std differs from user account) strong password. If it was never cracked by a pen tester, because their level of effort vs. adversary effort differed--how would Ascension know it wasn't strong enough?
raphaelmudge.bsky.social
My logic: If it took the actor weeks or months to crack this password, then I presume a routine pentest or even red team assessment wouldn't have demonstrated this acted on attack path and provided the context weight to motivate a risky configuration change away from RC4.
raphaelmudge.bsky.social
I raise this possibility, because @timmedin.bsky.social shared a "rumor" that it took the actors weeks or months to crack the password that allowed them to escalate privileges in the Ascension Breach:

www.youtube.com/watch?v=xYTG...

Feb 2024 was initial access, May 2024 was ransom event. Plausible
raphaelmudge.bsky.social
If the finding in a pentest was RC4 is enabled, without the context of SUCCESSFUL exploitation and it's a BIG environment (131,000 employees) with mission critical components (it's a 100+ hospital system)--certainly the recommendation itself isn't going to have the weight to motivate the action.
raphaelmudge.bsky.social
I'll unpack a few thoughts on this...
rastamouse.me
I do think that Ascension and others that get roasted like this do need to take some accountability though. I'd be willing to bet Kerberoasting was raised in one if not multiple pentest reports prior to the breach, but they chose not to do anything about it.
Reposted by Raphael Mudge
raphaelmudge.bsky.social
"I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more programmatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output)."
Reposted by Raphael Mudge
timmedin.bsky.social
In response to Senator Ron Wyden's letter to the FTC, I have put together my comments on Kerberoasting and RC4.
redsiege.com/blog/2025/09...
redsiege.com
raphaelmudge.bsky.social
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
Reposted by Raphael Mudge
timmedin.bsky.social
The issue isn't as much RC4 as it is bad passwords. While RC4 isn't good, other encryption does *not* prevent Kerberoasting. AES128 and AES256 just slow down the attack by ~100-170x. If the password is really bad, 170x is meaningless.
@matthewdgreen.bsky.social
arstechnica.com/security/202...
Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”
Wyden says default use of RC4 cipher led to last year’s breach of health giant Ascension.
arstechnica.com
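An added illustration of the point in the post above, not code from Tim Medin's post or from any of the linked articles: it expresses an offline Kerberoast guessing campaign as a budget in bits and compares it with the bits a password policy guarantees, so the ~170x AES slowdown shows up as log2(170) ≈ 7.4 bits, barely more than one extra character from a 62-symbol alphabet. The account records, the guess rate and the 90-day campaign window are constructed assumptions; the msDS-SupportedEncryptionTypes bit values are the documented Active Directory flags, and an unset or zero attribute is treated as RC4-capable here as a conservative assumption that you should verify against your own domain's defaults.

```python
import math

# Documented Active Directory msDS-SupportedEncryptionTypes bit flags.
ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Constructed sample of directory records (not real accounts). "min_len" is the
# minimum password length the password policy applicable to the account enforces.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql",    "spns": ["MSSQLSvc/db01.corp.example:1433"], "enctypes": 0x04, "min_len": 8},
    {"sam": "svc_web",    "spns": ["HTTP/web01.corp.example"],        "enctypes": 0x18, "min_len": 8},
    {"sam": "svc_backup", "spns": ["backup/bk01.corp.example"],       "enctypes": 0x18, "min_len": 25},
    {"sam": "svc_legacy", "spns": ["HOST/legacy.corp.example"],       "enctypes": 0,    "min_len": 8},
    {"sam": "jdoe",       "spns": [],                                 "enctypes": 0,    "min_len": 8},
]


def decode_enctypes(value):
    """Return the set of Kerberos enctypes an account advertises. An unset or
    zero attribute is treated as RC4-capable (an assumption made by this script)."""
    if not value:
        return {"RC4_HMAC"}
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def password_bits(length, charset_size=62):
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(charset_size)


def slowdown_bits(factor):
    """What a per-guess slowdown factor is worth, expressed in password bits."""
    return math.log2(factor)


def guess_budget_bits(guesses_per_second, days):
    """Bits of keyspace an attacker can exhaust at this rate over the campaign."""
    return math.log2(guesses_per_second * 86400 * days)


def audit(accounts, rc4_rate, days, aes_slowdown=170):
    """Flag Kerberoastable accounts (those with an SPN) whose policy-minimum
    password falls inside the attacker's offline guess budget."""
    findings = []
    for acct in accounts:
        if not acct["spns"]:
            continue  # no SPN: no service ticket to request, so not Kerberoastable
        enctypes = decode_enctypes(acct["enctypes"])
        # The ticket is cracked at the speed of the weakest enctype the account allows.
        rc4_allowed = "RC4_HMAC" in enctypes
        rate = rc4_rate if rc4_allowed else rc4_rate / aes_slowdown
        budget = guess_budget_bits(rate, days)
        strength = password_bits(acct["min_len"])
        findings.append({
            "sam": acct["sam"],
            "rc4_allowed": rc4_allowed,
            "margin_bits": strength - budget,
            "at_risk": strength <= budget,
        })
    return findings


if __name__ == "__main__":
    # Constructed campaign parameters: 1e9 RC4 guesses/s for a 90-day window.
    # These are placeholders for illustration, not measured figures.
    extra_chars = slowdown_bits(170) / math.log2(62)
    print(f"170x AES slowdown is worth {slowdown_bits(170):.1f} bits, "
          f"about {extra_chars:.2f} extra characters of a 62-symbol alphabet")
    for finding in audit(SAMPLE_ACCOUNTS, rc4_rate=1e9, days=90):
        print(finding)
```

Under these assumptions the two RC4-capable accounts with an 8-character minimum fall inside the budget, the AES-only account with the same 8-character minimum clears it by only about 2 bits, and the 25-character service-account policy clears it by more than 100 bits, which is the post's point: the enctype moves the line by roughly one character, the password policy moves it by tens of bits.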
raphaelmudge.bsky.social
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.

www.eventbrite.co.uk/e/beacon-25-...

beac0n.org

From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
www.eventbrite.co.uk
raphaelmudge.bsky.social
One of the sources of objective truth in cybersecurity: hackers/offensive security researchers. But, that voice has become quieter over time, because of blame put on these practitioners in the name of an industry-protective "ethics" code that benefits them, silences us, and harms discourse