Raphael Mudge
@raphaelmudge.bsky.social
📤 261
📥 15
📝 195
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran.
https://aff-wg.org
reposted by
Raphael Mudge
Calzone
4 days ago
I've been obsessed with
@raphaelmudge.bsky.social
's Crystal Palace since I learned about it at Beacon earlier this month, so... here's a WIP PICO I wrote to hook functions with hardware breakpoints 👀
github.com/ofasgard/har...
GitHub - ofasgard/hardware-breakpoint-pico: A PICO for Crystal Palace that implements hardware breakpoint hooking.
A PICO for Crystal Palace that implements hardware breakpoint hooking. - ofasgard/hardware-breakpoint-pico
https://github.com/ofasgard/hardware-breakpoint-pico
0
3
1
I'll unpack a few thoughts on this...
5 days ago
1
4
1
Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
7 days ago
0
13
7
reposted by
Raphael Mudge
Red Siege
15 days ago
Our CEO
@timmedin.bsky.social
offers his thoughts on what exactly led to the Ascension breach in this follow-up article from Ars Technica:
arstechnica.com/security/202...
#hacking
#infosec
#cybersecurity
How weak passwords and other failings led to catastrophic breach of Ascension
A deep-dive into Active Directory and how “Kerberoasting” breaks it wide open.
https://arstechnica.com/security/2025/09/how-weak-passwords-and-other-failings-led-to-catastrophic-breach-of-ascension/
0
4
3
reposted by
Raphael Mudge
_RastaMouse
19 days ago
[BLOG] I wrote a short post on using the Crystal Palace API from an external Java program.
rastamouse.me/crystal-pala...
Crystal Palace API
Crystal Palace provides two command-line tools, called link and piclink, which are used with a specification file to combine a reflective loader with one or more capabilities (DLLs and/or COFFs). lin...
https://rastamouse.me/crystal-palace-api/
0
5
1
""I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more programmatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output).""
20 days ago
0
1
2
reposted by
Raphael Mudge
Tim Medin
22 days ago
In response to Senator Ron Wyden's letter to the FTC, I have put together my comments on Kerberoasting and RC4.
redsiege.com/blog/2025/09...
https://redsiege.com/blog/2025/09/kerberoasting-microsoft-and-a-senator/
1
10
3
COFFing out the Night Soil
aff-wg.org/2025/09/10/c...
A COFF-focused Crystal Palace update: * internal COFF normalization & section group merging * Crystal Palace can now export COFF * I added COFF merging to the spec language too Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
https://aff-wg.org/2025/09/10/coffing-out-the-night-soil/
22 days ago
0
11
6
reposted by
Raphael Mudge
Tim Medin
22 days ago
The issue isn't as much RC4 as it is bad passwords. While RC4 isn't good, other encryption does *not* prevent Kerberoasting. AES128 and AES256 just slow down the attack by ~100-170x. If the password is really bad, 170x is meaningless.
@matthewdgreen.bsky.social
arstechnica.com/security/202...
Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”
Wyden says default use of RC4 cipher led to last year’s breach of health giant Ascension.
https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/
1
4
1
If you're in London, Will Burgess (
x.com/joehowwolf
) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
https://www.eventbrite.co.uk/e/beacon-25-tickets-1438391440519
23 days ago
0
6
5
@hdm.io
A Pirate's Guide to Snake Oil & Security (May 2025)
www.runzero.com/resources/pi...
""So I spent most of my life doing vulnerability research in some form... this is an area I've spent a whole too much of my life caring about and I feel like it's not in a great state today""
NSEC Keynote: A Pirate's Guide to Snake Oil & Security
Watch HD Moore's keynote at NSEC, where you are taken on a satirical voyage through the crowded world of vulnerability management.
https://www.runzero.com/resources/pirates-guide-to-snake-oil-security/
about 1 month ago
1
6
0
Server Outage: My OSS project websites (e.g., Tradecraft Garden, Sleep, etc.) are down due to a maintenance window at my VPS host. They're working it.
about 1 month ago
1
4
0
reposted by
Raphael Mudge
Greg Otto
2 months ago
Jen Easterly writes a post on LinkedIn addressing her position at West Point being rescinded: "A casualty of casually manufactured outrage that drowned out the quiet labor of truth and the steady pulse of integrity."
www.linkedin.com/pulse/harder...
The Harder Right
I spent 25 years in uniform, including four as a cadet at the United States Military Academy at West Point and two and a half more teaching economics and national security at West Point’s Department o...
https://www.linkedin.com/pulse/harder-right-jen-easterly-hi1be/
2
47
39
I just updated my 25+ year old IRC client, jIRCii. Curious about Aggressor Script's ancestor? It's here. Update improves IRC over SSL/TLS UX, fixes some bugs, tightens some screws, and fixes build to compile on OpenJDK 10+.
jircii.dashnine.org/download/
CC
@hagiagraphe.bsky.social
jIRCii - Java IRC Client
jIRCii is a fully scriptable internet relay chat client for Windows, MacOS X, and Linux. It's free too
https://jircii.dashnine.org
2 months ago
3
6
1
reposted by
Raphael Mudge
_RastaMouse
2 months ago
Published a small collection of PIC loaders for Cobalt Strike, based on my experiments with Crystal Palace.
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike - rasta-mouse/Crystal-Loaders
https://github.com/rasta-mouse/Crystal-Loaders
0
4
2
reposted by
Raphael Mudge
_RastaMouse
2 months ago
[BLOG] Here's the post - I demonstrate my QoL improvements for working with the TCG codebase. This includes vscode with intellisense support, and producing debug builds for use in WinDbg.
rastamouse.me/debugging-th...
1
4
2
@rastamouse.me
digging more into Crystal Palace and demonstrates some of the cross-linking possibilities. I'll admit, I got a little nerd-sniped here, because I'm *not* thinking greatly about "the" way to decompose a complex/modular capability (e.g., a C2 agent). Thread below has my thoughts...
2 months ago
1
5
0
I loved this keynote. But, also felt sadness. Where there is tribe and purpose in our uniqueness in the "hacker community"--there's also a capacity & indifference for cruelty to each other too. I liken it to a smiling group with cannibals present. Room goes dark. Someone disappears. No one cares why
3 months ago
0
0
0
I fixed the login required on my PIC fundamentals Vimeo video. In this go around, I'm experimenting with keeping control of my online content (e.g., no GitHub/YouTube, I pay to host it, etc.) Less algorithm spread, but ideally easier to access w/o ads. Backfired this time. I'm learning as I go.
3 months ago
0
4
0
reposted by
Raphael Mudge
_RastaMouse
3 months ago
Hooking arbitrary BOFs via
@raphaelmudge.bsky.social
's Crystal Palace is very cool. I'm going to explore more to see if I can rip out the SleepMask and BeaconGate into their own PICOs, rather than using the official BOF codebases.
1
5
1
Position Independent Code (PIC) Development Crash Course. My July 2025 overview of PIC writing fundamentals. Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
PIC Development Crash Course
Some helpful content for writing position independent code.
https://vimeo.com/1100089433/d38da198ba?share=copy
3 months ago
0
9
5
A debate is when two parties, with different perspectives, are on a shared journey to truth. Bad Faith communication, can look like debate, but is a quest to dominate, silence, win, and shut down examination of uncomfortable truths that benefit one party.
consilienceproject.org/the-endgames...
The Endgames of Bad Faith Communication - The Consilience Project
https://consilienceproject.org/the-endgames-of-bad-faith-communication/
3 months ago
0
4
0
Taking them to the SHITTER: an analysis of vendor abuse of security research in-the-wild
aff-wg.org/2025/07/13/t...
(There is no benefit modulating my voice for anyone's comfort. This is my fair take, but unapologetic truth. This phenomenon has gone unchecked for too long)
3 months ago
1
10
7
Well, latest blog post went live. I tried to schedule for tomorrow, but ended up setting the date to last week. Valid mistake :) So blog subscribers got the content already (although wrong permalink to actual post). So, it's live. I'll come up with something clever to promote it here tomorrow.
3 months ago
0
6
0
Tradecraft Garden: Tilling the Soil
aff-wg.org/2025/07/09/t...
Some updates to... the Tradecraft Garden and Crystal Palace. Info in the 🧵 below:
Tradecraft Garden: Tilling the Soil
Today, I’m releasing another update to the various Tradecraft Garden projects. This update is a dose of Future C2 and some cool updates to the Crystal Palace tech. Here’s the latest: Code Mutation …
https://aff-wg.org/2025/07/09/tradecraft-garden-tilling-the-soil/
3 months ago
1
12
6
Congratulations
x.com/c5pider
on the release of Havoc Professional. A commercial C2 focused on flexibility and modularity.
www.infinitycurve.org/blog/introdu...
Havoc Professional: A Lethal Presence
An introduction to Havoc Professional and Kaine-kit, exploring the advanced features and capabilities that make them lucrative for modern security professionals.
https://www.infinitycurve.org/blog/introduction
3 months ago
1
11
1
Function disco @ The Crystal Palace
3 months ago
0
3
0
Beacon Object Files... Five Years On
aff-wg.org/2025/06/26/b...
I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.
Beacon Object Files – Five Years On…
When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…
https://aff-wg.org/2025/06/26/beacon-object-files-five-years-on/
3 months ago
0
12
5
@rastamouse.me
continuing to show how to use TCG loaders with Cobalt Strike. This time, post-ex DLLs, and passing pointers to avoid EAF-like detections. He also goes into how to gather section information to pass to a CS post-ex DLL to enable sleep mask-like obfuscation in DLLs that support it.
4 months ago
1
6
0
One of my Tradecraft Garden recommendations is to try out the samples as-is then try them with something you like. Here
@rastamouse.me
walks through adopting them to
@cobaltstrike.bsky.social
and shows how to use my linker to dynamically generate UDRLs via Aggressor Script. Good stuff.
4 months ago
1
4
0
reposted by
Raphael Mudge
Sean Gallagher
4 months ago
Six years ago, a whole city government got ransomwared and blamed it on the NSA because some reporter pointed out the EternalBlue exploit was part of the attacker’s kit …over 2 years after Microsoft pushed patches to prevent its use.
arstechnica.com/information-...
Eternally Blue: Baltimore City leaders blame NSA for ransomware attack
Mayor and council president ask for federal disaster dollars to clean up IT toxic waste.
https://arstechnica.com/information-technology/2019/05/eternally-blue-baltimore-city-leaders-blame-nsa-for-ransomware-attack/
3
38
11
A good day for open source tradecraft, packaged in a usable form, getting put into the conversation.
4 months ago
0
3
0
So, here's a little thread on my new open source project: The Tradecraft Garden.
tradecraftgarden.org
It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders. And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
4 months ago
1
24
15
Planting a Tradecraft Garden
aff-wg.org/2025/06/04/p...
4 months ago
0
3
2
reposted by
Raphael Mudge
_RastaMouse
5 months ago
ICYMI it on the heathen platform, I recently launched a new training portal for Zero-Point. Read more here:
www.zeropointsecurity.co.uk/blog/new-sit...
New Site Launch
https://www.zeropointsecurity.co.uk/blog/new-site-launch
0
7
3
Homesteading the Noosphere by Eric S Raymond: ""I then relate that to an analysis of the hacker culture as a `gift culture' in which participants compete for prestige by giving time, energy, and creativity away.""
www.catb.org/esr/writings...
6 months ago
1
2
0
Post-ex Weaponization: An Oral History
aff-wg.org/2025/04/10/p...
A walk-through of some history on post-ex eco-systems used by CS (PowerShell, Reflective DLLs, .NET, and BOFs). Ends with a coffee conversation talking about magician's guilds, security research, and ideas about what's next.
6 months ago
0
12
9
I attended last week's Pall Mall Process conference in Paris. I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).
6 months ago
1
4
3
If I could have my ideal, professionally satisfying cybersecurity career or foothold-level (e.g., 1-3 months a year) involvement. What would make me happy?
6 months ago
1
4
0
I have something of an agenda as it relates to security research and culture. I will pursue that agenda (partially) through heart warming graphics and super-cute analogies. BEWARE! The CUTE is coming.
6 months ago
0
8
0
Change is constant. When we adapt, it's natural to try and keep today's 'what', but it's folly to forget 'why'. 'why' needs to lead.
7 months ago
0
0
0
Years ago, a friend commented that the free, crazy, ranting, swearing, passionate me was someone people connected with at conferences. I lost my that person, because of... shit. I mean well, I think, I learn (from you)--I like discourse. I'm challenging myself to be... myself again. Wish me luck.
7 months ago
0
11
0
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up. What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it. What does all of this mean?
7 months ago
2
23
14
Got a project or tool you want to release? STOP. Only the purest may publish offensive security research... And, we sense a darkness--you have harmed others... || What it's like navigating industry norms on research ethics and good-faith attempts at appeasement
www.youtube.com/watch?v=vulJ...
ONLY THE PUREST MAY MOUNT ME
YouTube video by Dungeon Soup
https://www.youtube.com/watch?v=vulJTr8u2gc
7 months ago
0
1
0
Probably one of my favorite songs I've stumbled on in the last years. End of the Line by Traveling Wilburys. A good reflection on life, participation, staying 'you' around changing trends, and what's next from a post-middle perspective.
www.youtube.com/watch?v=UMVj...
The Traveling Wilburys - End Of The Line (Official 4K Music Video)
YouTube video by OfficialWilburyVEVO
https://www.youtube.com/watch?v=UMVjToYOjbM
7 months ago
0
13
1
The Security Conversation - The value of offensive security work is fully realized by participation in the security conversation.
aff-wg.org/2025/03/13/t...
7 months ago
0
11
6