Raffi just released an update to Crystal Palace (CP), so I wanted to write about some of the problems that I think it helps solve for PIC development and where it may take us in the future. The philosophy of CP is to build evasion tradecraft as PIC that are| Rasta Mouse
tl;dr - repo here. The Crystal Kit is an experimental project designed to replace Cobalt Strike's Sleepmask. The Sleepmask (and BeaconGate) are key to Beacon's runtime evasion strategy - not only does it mask Beacon's memory, it also acts as an API proxy for Beacon (and BOFs). This allows| Rasta Mouse
Crystal Palace provides two command-line tools, called link and piclink, which are used with a specification file to combine a reflective loader with one or more capabilities (DLLs and/or COFFs). link takes the path to a spec file, the path to a DLL or COFF, and outputs PIC: ./link| Rasta Mouse
A few months ago, I published a post called Modular PIC C2 Agents where I mused about what it could look like to build a C2 agent out of individual (modular) COFFs. The idea was to build a capability by swapping interchangeable parts in and out based on the requirements| Rasta Mouse
The suggested way to get started with Crystal Palace and the Tradecraft Garden projects is through the Windows Subsystem for Linux (WSL) on Windows. If you don't know what WSL is (where have you been!?) the tl;dr is that it's a compatibility layer for running| Rasta Mouse
Abusing GPOs is a tactic that’s been actively in-play for many years. ACL-based path-finding for GPOs was introduced to BloodHound 1.5 in 2018, and other tools have been released such as SharpGPOAbuse which implement various abuse primitives. You may be familiar with this representation, where a machine is| Rasta Mouse
All post-exploitation C2 agents that I'm aware of are implemented as a single rDLL or PIC blob. This means that all of their core logic, such as check-ins, processing tasks, sending output, etc., is mashed into a single executable blob. If an agent is implemented as an rDLL, then| Rasta Mouse
Intro In my previous post, we had a look at the Tradecraft Garden by integrating one of its PIC reflective loaders into a Beacon payload. One of the features I mentioned was that of passing additional arguments variables to Crystal Palace during its linking process. The example I cited was| Rasta Mouse
Intro Raphael Mudge is the original creator of Cobalt Strike and now author/blogger at the Adversary Fan Fiction Writers Guild. His latest project is the Tradecraft Garden, which is a collection of resources centred around the development of position-independent DLL loaders. The tradecraft garden contains two main components: 1.| Rasta Mouse
The CS 4.10 update saw the introduction of the Postex Kit. This was a bit overshadowed by BeaconGate, which was also added in 4.10 (I wrote about this in my last post). The intention of this post is to highlight what this kit is about and how it| Rasta Mouse
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim of this post is to provide a concise overview for those looking into these| Rasta Mouse
I enjoy learning about new programming languages, so I decided to have a look at Crystal - a general purpose, object-oriented language. Unfortunately, the title is complete clickbait - this will just be a short post about my first impressions of the language and some of the things I found| Rasta Mouse
I have been quietly working on some new Kerberos course content, and although it’s not complete yet, I wanted to take a small segue to write this post. My approach to tackling the content required capturing and decrypting legitimate Kerberos traffic on the wire, so that readers could| Rasta Mouse
If you’re an experienced Cobalt Strike user, you will already know what role the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded| Rasta Mouse
YARP: Yet Another Reverse Proxy is a .NET library developed by Microsoft designed to run on top of ASP.NET Core infrastructure. The intended use case for YARP is to sit between backend and frontend services to provide reverse proxy and load balancing services. The content of this blog post| Rasta Mouse
Cobalt Strike Aggressor Callbacks | Rasta Mouse
This post is a replacement for my previous 4-part series. What is AMSI? The Antimalware Scan Interface is a set of Windows APIs that allows any application to integrate with an antivirus product (assuming that product acts as an AMSI provider). Windows Defender, naturally, acts as an AMSI provider as| Rasta Mouse