
_RastaMouse

@rastamouse.me

Wannabe security guy. Director @ Zero-Point Security.

810 Followers · 62 Following · 136 Posts · Joined 19.11.2024

Latest posts by _RastaMouse @rastamouse.me

Crystal-Kit/crystalkit.yar at main · rasta-mouse/Crystal-Kit Evasion kit for Cobalt Strike. Contribute to rasta-mouse/Crystal-Kit development by creating an account on GitHub.

I've added some YARA rules to the Crystal-Kit repo, covering both the loader and the tradecraft PICO. I was pleasantly surprised to see the generator target aspects like heap obfuscation, call stack spoofing, CFG bypass, and memory cleanup.

github.com/rasta-mouse/...

05.03.2026 18:24 👍 5 🔁 1 💬 0 📌 0
Breaking content signatures with 'ised' This is "Breaking content signatures with 'ised'" by AFF-WG on Vimeo, the home for high quality videos and the people who love them.

So, when I was writing my latest blog post, a few typos got in there. It's how you know I wrote it. :)

I really wanted to ship that day. The engineering was solid though. I put serious tortured (over-)thinking into the design & impl. decisions. I'm thrilled with the result.

vimeo.com/1170068618

05.03.2026 15:44 👍 7 🔁 1 💬 1 📌 0

[BLOG]
Islands of Invariance
rastamouse.me/islands-of-i...

04.03.2026 22:07 👍 4 🔁 2 💬 0 📌 0
A scalpel, a hammer, and a foot gun Last month, I released a Yara signature generator for Crystal Palace. AKA, an invariant content observation tool. I then used the feature to document the physics of various content-signature parame…

A Scalpel, A Hammer, and a Foot Gun

aff-wg.org/2026/03/03/a...

04.03.2026 01:06 👍 5 🔁 3 💬 0 📌 0
Havoc Professional Release The initial release of the long awaited Havoc Professional and the Kaine-kit is finally here and new team member.

Havoc Professional Finally Released! 🕸️🕷️

I'm excited to finally share the work my team and I have put in over the past year. This is just the beginning of what we have planned.

www.infinitycurve.org/blog/release

24.02.2026 01:50 👍 5 🔁 4 💬 0 📌 0
Punching Sideways While I no longer work in the C2 space and I don’t consider myself up on the operations side of red teaming, I watch the space closely to see where it’s going. In this post, I want to write about a…

Punching Sideways

aff-wg.org/2026/02/23/p...

23.02.2026 13:06 👍 11 🔁 4 💬 0 📌 0

This is now committed along with a few other changes like using the newer CPL Java API.

21.02.2026 16:11 👍 4 🔁 2 💬 0 📌 0

Working on a small improvement to Crystal Kit - masking heap memory.

20.02.2026 15:49 👍 6 🔁 0 💬 0 📌 1

I like Sleep

18.02.2026 15:27 👍 1 🔁 0 💬 1 📌 0
MAE - Malwareless Adversary Emulation Advanced red team training — 13 modules on adversary emulation without traditional malware. Learn the techniques that bypass modern defences.

Today’s the day: finally got around to publishing my red team course, with video, written, and self-spin-up labs. lms.zsec.red

14.02.2026 11:09 👍 4 🔁 5 💬 0 📌 1
Bypassing Administrator Protection by Abusing UI Access - Project Zero In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exi...

Part 2 of @tiraniddo.dev’s Windows Administrator Protection journey is here!

projectzero.google/2026/02/wind...

12.02.2026 19:14 👍 5 🔁 5 💬 1 📌 0

I've been playing with a C2 built around PIC modularity for the last few weeks. C2 comms are merged into the agent at link time and output as shellcode. COFFs are transformed into PICOs for postex. Evasion tradecraft can be woven in via spec files. Very scriptable using Sleep.

09.02.2026 16:39 👍 7 🔁 2 💬 1 📌 0

Next week at WWHF Mile High I'll present a major update to roadrecon, with some awesome features I wanted to add for a while! Friday 9am in track 1 for those attending 😀

06.02.2026 12:16 👍 9 🔁 5 💬 0 📌 0
The Islands of Invariance Crystal Palace now has a Yara rule generator. In this blog post, I’ll walk you through the design and evaluation of this feature. rule PageStream_rDLL_03495de1 { meta: description = “PageStre…

The Islands of Invariance

More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.

aff-wg.org/2026/02/02/t...

02.02.2026 17:03 👍 7 🔁 4 💬 0 📌 0
Practical Threat Hunting for Beginners Learn the core knowledge and practical skills required to perform effective threat hunting in real-world environments.

I've released my new course:
Practical Threat Hunting for Beginners

Similar courses: $$$$
This course: $$

academy.bluraven.io/course/pract...

#ThreatHunting #DetectionEngineering

27.01.2026 22:12 👍 3 🔁 2 💬 0 📌 0

Playing in the (Tradecraft) Garden of Beacon and finding Eden. In our latest blog, learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft.

https://ow.ly/zxMP50Y1NQ5

23.01.2026 15:45 👍 6 🔁 4 💬 0 📌 1

A nice workaround against my YARA rule.
kuwaitist.github.io/posts/Patchi...

22.01.2026 13:55 👍 9 🔁 2 💬 0 📌 0

Nice!

15.01.2026 10:10 👍 3 🔁 0 💬 0 📌 0

v0.0.2 of crystal-palace-vsc is up
marketplace.visualstudio.com/items?itemNa...

14.01.2026 09:48 👍 3 🔁 0 💬 0 📌 0

In addition to some new commands, this post goes into a lot of details regarding Crystal Palace's binary transformations. If you're interested in how it does some things under-the-hood, give this a read.

13.01.2026 22:48 👍 2 🔁 0 💬 0 📌 0
Keeping bin2bin out of the bin Happy New Year. I’ve got another Crystal Palace and Tradecraft Garden update for you. My focus this development cycle was making Crystal Palace’s binary transformation framework more robust. …

Keeping bin2bin out of the bin

aff-wg.org/2026/01/13/k...

Another TCG update. +shatter, +regdance, and -O1 MinGW support.

Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)

13.01.2026 21:05 👍 10 🔁 1 💬 0 📌 2
BOF Cocktails Crystal Palace is a PIC framework that can be used to write, among other things, prepended DLL loaders. The philosophy of the project is to apply evasion tradecraft (also written as PIC), to a capabil...

[BLOG]
BOF Cocktails
rastamouse.me/bof-cocktails/

03.01.2026 23:04 👍 5 🔁 1 💬 0 📌 1
Pokemon Yellow Ash% :: 2:27 IGT :: TAS YouTube video by avatar00000

My alter ego has posted a TAS for the Pokémon Yellow Ash% route. Check it out if you like a bit of retro-gaming.
www.youtube.com/watch?v=SqFU...

03.01.2026 09:53 👍 1 🔁 0 💬 0 📌 0

Works!

02.01.2026 01:01 👍 1 🔁 0 💬 0 📌 0

I managed it: marketplace.visualstudio.com/items?itemNa...

02.01.2026 00:34 👍 4 🔁 3 💬 0 📌 0

Sure, makes sense. You can't just leave the APIs in this scenario though, because Crystal Palace throws the error "Function xxx is not in MODULE$Function format". Maybe we need a new command to skip relocating specified functions? Or maybe some other way to deal with it that fits with your plans.

02.01.2026 00:10 👍 1 🔁 0 💬 1 📌 0

The idea was to merge hooks into a BOF, 'make coff', then run via beacon_inline_execute. I don't think we want to attach the Beacon BOF APIs to funcs within the merged COFF though. What would you attach them to? Can't we just leave/ignore them so Beacon can link them to the proper internal funcs?

01.01.2026 23:35 👍 2 🔁 0 💬 1 📌 0

I've written a VSCode extension that provides syntax highlighting for Crystal Palace spec files. I'll throw it up on the marketplace if I can figure out how 😅

01.01.2026 20:50 👍 5 🔁 0 💬 0 📌 1

How are we handling BeaconOutput, BeaconPrintf, etc with a COFF object?

01.01.2026 14:52 👍 1 🔁 0 💬 1 📌 0
GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace. - pard0p/Remote-BOF-Runner

To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace.

github.com/pard0p/Remot...

31.12.2025 11:20 👍 4 🔁 2 💬 0 📌 1