I did some garden tending:
Updated the TCG community pavilion. Added some projects and posts. Re-organized the projects section.
I also added a note about ground truth curation vs. provenance for red team use. Something I wrestled with/put some thought into.
tradecraftgarden.org/references.h...
Great blog post by @rastamouse.me on how to use Crystal Palace with Cobalt Strike's BeaconGate.
The post compares+contrasts this approach with Crystal Kit lessons learned applying 'no knowledge' evasion via a DLL loader.
The Islands of Invariance
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
Playing in the (Tradecraft) Garden of Beacon and finding Eden. In our latest blog, learn how to utilize Crystal Palace, an open source project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft.
https://ow.ly/zxMP50Y1NQ5
Discovering Tradecraft Garden by x.com/jjavierolmedo
hackpuntes.com/posts/explor...
A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.
Posting this because I’m not sure Steve is on this platform. He’s made a CLion template for Crystal Palace.
github.com/0xTriboulet/...
Tradecraft Orchestration in the Garden
aff-wg.org/2025/12/01/t...
An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.
Crystal agent 👀. CRTO II ?
Tradecraft Engineering with Aspect-Oriented Programming
@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.
Yes, attach can incept its PIC.
aff-wg.org/2025/11/10/t...
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage and modular C2 implant made of PICOs.
github.com/pard0p/PICO-...
"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this."
"Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. "
Ground truth security research.
LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication.
github.com/pard0p/LibWi...
Tradecraft Garden’s PIC Parterre
Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping.
aff-wg.org/2025/10/27/t...
And it's released! 🎉
github.com/ofasgard/exe...
I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
Its growing
Weeding the Tradecraft Garden
aff-wg.org/2025/10/13/w...
Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC
Analysis of a Ransomware Breach
aff-wg.org/2025/09/26/a...
Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
""I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more progammatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output).""
Quick post on how to use the new make coff and merge commands in @raphaelmudge.bsky.social's Crystal Palace.
rastamouse.me/modular-pic-...
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.
www.eventbrite.co.uk/e/beacon-25-...
beac0n.org
From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Position Independent Code (PIC) Development Crash Course.
My July 2025 overview of PIC writing fundamentals.
Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.
#GoodLuckAndHappyHacking
vimeo.com/1100089433/d...
ي
Potato exploits have been a cornerstone of local priv esc on Windows for years, but how & why do the inner starchy workings of the potatoes function?
Join @atomicchonk.bsky.social next week to understand Windows access tokens & their use in the Windows environment. ghst.ly/june-web-bsky
This is getting some attention today. Cool shellcode trick from:
My First and Last Shellcode Loader by @dobinrutis.bsky.social at HITB 2024.
H/T x.com/Jean_Maes_19...
Yo this is supercool
When James Forshaw post, you read 🫡
