I did some garden tending:
Updated the TCG community pavilion. Added some projects and posts. Re-organized the projects section.
I also added a note about ground truth curation vs. provenance for red team use. Something I wrestled with/put some thought into.
tradecraftgarden.org/references.h...
Posts by Calzone
Every shell and terminal emulator ever with 100% confidence that they're doing the right thing for the user: ^[[A^[[A^[[A^[[A^[[A^[[A^[[A
have you seen the new supply chain vuln? don't update tubu. it's literally on heebee. they got poodee's deps. they infiltrated dippy. roll back weeno. disable scripts in ~/.gumpyrc. it's in poob. do not install poob. do not update poob. uninstall poob right now. poob has it in for you.
If you're a C2 engineer, I encourage you to watch @rastamouse.me 's expanding Crystal C2 docs. It's a World-of-tomorrow exhibit for what C2 architecture could be.
Use-time capability composition, radical instrumentation opportunity, & reducing agent's burden
rasta-mouse.gitbook.io/crystalc2/do...
Seconding this! Would help with dockerfiles for Mythic agents :)
Relevant source code is the resolve_loaded_pico() function here:
github.com/ofasgard/cel...
I'm open to suggestions though, this is my first C2 agent!
I wanted to keep all the PICOs in one blob of contiguous memory to make memory masking easier, so I keep the unmapped PICOs in that memory blob. Then I dynamically allocate some memory and call PicoLoad() and PicoEntrypoint() when it's time to invoke them, if that makes sense
Bypassing EDR in a Crystal Clear Way
by x.com/LorenzoMeacci
Blog: lorenzomeacci.com/bypassing-ed...
Project: github.com/kapla0011/Ka...
TrustedSec's whoami BOF from the CS-Situational-Awareness-BOF repository, ported into PICO format and running with celebi.
You can just turn a BOF into a PICO. No one can stop you
First screenshot, displaying the Mythic UI. The register and execute_pico command have been used to upload a PICO, then execute it.
Second screenshot, showing the debug console on the target machine. It displays logs of a successful file upload and PICO execution.
Third screenshot, displaying the PICO actually executing. A messagebox has popped up onscreen.
Got dynamic PICO upload and execution working on Celebi :) both the agent and the uploaded capability are written in pure Crystal Palace C, which means this is now starting to vaguely resemble a usable (though opsec-unsafe) implant!
Hello prospective employer, I have various useful skills such as:
- write malware
- eat hot chip
- lie
Wait, where are you going?
Are one-way trusts really one way? @lowercasedrm.bsky.social sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.
offsec.almond.consulting/trust-no-one...
At the moment, I'm working on having a command to upload & map a file into memory (+corresponding cmd to free it)... then separate commands to treat it as either a PICO or BOF and invoke it. Feels like it gives the most control over what the agent is doing, but it might be a bit clunky in practice
My overall goal is for it to be as modular as possible, everything from the tradecraft to the commands represented as a series of PICOs that can be swapped out either at *build time* or at *run time*.
Still a long way to go from this PoC before I get there, though!
Still very much an early WIP, but the Crystal Palace-based Mythic agent I'm working on can be found here:
github.com/ofasgard/cel...
Hiya! Anyone in the SF Bay Area/Remote need a cool programmer for your team? I've been messing with computers for over 30 years now, I can program anything with bits, and I've got a lot of experience with all sorts of different systems, environments, and languages.
wiki.averlong.com/My_Resume
This would be much less doable without some of Crystal Palace's newer features! For example, I'm dynamically generating a linker spec with C2 parameters from Mythic (i.e. payload UUID and callback host). Then I can just... pack them into a byte array and patch them straight into my PIC. It's neat!
Screenshot demonstrating agents checking into Mythic C2
Got a basic checkin working from CPL shellcode with minimal hassle, thanks to @pard0p.bsky.social's useful LibWinHttp library :)
Screenshot demonstrating some Crystal Palace shellcode generated by Mythic, running on a Windows machine and popping a message box.
Screenshot demonstrating the payload UUID from a Mythic payload, patched into a Crystal Palace linker variable.
Started working on a Mythic agent that uses Crystal Palace to generate its shellcode. So far I've just got it to emit some generic shellcode - it doesn't talk to Mythic yet.
I'm hoping to make a fully modular agent that you can patch your tradecraft into when you generate a payload :)
There are variants, I believe.
Two virtual machines in a testing lab, with wallpapers and names based on characters from Over the Garden Wall
If your lab environment doesn't have a dumb theme, what's even the point?
If Minnesota soccer moms in signal chats can figure out compartmentalization and redundancy so can fucking IoT vendors
The Islands of Invariance
More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.
aff-wg.org/2026/02/02/t...
This pretty much nails what underlies all the hype about sentient AIs.
Cobalt Strike blog post by x.com/joehowwolf on using Crystal Palace to mash up Page Streaming and Draugr Call Stack Spoofing into a Cobalt Strike UDRL.
(Again, I really love the comics. They are perfect).
-hacks4pancakes- • 1d The reason the good faith seniors on here are posting that the junior / mid level market is bad (it is) is because we have watched it crash in real time and a lot of us are dealing with serious fallout as both hiring managers or mentors. It's genuinely a good faith warning. It's not like, "don't get into the field we love". It's just that for a really long time you could get into cybersecurity with no degree and no IT experience because the demand was so high. And schools, influencers, and parents still play it off that it's like that. That people can work full time remote and make 80k entry salary. It's not. It hasn't been for a couple years. We've been hit by "professionalizing" and oversaturation of graduates. Can you still get in with a sec+, a kali box and a dream? Maybe, if you really meet the right people and get lucky. Pragmatically though, that won't be the case for 99.9% of young people now, and if we care at all we need to counter the "everything is rosy" message people are using to sell boot camps. We are getting hundreds of cybersecurity grads and laid off professionals with work rights applying for positions. How can organizations even take the time to look beyond that at hundreds more juniors with no degree, criminal convictions, a GED, needing a visa sponsor, etc?
You really need to take it seriously and make yourself a top candidate. And these days to be competitive you typically need a bachelor's, certs, and some hands-on IT work experience. You need a very good professional network. That's not true of every case. People will get lucky. Or they'll have a security clearance or live in the right remote place for an in person only job. It happens. Not often. The best thing we can do is try to enforce that they need to work seriously hard and have solid professional credentials. TLDR we aren't all assholes; some of us are trying to save 20yos from falling for Uncle Bob putting them in a bootcamp to make an easy six figures.
low erth orbit perfec t size for put datacenter in to n\ap! outside very Soft and Comfort datacenter hum soundly in Low Earth Orbit. Put Datacenter in Low Earth Orbit. no problems ever in low earth orbbt because good Temperature and Sun exposure for datacenter hot of radiation.
Absolutely! I'm excited by how much more configurable my projects can be with the new features. I couldn't figure out a user-friendly way to pass in string args at link-time before, so it's awesome that we can now!
Yeah, I realised shortly after posting it that, while neat, patching in each arg separately is fiddly and doesn't really make sense with a variable number of args.
One big string is probably the way to go!
It's a screenshot of a linker spec for Crystal Palace. The screenshot depicts the argument-passing setup described in the post. The screenshot menaces with bands of tourmaline.
Is it cursed to pass arguments to the assembly in execute-assembly-pico using the linker variables introduced in the new Crystal Palace?