If anyone wanted to play with (or look at) the source to the latest Crystal Palace, the cpsrc20260303.tgz archive I shipped had contents from an out of date branch. Oops :) Source for the 20260303 release is on TCG now. Validated it builds what shipped. Thanks @shogunlab.bsky.social for heads up

Bypassing EDR in a Crystal Clear Way by x.com/LorenzoMeacci Blog: lorenzomeacci.com/bypassing-ed... Project: github.com/kapla0011/Ka...

Still very much an early WIP, but the Crystal Palace-based Mythic agent I'm working on can be found here: github.com/ofasgard/cel...

I've added some YARA rules to the Crystal-Kit repo, covering both the loader and the tradecraft PICO. I was pleasantly surprised to see the generator target aspects like heap obfuscation, call stack spoofing, CFG bypass, and memory cleanup. github.com/rasta-mouse/...

So, when I was writing my latest blog post, a few typos got in there. It's how you know I wrote it. :) I really wanted to ship that day. The engineering was solid though. I put serious tortured (over-)thinking into the design & impl. decisions. I'm thrilled with the result. vimeo.com/1170068618

[BLOG] Islands of Invariance rastamouse.me/islands-of-i...

A Scalpel, A Hammer, and a Foot Gun aff-wg.org/2026/03/03/a...

Started working on a Mythic agent that uses Crystal Palace to generate its shellcode. So far I've just got it to emit some generic shellcode - it doesn't talk to Mythic yet. I'm hoping to make a fully modular agent that you can patch your tradecraft into when you generate a payload :)

Punching Sideways aff-wg.org/2026/02/23/p...

This is now committed along with a few other changes like using the newer CPL Java API.

I've been playing with a C2 built around PIC modularity for the last few weeks. C2 comms are merged into the agent at link time and output as shellcode. COFFs are transformed into PICOs for postex. Evasion tradecraft can be woven in via spec files. Very scriptable using Sleep.

The Islands of Invariance More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too. aff-wg.org/2026/02/02/t...

Cobalt Strike blog ppost by x.com/joehowwolf on using Crystal Palace to mash-up Page Streaming and Draugr Call Stack Spoofing into a Cobalt Strike UDRL. (Again, I really love the comics. They are perfect).

Georgia Weidman has posted some December 2010 NovaHackers talks, including my first talk on Armitage. x.com/georgiaweidm... Video link: www.youtube.com/watch?v=ZtnK...

A nice workaround against my YARA rule. kuwaitist.github.io/posts/Patchi...

"By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1."

I pushed a 1-change update to Crystal Palace. linkfunc now works with make coff. link (in a make coff context) merges the linked data into the .rdata section. Both are to support the BOF cocktails idea. rastamouse.me/bof-cocktails/

Keeping bin2bin out of the bin aff-wg.org/2026/01/13/k... Another TCG update. +shatter, +regdance, and -O1 MinGW support. Bigger emphasis in this cycle was hardening the binary transformation foundation--which led to some adventures (details in the post)

TCG's vision is to separate tradecraft from capability and encourage an ecosystem of ground truth research. I started w/ UDRLs because the need & interfaces are there. This post applies the same ideas to BOFs. Each working tradecraft/capability pairing is a win. Some caveats (see post), exciting.

I managed it: marketplace.visualstudio.com/items?itemNa...

This is fork&run to execute BOFs in a remote process, same API, and get output back over a pipe--demonstrated with Havoc. Same arch could support explicit injection. Add-in an injector artifact + psexec, could remotely run a BOF without an agent and get output back too. bofexec? :)

To wrap up the year, I've published this Havoc extension that enables remote execution of Beacon Object Files (BOFs) using a PIC loader built with Crystal Palace. github.com/pard0p/Remot...

WinAPI DFR remaps for Crystal Palace to automatically convert Func() to Module$Func(). Goodbye preprocessor macros 👋. github.com/Henkru/cp-df...

My open source projects server is down. I got a ticket in with the provider as I believe it's something on their end. Hopefully a short outage. I'm engaged with it and will post a reply here when it's back up or if there's a pressing and exciting update.

Discovering Tradecraft Garden by x.com/jjavierolmedo hackpuntes.com/posts/explor... A gentle introduction to the project and specifically using the ./link command & running examples. I'm glad the guardrails example (now follow-on loader agnostic) was called out. It's a waiting gem in the corpus.

"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker." "This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems" github.com/0xTriboulet/...

Interesting project. Reimplements TCG example loaders in Rust and demonstrates Rust patterns for TCG and Crystal Palace. One note: my scope, dev, tests, and unit tests are limited to MinGW. Binary transforms act on patterns gcc generates and moving away from that, you're gonna hit gaps faster.

My PICOs and unit testing library have been updated for the newest version of Crystal Palace and LibTCG :)

Pushed a big update to Crystal Kit. github.com/rasta-mouse/...

Re: the new TCG release. I updated the Simple Hooking example into an empty base architecture and made XOR hooks and Stack Cutting into .spec modules for it: tradecraftgarden.org/simplehook.h... Thanks to redirect and foreach, I was able to layer these modules together to compose a tradecraft too.

LibPicoManager is a unified PICO management framework that provides centralized control over PICOs in memory, enabling dynamic code loading, runtime PICO substitution, and advanced evasion techniques like sleep masking through a single RWX code block. github.com/pard0p/LibPi...

[BLOG] This update solved a big issue I had with merging raw assembly into PIC. I cover the new linkfunc command and the updated addhook command. rastamouse.me/pic-symphony/

Tradecraft Orchestration in the Garden aff-wg.org/2025/12/01/t... An exercise in building base architectures with Crystal Palace .spec files and configuring/layering specific tradecraft modules over them at link time.

[BLOG] Cracking the Crystal Palace - detecting in-memory PIC using Crystal Palace's __resolve_hook() intrinsic. rastamouse.me/cracking-the...

The new version of RTO II is finally available to purchase. www.zeropointsecurity.co.uk/course/red-t...

This iteration leverages the power of @raphaelmudge.bsky.social's Crystal Palace ecosystem to build custom evasion tradecraft, and apply it to Beacon, BOFs and post-ex DLLs.

Cobalt Strike thrives and innovates thanks to community + multi-talented dev/R&D/QA team mixing professional engineers & former users/contributors who know and continue the vision. (Or, just had a big wishlist they wanted to see acted on) <3 the comics. Fantastic work. Thanks for AFF-WG shout out

The work under way: PIC programs (loader, capability) become a reusable & empty base. PIC service modules control bootstrapping. merge and: attach (incept Win32 API calls), redirect (N:1 layering), C modular programming (1:1 interface+implementation) populates that base with tradecraft specifics

[BLOG] PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming. rastamouse.me/picing-aop/

Tradecraft Engineering with Aspect-Oriented Programming @rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports. Yes, attach can incept its PIC. aff-wg.org/2025/11/10/t...

I've updated github.com/pard0p/PICO-... to execute indirect syscalls via LibTP + an enhanced version of LibGate. I hope this helps to demonstrate the utility of shared libraries in Crystal Palace projects 😁

PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage and modular C2 implant made of PICOs. github.com/pard0p/PICO-...

"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this." "Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. " Ground truth security research.

4 of the ~37 links in @badsectorlabs.com Last Week in Security are Tradecraft Garden related. LibIPC, LibGate, Arranging the PIC Parterre, & TCG's Community Pavilion. @pard0p.bsky.social dropped a WinHTTP shared library today. blog.badsectorlabs.com/last-week-in... Thank you for building with me.

LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication. github.com/pard0p/LibWi...

LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes. github.com/pard0p/LibIPC

As new projects, blog posts, and other efforts around TCG show up, I'm listing them here: tradecraftgarden.org/references.h... I've put together a Friends of the Tradecraft Garden list on BlueSky too: bsky.app/profile/did:... Thank you for building, exploring, & teaching w/ this young project 🪴

I've also updated Crystal Loaders to benefit from some of the new CP features github.com/rasta-mouse/...

LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...

Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future. rastamouse.me/arranging-th...