The work under way: PIC programs (loader, capability) become a reusable & empty base. PIC service modules control bootstrapping. merge and: attach (incept Win32 API calls), redirect (N:1 layering), C modular programming (1:1 interface+implementation) populates that base with tradecraft specifics

[BLOG] PICing AOP - a summary of the latest Crystal Palace commands for Aspect-Oriented Programming. rastamouse.me/picing-aop/

Tradecraft Engineering with Aspect-Oriented Programming @rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports. Yes, attach can incept its PIC. aff-wg.org/2025/11/10/t...

I've updated github.com/pard0p/PICO-... to execute indirect syscalls via LibTP + an enhanced version of LibGate. I hope this helps to demonstrate the utility of shared libraries in Crystal Palace projects 😁

PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that It's possible to build a multi-stage and modular C2 implant made of PICOs. github.com/pard0p/PICO-...

"I did give a heads up to Elastic before publishing this post. They have taken this technique into account and are working on updates to the detection rules to catch this." "Provided as a Crystal Palace shared library. Format inspired by @rastamouse.me 's LibTP. " Ground truth security research.

4 of the ~37 links in @badsectorlabs.com Last Week in Security are Tradecraft Garden related. LibIPC, LibGate, Arranging the PIC Parterre, & TCG's Community Pavilion. @pard0p.bsky.social dropped a WinHTTP shared library today. blog.badsectorlabs.com/last-week-in... Thank you for building with me.

LibWinHttp is a simplified WinHTTP wrapper designed as a Crystal Palace shared library for implant development. Its primary purpose is to facilitate the development of PICO modules that require HTTP/HTTPS transport layer communication. github.com/pard0p/LibWi...

LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes. github.com/pard0p/LibIPC

As new projects, blog posts, and other efforts around TCG show up, I'm listing them here: tradecraftgarden.org/references.h... I've put together a Friends of the Tradecraft Garden list on BlueSky too: bsky.app/profile/did:... Thank you for building, exploring, & teaching w/ this young project 🪴

I've also updated Crystal Loaders to benefit from some of the new CP features github.com/rasta-mouse/...

LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...

Quick blog post that explores some of the problems (that I had) that this update has helped solve, and where I see it potentially going in the future. rastamouse.me/arranging-th...

@raphaelmudge.bsky.social , thanks to Crystal Palace I just published a proof-of-concept of a self-cleaning, in-memory PICO loader. github.com/pard0p/Self-...

Tradecraft Garden’s PIC Parterre Dynamic Function Resolution pt. 2, Say yes to the .bss, and symbol remapping. aff-wg.org/2025/10/27/t...

"Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous." therecord.media/evilginx-kub...

LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities. github.com/ofasgard/Lib...

I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.

Penalty Notice Capita Plc by UK ICO Detailed breach analysis after 2023 ransomware attack. £14M fine. Which standards of care weren't met? * Understaffed SOC (1 analyst/shift) * 58hr SOC response vs. 4.5hr AD takeover * Failure to implement Active Directory tiering. ico.org.uk/media2/pv5nh...

Why plant a Tradecraft Garden? April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00 vimeo.com/1074106659#t...

The new Crystal Palace version is very cool. Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.

My first Crystal Palace shared library! github.com/rasta-mouse/...

I'm legit blown away. We can use DFR with Nt* APIs now!

Weeding the Tradecraft Garden aff-wg.org/2025/10/13/w... Dynamic Function Resolution for PIC(?!?), rewriting x86 PIC to fix pointers, and a shared library concept for PICOs/PIC

[Crystal Kit] Evasion kit for Cobalt Strike. github.com/rasta-mouse/...

I've been obsessed with @raphaelmudge.bsky.social 's Crystal Palace since I learned about it at Beacon earlier this month, so... here's a WIP PICO I wrote to hook functions with hardware breakpoints 👀 github.com/ofasgard/har...

I'll unpack a few thoughts on this...

Analysis of a Ransomware Breach aff-wg.org/2025/09/26/a... Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?

Our CEO @timmedin.bsky.social offers his thoughts on what exactly led to the Ascension breach in this follow-up article from Ars Technica: arstechnica.com/security/202... #hacking #infosec #cybersecurity

[BLOG] I wrote a short post on using the Crystal Palace API from an external Java program. rastamouse.me/crystal-pala...

""I'm also interested in looking at the Java API a bit more to see how one might build a merged capability in a more progammatic fashion (imagine a GUI where you configure & build a capability by checking/unchecking "features" to include in the final output).""

In response to Senator Ron Wyden's letter to the FTC, I have put together my comments on Kerberoasting and RC4. redsiege.com/blog/2025/09...

COFFing out the Night Soil aff-wg.org/2025/09/10/c... A COFF-focused Crystal Palace update: * internal COFF normalization & section group merging * Crystal Palace can now export COFF * I added COFF merging to the spec language too Linker stuff.

The issue isn't as much RC4 as it is bad passwords. While RC4 isn't good, other encryption does *not* prevent Kerberoasting. AES128 and AES256 just slow down the attack by ~100-170x. If the password is really bad, 170x is meaningless. @matthewdgreen.bsky.social arstechnica.com/security/202...

If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday. www.eventbrite.co.uk/e/beacon-25-... beac0n.org From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"

@hdm.io A Pirate's Guide to Snake Oil & Security (May 2025) www.runzero.com/resources/pi... ""So I spent most of my life doing vulnerability research in some form... this is an area I've spent a whole too much of my life caring about and I feel like it's not in a great state today""

Server Outage: My OSS project websites (e.g., Tradecraft Garden, Sleep, etc.) are down due to a maintenance window at my VPS host. They're working it.

Jen Easterly writes a post on LinkedIn addressing her position at West Point being rescinded: "A casualty of casually manufactured outrage that drowned out the quiet labor of truth and the steady pulse of integrity." www.linkedin.com/pulse/harder...

I just updated my 25+ year old IRC client, jIRCii. Curious about Aggressor Script's ancestor? It's here. Update improves IRC over SSL/TLS UX, fixes some bugs, tightens some screws, and fixes build to compile on OpenJDK 10+. jircii.dashnine.org/download/ CC @hagiagraphe.bsky.social

Published a small collection of PIC loaders for Cobalt Strike, based on my experiments with Crystal Palace. github.com/rasta-mouse/...

[BLOG] Here's the post - I demonstrate my QoL improvements for working with the TCG codebase. This includes vscode with intellisense support, and producing debug builds for use in WinDbg. rastamouse.me/debugging-th...

@rastamouse.me digging more into Crystal Palace and demonstrates some of the cross-linking possibilities. I'll admit, I got a little nerd-sniped here, because I'm *not* thinking greatly about "the" way to decompose a complex/modular capability (e.g., a C2 agent). Thread below has my thoughts...

I loved this keynote. But, also felt sadness. Where there is tribe and purpose in our uniqueness in the "hacker community"--there's also a capacity & indifference for cruelty to each other too. I liken it to a smiling group with cannibals present. Room goes dark. Someone disappears. No one cares why

I fixed the login required on my PIC fundamentals Vimeo video. In this go around, I'm experimenting with keeping control of my online content (e.g., no GitHub/YouTube, I pay to host it, etc.) Less algorithm spread, but ideally easier to access w/o ads. Back fired this time. I'm learning as I go.

Hooking arbitrary BOFs via @raphaelmudge.bsky.social's Crystal Palace is very cool. I'm going to explore more to see if I can rip out the SleepMask and BeaconGate into their own PICOs, rather than using the official BOF codebases.

Position Independent Code (PIC) Development Crash Course. My July 2025 overview of PIC writing fundamentals. Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video. #GoodLuckAndHappyHacking vimeo.com/1100089433/d...

A debate is when two parties, with different perspectives, are on a shared journey to truth. Bad Faith communication, can look like debate, but is a quest to dominate, silence, win, and shut down examination of uncomfortable truths that benefit one party. consilienceproject.org/the-endgames...

Taking them to the SHITTER: an analysis of vendor abuse of security research in-the-wild aff-wg.org/2025/07/13/t... (There is no benefit modulating my voice for anyone's comfort. This is my fair take, but unapologetic truth. This phenomena has gone unchecked for too long)

Well, latest blog post went live. I tried to schedule for tomorrow, but ended up setting the date to last week. Valid mistake :) So blog subscribers got the content already (although wrong permalink to actual post). So, it's live. I'll come up with something clever to promote it here tomorrow.