Community Pavilion
This page is a collection of community blog posts and projects related to the Tradecraft Garden.
For the latest, follow Friends of the Tradecraft Garden on BlueSky.
Projects
Capability (Agents and C2s)
- Celebi by Callum Murphy-Hale: A WIP Mythic agent that uses Crystal Palace to build its payloads. (GPL)
- Crystal C2 by Rasta Mouse: C2 using Crystal Palace to build agents. (MIT)
- PICO-Implant by pard0p: Proof-of-concept C2 implant built using PICOs for modular functionality. (MIT)
- TinyC2 by 0xPrimo: A TinyC2 framework with Havoc Pro Runtime Channel Switching and Cobalt Strike UDC2 inspired features. (MIT)
- Xenon by c0rnbread: Mythic agent that uses Crystal Palace for its UDRLs. (BSD)
Loaders
- Astral Projection by KuwaitiSt: Cobalt Strike UDRL that performs advanced module stomping. (MIT)
- Crystal Kit by Rasta Mouse: Experiment to replace Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with Crystal Palace PIC(O)s. (MIT)
- Crystal Kit - Mythic Xenon by c0rnbread: A small tweak fork of Crystal Kit to work with the Xenon Mythic agent. (MIT)
- Crystal-Loaders by Rasta Mouse: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike. (MIT)
- Eden by Will Burgess: Cobalt Strike UDRL that combines page streaming with a modular call gate (Draugr). (Apache 2.0)
- KaplaStrike by Lorenzo Meacci: Cobalt Strike UDRL with module overloading, NtContinue entry transfer, stack spoofing, and sleep masking. (BSD)
- Reflectra by k1ng0fn0th1ng: Modular User-Defined Reflective Loader (UDRL) for controlled DLL execution and evasion research. (MIT)
- Self-cleaning in-memory PICO loader by pard0p: Automatically erases traces and operates entirely in memory for stealthy payload execution. (MIT)
Re-usable PICOs
- execute-assembly PICO by Callum Murphy-Hale: Implements CLR hosting to execute a .NET assembly in memory. (GPL)
- Hardware Breakpoint PICO by Callum Murphy-Hale: Demonstrates how to hook a function with a HWBP. (GPL)
- Remote-BOF-Runner by pard0p: Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader. (MIT)
Shared Libraries
- LibCPLest by Callum Murphy-Hale: A shared library for Crystal Palace that allows you to unit test your PICOs. (GPL)
- LibGate by Rasta Mouse: Resolving and performing direct and/or indirect syscalls (basically a port of RecycledGate). (MIT)
- LibIPC by pard0p: Shared library for inter-process communication, based on Named Pipes. (MIT)
- LibPicoManager by pard0p: PICO module manager that enables dynamic code loading, module substitution, and sleep masking tradecraft. (MIT)
- LibTP by Rasta Mouse: Crystal Palace library for proxying Nt API calls via the Threadpool. (MIT)
- LibTPGadget by SAERXCIT @ AlmondOffSec: LibTP-compatible API updated to use call gadgets. (MIT)
- LibTPLoadLib by SAERXCIT @ AlmondOffSec: Using call gadgets to break the call stack signature used by Elastic on proxying a module load. (BSD)
- LibWinHttp by pard0p: Simplified WinHTTP wrapper. (MIT)
Technical Demonstrations
- Atomic BOFs by Daniel Duggan: Atomic test units for BOF execution. (MIT)
- Tradecraft Garden but in rust by laachy: A port of Tradecraft Garden's examples to Rust, collecting lessons learned along the way. Requires a patch to Crystal Palace and deviates from the project's target MinGW C. (MIT)
Utilities
- cp-dfr-defs by Henri Nurmi: Dynamic Function Resolution (DFR) definitions for Crystal Palace. (MIT)
- crystal-palace-vsc by Rasta Mouse: Visual Studio Code (VSC) extension (GitHub) that provides syntax highlighting for Crystal Palace commands. (MIT)
- emerald-template by 0xTriboulet: A cmake template for developing and debugging DLL loaders linked with Crystal Palace. (Apache 2.0, MIT)
Blog Posts
2025
- Harvesting the Tradecraft Garden - Part 1 by Rasta Mouse
- Harvesting the Tradecraft Garden - Part 2 by Rasta Mouse
- Modular PIC C2 Agents by Rasta Mouse
- Debugging the Tradecraft Garden by Rasta Mouse
- Modular PIC C2 Agents (reprise) by Rasta Mouse
- Crystal Palace API by Rasta Mouse
- Crystal Kit by Rasta Mouse
- Arranging the PIC Parterre by Rasta Mouse
- Evading Elastic EDR's call stack signatures with call gadgets by SAERXCIT @ AlmondOffSec
- PICing AOP by Rasta Mouse
- Building custom C2 channels by hooking wininet by CodeX
- Cracking the Crystal Palace by Rasta Mouse
- PIC Symphony by Rasta Mouse
- Discovering Tradecraft Garden by Javier Olmedo
2026
- BOF Cocktails by Rasta Mouse
- Patching Crystal Palace: bypassing detection by KuwaitiSt
- Playing in the (Tradecraft) Garden of Beacon: Finding Eden by Will Burgess
- Islands of Invariance by Rasta Mouse
- Bypassing EDR in a Crystal Clear Way by Lorenzo Meacci
- Sleeping Beauty: Putting Adaptix to Bed with Crystal Palace by Maor Sabag
- Crystal Mask by Rasta Mouse
- Astral Projection: Advanced Module Stomping by KuwaitiSt
- Atomic BOFs by Daniel Duggan
Talks
- Linkers and Loaders: Experiments with Crystal Palace by Will Burgess (beac0n 2025)
Training
- Red Team Ops II by Daniel Duggan (Zero Point Security): This course provides knowledge and skills to operate against modern defenses. Its load-time, runtime, and post-exploitation evasion modules build on Crystal Kit to add tradecraft to Cobalt Strike.
Which license should I use?
While this project started out encouraging the GPL, it switched to the permissive BSD license in October 2025. A permissive license such as BSD, MIT, or Apache 2.0 is recommended for the most interoperability with other parts of the ecosystem.
Our efforts to frame tradecraft as security ground truth and encourage a healthy public commons are best pursued through a highly synergistic and interoperable ecosystem, not the license itself.
Ultimately, you should choose the license that best reflects your goals and wishes for your work. Commercial efforts aligned with the security conversation that co-create value with this commons are welcome too.
Important: Diligence, Security Science Discourse, and Red Teaming
TL;DR - Researchers: Thank you! Red Teamers: check the source code AND the code's source.
This page links some works by, or built on platforms by, anonymous and pseudonymous authors. For Tradecraft Garden's ground truth purpose and blue applications, this isn't an issue, and these works demonstrate system truths. To those authors, I thank you for your work and contribution to the public security conversation.
For red teaming, provenance matters, and professionals must make thoughtful decisions about which software they run on client networks. This includes both technical and provenance diligence. Managing provenance risk means knowing who wrote your tools, evaluating their standing as a security professional, and evaluating any applicable local laws around use of software from that origin.
For researchers, it's professionally responsible to apply this same exercise (for your context) if you decide to build on a specific platform.
My listing a project or blog post here is not an endorsement of the author, project, or underlying platform's provenance for your business or geo-political context.