Community Pavilion
This page is a collection of community blog posts and projects related to the Tradecraft Garden.
For the latest, follow Friends of the Tradecraft Garden on BlueSky.
Projects
- Crystal Kit by Rasta Mouse: experiment to replace Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with Crystal Palace PIC(O)s (MIT)
- Crystal-Loaders by Rasta Mouse: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike (MIT)
- execute-assembly PICO by Callum Murphy-Hale: implements CLR hosting to execute a .NET assembly in memory. (GPL)
- Hardware Breakpoint PICO by Callum Murphy-Hale: Demonstrates how to hook a function with a HWBP (GPL)
- PICO-Implant by pard0p: Proof-of-concept C2 implant built using PICOs for modular functionality. (MIT)
- Self-cleaning in-memory PICO loader by pard0p: Automatically erases traces and operates entirely in memory for stealthy payload execution. (MIT)
Shared Libraries
- LibCPLest by Callum Murphy-Hale: A shared library for Crystal Palace that allows you to unit test your PICOs. (GPL)
- LibGate by Rasta Mouse: resolving and performing direct and/or indirect syscalls (basically a port of RecycledGate) (MIT)
- LibIPC by pard0p: shared library for inter-process communication, based on Named Pipes. (MIT)
- LibTP by Rasta Mouse: Crystal Palace library for proxying Nt API calls via the Threadpool (MIT)
- LibTPLoadLib by SAERXCIT @ AlmondOffSec: Using call gadgets to break the call stack signature used by Elastic on proxying a module load. (BSD)
- LibWinHttp by pard0p: simplified WinHTTP wrapper (MIT)
Blog Posts
- Harvesting the Tradecraft Garden - Part 1 by Rasta Mouse
- Harvesting the Tradecraft Garden - Part 2 by Rasta Mouse
- Modular PIC C2 Agents by Rasta Mouse
- Debugging the Tradecraft Garden by Rasta Mouse
- Modular PIC C2 Agents (reprise) by Rasta Mouse
- Crystal Palace API by Rasta Mouse
- Crystal Kit by Rasta Mouse
- Arranging the PIC Parterre by Rasta Mouse
- Evading Elastic EDR's call stack signatures with call gadgets by SAERXCIT @ AlmondOffSec
Other Related Works
- WMD 4 - PIC or it didn't happen by Dahvid Schloss (Just Hacking Training)
Which license should I use?
While this project started out encouraging the GPL, it switched to the permissive BSD license in October 2025. A permissive license such as BSD, MIT, or Apache 2.0 is recommended for the most interoperability with other parts of the ecosystem.
Our efforts to frame tradecraft as security ground truth and encourage a healthy public commons are best pursued through a highly synergistic and interoperable ecosystem, not the license itself.
Ultimately, you should choose the license that best reflects your goals and wishes for your work. Security conversation-aligned commercial efforts that co-create value with this commons are welcome too.