Community Pavilion
This page is a collection of community blog posts and projects related to the Tradecraft Garden.
For the latest, follow Friends of the Tradecraft Garden on BlueSky.
Projects
- Crystal Kit by Rasta Mouse experiment to replace Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with Crystal Palace PIC(O)s (MIT)
- Crystal-Loaders by Rasta Mouse A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike (MIT)
- emerald-template by 0xTriboulet A cmake template for developing and debugging DLL Loaders linked with Crystal Palace (Apache 2.0, MIT)
- execute-assembly PICO by Callum Murphy-Hale implements CLR hosting to execute a .NET assembly in memory. (GPL)
- Hardware Breakpoint PICO by Callum Murphy-Hale Demonstrates how to hook a function with a HWBP (GPL)
- PICO-Implant by pard0p Proof-of-concept C2 implant built using PICOs for modular functionality. (MIT)
- Self-cleaning in-memory PICO loader by pard0p Automatically erases traces and operates entirely in memory for stealthy payload execution. (MIT)
- Tradecraft Garden but in rust by laachy A port of Tradecraft Garden's examples to Rust that collects lessons learned from the same. Requires a patch to Crystal Palace and deviates from the project's target MinGW C. (MIT)
Shared Libraries
- LibCPLest by Callum Murphy-Hale A shared library for Crystal Palace that allows you to unit test your PICOs. (GPL)
- LibGate by Rasta Mouse resolving and performing direct and/or indirect syscalls (basically a port of RecycledGate) (MIT)
- LibIPC by pard0p shared library for inter-process communication, based on Named Pipes. (MIT)
- LibPicoManager by pard0p PICO module manager that enables dynamic code loading, module substitution, and sleep masking tradecraft (MIT)
- LibTP by Rasta Mouse Crystal Palace library for proxying Nt API calls via the Threadpool (MIT)
- LibTPGadget by SAERXCIT @ AlmondOffSec LibTP-compatible API updated to use call gadgets (MIT)
- LibTPLoadLib by SAERXCIT @ AlmondOffSec Using call gadgets to break the call stack signature used by Elastic on proxying a module load. (BSD)
- LibWinHttp by pard0p simplified WinHTTP wrapper (MIT)
Blog Posts
- Harvesting the Tradecraft Garden - Part 1 by Rasta Mouse
- Harvesting the Tradecraft Garden - Part 2 by Rasta Mouse
- Modular PIC C2 Agents by Rasta Mouse
- Debugging the Tradecraft Garden by Rasta Mouse
- Modular PIC C2 Agents (reprise) by Rasta Mouse
- Crystal Palace API by Rasta Mouse
- Crystal Kit by Rasta Mouse
- Arranging the PIC Parterre by Rasta Mouse
- Evading Elastic EDR's call stack signatures with call gadgets by SAERXCIT @ AlmondOffSec
- PICing AOP by Rasta Mouse
- Building custom C2 channels by hooking wininet by CodeX
- Cracking the Crystal Palace by Rasta Mouse
- PIC Symphony by Rasta Mouse
- Exploring Tradecraft Garden by Javier Olmedo
Training
- Red Team Ops II by Daniel Duggan (Zero Point Security) This course provides knowledge and skills to operate against modern defenses. Its load-time, runtime, and post-exploitation evasion modules build on Crystal Kit to add tradecraft to Cobalt Strike.
Which license should I use?
While this project started out encouraging the GPL, it switched to the permissive BSD license in October 2025. A permissive license such as BSD, MIT, or Apache 2.0 is recommended for the most interoperability with other parts of the ecosystem.
Our efforts to frame tradecraft as security ground truth and encourage a healthy public commons are best pursued through a highly synergistic and interoperable ecosystem, not the license itself.
Ultimately, you should choose the license that best reflects your goals and wishes for your work. Security conversation-aligned commercial efforts that co-create value with this commons are welcome too.