Calzone

@calz0n3

sorry, computer https://please.donothack.us/ https://github.com/ofasgard

Joined: 26.09.2025

Latest posts by Calzone @calz0n3

At the moment, I'm working on having a command to upload & map a file into memory (+corresponding cmd to free it)... then separate commands to treat it as either a PICO or BOF and invoke it. Feels like it gives the most control over what the agent is doing, but it might be a bit clunky in practice

10.03.2026 08:45 👍 0 🔁 0 💬 0 📌 0

My overall goal is for it to be as modular as possible, everything from the tradecraft to the commands represented as a series of PICOs that can be swapped out either at *build time* or at *run time*.

Still a long way to go from this PoC before I get there, though!

08.03.2026 21:18 👍 0 🔁 0 💬 0 📌 0
GitHub - ofasgard/celebi: A WIP Mythic agent that uses Crystal Palace to build its payloads.

Still very much an early WIP, but the Crystal Palace-based Mythic agent I'm working on can be found here:

github.com/ofasgard/cel...

08.03.2026 21:17 👍 2 🔁 2 💬 2 📌 0
My Resume - Alice Averlong Wiki

Hiya! Anyone in the SF Bay Area/Remote need a cool programmer for your team? I've been messing with computers for over 30 years now, I can program anything with bits, and I've got a lot of experience with all sorts of different systems, environments, and languages.
wiki.averlong.com/My_Resume

06.03.2026 22:15 👍 306 🔁 160 💬 5 📌 3

This would be much less doable without some of Crystal Palace's newer features! For example, I'm dynamically generating a linker spec with C2 parameters from Mythic (i.e. payload UUID and callback host). Then I can just... pack them into a byte array and patch them straight into my PIC. It's neat!

01.03.2026 13:17 👍 1 🔁 0 💬 0 📌 0
Screenshot demonstrating agents checking into Mythic C2

Got a basic checkin working from CPL shellcode with minimal hassle, thanks to @pard0p.bsky.social's useful LibWinHttp library :)

01.03.2026 00:40 👍 1 🔁 0 💬 1 📌 0
Screenshot demonstrating some Crystal Palace shellcode generated by Mythic, running on a Windows machine and popping a message box.

Screenshot demonstrating the payload UUID from a Mythic payload, patched into a Crystal Palace linker variable.

Started working on a Mythic agent that uses Crystal Palace to generate its shellcode. So far I've just got it to emit some generic shellcode - it doesn't talk to Mythic yet.

I'm hoping to make a fully modular agent that you can patch your tradecraft into when you generate a payload :)

28.02.2026 16:16 👍 2 🔁 2 💬 1 📌 0

There are variants, I believe.

11.02.2026 16:39 👍 0 🔁 0 💬 0 📌 0
Two virtual machines in a testing lab, with wallpapers and names based on characters from Over the Garden Wall

If your lab environment doesn't have a dumb theme, what's even the point?

11.02.2026 16:33 👍 1 🔁 0 💬 0 📌 0

If Minnesota soccer moms in signal chats can figure out compartmentalization and redundancy so can fucking IoT vendors

06.02.2026 09:59 👍 40 🔁 3 💬 1 📌 0
The Islands of Invariance: Crystal Palace now has a Yara rule generator. In this blog post, I’ll walk you through the design and evaluation of this feature. rule PageStream_rDLL_03495de1 { meta: description = “PageStre…

The Islands of Invariance

More than I ever thought I'd write about Yara signatures. Oh also, Crystal Palace has a Yara rule generator too.

aff-wg.org/2026/02/02/t...

02.02.2026 17:03 👍 7 🔁 4 💬 0 📌 0

This pretty much nails what underlies all the hype about sentient AIs.

02.02.2026 08:54 👍 42 🔁 17 💬 1 📌 0

Cobalt Strike blog post by x.com/joehowwolf on using Crystal Palace to mash-up Page Streaming and Draugr Call Stack Spoofing into a Cobalt Strike UDRL.

(Again, I really love the comics. They are perfect).

23.01.2026 21:15 👍 9 🔁 2 💬 1 📌 0
-hacks4pancakes- • 1d
The reason the good faith seniors on here are posting that the junior / mid level market is bad (it is) is because we have watched it crash in real time and a lotta of us are dealing with serious fallout as both hiring managers or mentors.
It's genuinely a good faith warning. It's not like, "don't get into the field we love". It's just that for a really long time you could get into cybersecurity with no degree and no IT experience because the demand was so high. And schools, influencers, and parents still play it off that it's like that. That people can work full time remote and make 80k entry salary.
It's not. It hasn't been for a couple years. We've been hit by "professionalizing" and oversaturation of graduates. Can you still get in with a sec+, a kali box and a dream? Maybe, if you really meet the right people and get lucky.
Pragmatically though, that won't be the case for 99.9% of young people now, and if we care at all we need to counter the "everything is rosy" message people are using to sell boot camps. We are getting hundreds of cybersecurity grads and laid off professionals with work rights applying for positions.
How can organizations even take the time to look beyond that at hundreds more juniors with no degree, criminal convictions, a GED, needing a' v sponsor, etc?

You really need to take it seriously and make yourself a top candidate. And these days to be competitive you typically need a bachelors, certs, and some hands on IT work experience. You need a very good professional network.
That's not true of every case. People will get lucky.
Or they'll have a security clearance or live in the right remote place for an in person only job. It happens.
Not often. The best thing we can do is try to enforce that they need to work seriously hard and have solid professional credentials.
TLDR we aren't all assholes; some of us are trying to save 20yos from falling for Uncle Bob putting them in a bootcamp to make an easy six figures.

16.01.2026 09:22 👍 103 🔁 39 💬 10 📌 1

low erth orbit perfec t size for put datacenter in to n\ap! outside very Soft and Comfort datacenter hum soundly in Low Earth Orbit. Put Datacenter in Low Earth Orbit. no problems ever in low earth orbbt because good Temperature and Sun exposure for datacenter hot of radiation.

17.12.2025 14:24 👍 15 🔁 4 💬 1 📌 0

Absolutely! I'm excited by how much more configurable my projects can be with the new features. I couldn't figure out a user-friendly way to pass in string args at link-time before, so it's awesome that we can now!

06.12.2025 14:20 👍 3 🔁 0 💬 0 📌 0

Yeah, I realised shortly after posting it that, while neat, patching in each arg separately is fiddly and doesn't really make sense with a variable number of args.

One big string is probably the way to go!

06.12.2025 02:37 👍 0 🔁 0 💬 1 📌 0
It's a screenshot of a linker spec for Crystal Palace. The screenshot depicts the argument-passing setup described in the post. The screenshot menaces with bands of tourmaline.

Is it cursed to pass arguments to the assembly in execute-assembly-pico using the linker variables introduced in the new Crystal Palace?

05.12.2025 20:19 👍 1 🔁 0 💬 1 📌 0

My PICOs and unit testing library have been updated for the newest version of Crystal Palace and LibTCG :)

03.12.2025 23:05 👍 1 🔁 1 💬 0 📌 0

Nothing like a two-week holiday to completely kill your momentum on all of your projects! Not that I'm complaining... but how do I write assembly again? 🤔

03.12.2025 16:23 👍 1 🔁 0 💬 0 📌 0
GitHub - ofasgard/LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs.

LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.

github.com/ofasgard/Lib...

21.10.2025 16:06 👍 2 🔁 3 💬 0 📌 0

Yeah, it would be awesome to do a kind of semi-automated controlled detonation like that! So cool for purple teaming.

20.10.2025 16:19 👍 0 🔁 0 💬 0 📌 0
A screenshot that showcases a PICO being unit tested. One of the test displays a failing assertion.

Anyway, simple little shared library for Crystal Palace to unit test your PICOs - coming soon!

20.10.2025 16:15 👍 1 🔁 0 💬 0 📌 0

There are two wolves inside of me. One is a grotty little hacker that wants to make stuff that barely works, and the other is a software dev who wants to do ✨Test Driven Development✨

20.10.2025 16:14 👍 3 🔁 0 💬 1 📌 0

For example! I want a way to generate a dozen almost-identical implants that all use slightly different tradecraft to achieve their goals, then run them all against a VM snapshot with an EDR agent installed and see which ones generate detections and why.

20.10.2025 08:56 👍 1 🔁 0 💬 1 📌 0

I don't think the ecosystem is quite there yet, but I feel like we're so close to being able to perform fully automated fuzzing of modular tradecraft vs. EDR detections using Crystal Palace...

20.10.2025 08:55 👍 0 🔁 0 💬 1 📌 0
ALT: a man with glasses looks at a plant in a can that says pepsi on it

I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.

17.10.2025 15:00 👍 5 🔁 3 💬 1 📌 1
A screenshot demonstrating the use of LibTP to proxy calls to NtAllocateVirtualMemory() while invoking a PICO.

Just got a chance to try it out, works like a charm!

17.10.2025 14:24 👍 0 🔁 0 💬 1 📌 0

This is super cool! I'm guessing it'll only work on x64 due to the assembly used for the callback, right?

16.10.2025 16:44 👍 0 🔁 0 💬 1 📌 0

And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!

16.10.2025 16:13 👍 5 🔁 3 💬 0 📌 0