Calzone

@calz0n3.bsky.social

sorry, computer https://please.donothack.us/ https://github.com/ofasgard

29 Followers  |  39 Following  |  12 Posts  |  Joined: 26.09.2025  |  1.788

Latest posts by calz0n3.bsky.social on Bluesky

GitHub - ofasgard/LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs.

LibCPLTest: A shared library for Crystal Palace that allows you to unit test your PICOs. It's nothing too fancy, just a few helper functions and a macro, but it's helped me to create a consistent framework for testing my PIC capabilities.

github.com/ofasgard/Lib...

21.10.2025 16:06 — 👍 2    🔁 3    💬 0    📌 0

Yeah, it would be awesome to do a kind of semi-automated controlled detonation like that! So cool for purple teaming.

20.10.2025 16:19 — 👍 0    🔁 0    💬 0    📌 0

A screenshot that showcases a PICO being unit tested. One of the tests displays a failing assertion.

Anyway, simple little shared library for Crystal Palace to unit test your PICOs - coming soon!

20.10.2025 16:15 — 👍 1    🔁 0    💬 0    📌 0

There are two wolves inside of me. One is a grotty little hacker that wants to make stuff that barely works, and the other is a software dev who wants to do ✨Test Driven Development✨

20.10.2025 16:14 — 👍 3    🔁 0    💬 1    📌 0

For example! I want a way to generate a dozen almost-identical implants that all use slightly different tradecraft to achieve their goals, then run them all against a VM snapshot with an EDR agent installed and see which ones generate detections and why.

20.10.2025 08:56 — 👍 1    🔁 0    💬 1    📌 0

I don't think the ecosystem is quite there yet, but I feel like we're so close to being able to perform fully automated fuzzing of modular tradecraft vs. EDR detections using Crystal Palace...

20.10.2025 08:55 — 👍 0    🔁 0    💬 1    📌 0

ALT: a man with glasses looks at a plant in a can that says pepsi on it

I want to point out a few things happening with this fledgling Tradecraft Garden ecosystem. Right now things. But, how I see them in context of the overall model this could become.

17.10.2025 15:00 — 👍 5    🔁 3    💬 1    📌 1

A screenshot demonstrating the use of LibTP to proxy calls to NtAllocateVirtualMemory() while invoking a PICO.

Just got a chance to try it out, works like a charm!

17.10.2025 14:24 — 👍 0    🔁 0    💬 1    📌 0

This is super cool! I'm guessing it'll only work on x64 due to the assembly used for the callback, right?

16.10.2025 16:44 — 👍 0    🔁 0    💬 1    📌 0

And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!

16.10.2025 16:13 — 👍 4    🔁 3    💬 0    📌 0

A screenshot of a Crystal Palace PICO running. It's invoking a .NET assembly, specifically Rubeus.

Working on a new PICO! This one is an in-memory CLR hoster that uses the same technique as execute-assembly/donut to invoke a .NET assembly without touching the disk.

16.10.2025 08:54 — 👍 5    🔁 1    💬 2    📌 1

The new Crystal Palace version is very cool.

Having DFR in your PIC code and just providing a resolver function is so much more ergonomic than having two different mechanisms for resolving APIs! I love it - already updated my HWB PICO to incorporate the new functionality.

14.10.2025 12:06 — 👍 2    🔁 2    💬 0    📌 0

CHATGPT: I understand where you're coming from. You worked really hard to get here, and now it's time to enjoy the fruit of your labors.

ISILDUR: So I should keep it? Elrond says I shouldn't

CHATGPT: The ring is precious. Sometimes friends don't have your best interests at heart.

ISILDUR: true

06.10.2025 13:58 — 👍 10586    🔁 2996    💬 41    📌 40

GitHub - ofasgard/hardware-breakpoint-pico: A PICO for Crystal Palace that implements hardware breakpoint hooking.

I've been obsessed with @raphaelmudge.bsky.social's Crystal Palace since I learned about it at Beacon earlier this month, so... here's a WIP PICO I wrote to hook functions with hardware breakpoints 👀

github.com/ofasgard/har...

29.09.2025 16:29 — 👍 6    🔁 1    💬 0    📌 0
