Cobalt Strike Creator Drops Tradecraft Garden for Free — The Evasion Playbook That Changes Everything + Video

Introduction:

Raphael Mudge, the creator of Cobalt Strike, walked away from the industry in 2021 — only to return and do something no one expected. He is now publishing his entire evasion tradecraft knowledge openly and for free through the Tradecraft Garden project and its companion linker, Crystal Palace. This initiative fundamentally separates evasion techniques from offensive capability, creating a public, testable ground truth that benefits both red teams and blue teams alike. For detection engineers, EDR evaluators, and red team operators, this is not just another tool release — it is a paradigm shift in how the industry approaches tradecraft development and testing.

Learning Objectives:

  • Understand the architectural separation of evasion tradecraft from C2 capability through the Tradecraft Garden and Crystal Palace ecosystem.
  • Master the Crystal Palace linker, its CLI interface, and specification file language for building position-independent code (PIC) and PICO modules.
  • Apply binary transformations, call stack spoofing, sleep masking, and other evasion techniques across Cobalt Strike, Sliver, Mythic, and Adaptix frameworks.
  • Generate high-fidelity YARA rules from invariant instruction patterns for detection engineering.
  • Set up a complete Windows Subsystem for Linux (WSL) development environment for Tradecraft Garden projects.

1. Tradecraft Garden: Separating Evasion from Capability

The Tradecraft Garden is a collection of projects designed to decompose evasion tradecraft into self-contained units of execution, separate from (but usable with) C2 frameworks. The core philosophy is simple yet revolutionary: evasion techniques should exist independently of the capabilities they protect. This separation creates what Raphael Mudge calls “security ground truth” — techniques that are published, testable, and verifiable.

The ecosystem consists of two primary components:

  • Crystal Palace: A linker and linker script language specialized for position-independent code (PIC) tradecraft.
  • The Tradecraft Garden: A corpus of in-memory evasion tradecraft, packaged into capability loaders and shared libraries.

What makes this approach powerful is that every technique is published as a testable ground truth. Offense and defense both benefit because the same techniques that red teams use for evasion can be studied, measured, and detected by blue teams. The project switched from GPL to the permissive BSD license in October 2025, further encouraging widespread adoption and contribution.

2. Crystal Palace: The Linker That Makes It Work

Crystal Palace is the technical engine behind Tradecraft Garden. It is a linker and linker script language designed specifically for the needs of writing tradecraft as position-independent code. Its features include:

  • Appending multiple resources to PIC and accessing them as linked symbols
  • Running COFFs from position-independent code (the PICO convention)
  • Masking, encrypting, and calculating checksums for resources
  • Assigning user-supplied data to global symbols within PICOs and PIC
  • Separating `.spec` files and programs into callable modules
  • Ergonomic PIC development options for Win32 API resolution
  • Instrumenting PIC/PICO programs with self-hooking tools
  • Link-time optimization, block shuffling, and code mutation
  • Generating high-fidelity YARA rules for invariant parts of PIC and PICO programs

Setting Up Crystal Palace on Windows

The recommended development environment is Windows Subsystem for Linux (WSL). Here is the step-by-step setup:

Step 1: Install WSL

Open an elevated PowerShell prompt and run:

wsl --install

You will need to reboot during this process.

Step 2: Install Required Packages in WSL

Open the Ubuntu application and run:

sudo apt-get update
sudo apt-get install mingw-w64
sudo apt-get install make
sudo apt-get install openjdk-11-jdk
sudo apt-get install zip

Type ‘y’ when prompted.

Step 3: Install Crystal Palace

Clone the repository and run the install script:

git clone https://github.com/rsmudge/tradecraft-garden
cd tradecraft-garden
./install

This creates a `cpl` script in ~/.local/bin. The install script also walks through setting up bash tab completion for `cpl` verbs and `@config.spec` files.

Step 4: Install Windows Terminal (Optional)

Search for “Windows Terminal” in the Microsoft App Store and install it for a tabbed terminal experience.

Step 5: Update Windows Defender Settings

For testing purposes, and only on an isolated lab VM, disable Cloud protection and automatic sample submission, and optionally add exclusions for your Tradecraft Garden folder and the `run.x86.exe` / `run.x64.exe` process names. Do not make these changes on a production or daily-use host, and revert them when testing is finished; an exclusion that outlives the lab is exactly the kind of gap these loaders are built to exploit.

3. The cpl CLI: Crystal Palace's Unified Command Interface

Recent releases have consolidated all Crystal Palace commands behind a single `cpl` CLI interface. The old commands (coffparse, disassemble, link, linkserve, piclink) are now unified under `cpl` with specific verbs:

| Old Command | New Command | Description |
|---|---|---|
| `coffparse` | `cpl coffparse` | Print parsed COFF object code |
| `disassemble` | `cpl disassemble` | Print disassembled object code |
| `link` | `cpl link` | Link DLL/object to loader |
| `linkserve` | `cpl server` | Start JSON-over-HTTP sidecar service |
| `piclink` | `cpl build` | Build program from `.spec` file |

Basic Usage Examples

To build a PIC loader from a specification file and a DLL argument on the command line:

cpl build /path/to/loader.spec demo/test.x64.dll out.x64.bin

To run the resulting position-independent DLL loader:

./demo/run.x64.exe out.x64.bin

To generate a YARA rule file:

cpl build -g "out.yar" loader.spec demo/test.x64.dll out.x64.bin

To set a byte array variable:

cpl build KEY=04030201 loader.spec demo/test.x64.dll out.x64.bin

To set template string variables:

cpl build %var="value" loader.spec demo/test.x64.dll out.x64.bin

To run a configuration script before the main specification:

cpl build @config.spec loader.spec demo/test.x64.dll out.x64.bin

4. Specification Files: Crystal Palace’s Linker Script Language

Crystal Palace is driven by specification (.spec) files, the linker's script language. Each spec is a small stack machine: commands push objects and variables onto a stack, transform the item on top, and finally export the result. Lines beginning with `#` are comments. Here is an example specification file:

# Our specification file. This is a comment

x86:
    # load our x86 .o file AND turn it into position-independent code
    load "bin/loader.x86.o"
    makepic
    # handle any x86 pointer fixes we need, with the help of the _caller function
    fixptrs "_caller"
    # load our Reflective DLL argument AND link it into our PIC as my_data section
    push $DLL
    link "my_data"
    # we're done, export the final blob
    export

x64:
    load "bin/loader.x64.o"
    makepic
    push $DLL
    link "my_data"
    export

Key Specification File Commands:

| Command | Description |
|---|---|
| `load "file.o"` | Load an object file onto the stack |
| `makepic` | Convert the object on top of the stack to position-independent code |
| `push $VAR` | Push a variable onto the stack |
| `link "name"` | Link the top stack item into the program under the given section name |
| `export` | Export the final blob |
| `addhook "MOD$Func" "hook"` | Register a hook for a module function |
| `attach "MOD$Func" "hook"` | Rewrite calls to go through a hook |
| `dfr "resolver" "method"` | Set dynamic function resolution |
| `call "file.spec" "label"` | Call another specification file |

5. __transfer(): Tail Call Optimization for Call Stack Spoofing

One of the critical evasion techniques in Tradecraft Garden is the `__transfer` intrinsic — an x64-only linker intrinsic that expands to a tail call at link time. A tail call is a function call that does not return to the parent; instead, it tears down the stack frame of the caller, jumps to the callee, and when complete, the callee returns to the caller’s caller.

The effect is that the caller is not present on the stack. This matters for evasion because a stack walk taken from inside the payload (by an EDR's thread-start or API-call callback, for example) will not show a return address into the loader's memory, and a return address into unbacked or unusual memory is a common detection signal.

Using __transfer()

The contract for `__transfer` is straightforward:

#include "tcg.h"

/* The __transfer target must be a void function that takes no arguments. */
void gohere(void);

/* loader_entry is an illustrative name for the function that hands off control. */
void loader_entry(void) {
    /* ... set up the execution environment here ... */

    /* Tail-call gohere(). The linker expands this to a jmp, so this frame is
     * torn down first and gohere() returns to loader_entry's caller. */
    __transfer(gohere);
}

The prototype for `__transfer` is defined in tcg.h. The Module Stomp example demonstrates `__transfer` in action.

Practical Application: When a reflective loader sets up an ideal execution environment and needs to pass control to the payload, `__transfer` ensures the loader’s stack frame is not visible, making detection significantly harder.

6. API Hashing and Dynamic Function Resolution

Crystal Palace provides Dynamic Function Resolution (DFR) for resolving Win32 APIs at runtime, so the PIC carries neither an import table nor plaintext API names. The DFR feature supports several resolver contracts:

  • ror13: Calls a resolver with ror13 hashes of the desired module and function
  • strings: Calls a resolver with pointers to stack strings
  • djb2: DJB2 hash-based resolution
  • fnv1a: FNV-1a hash-based resolution

Implementation Example

In a Crystal Palace specification file:

# Set default dynamic function resolution with ror13 hashing
dfr "my_resolver" "ror13"

The resolver function must implement the contract to walk the Export Address Table (EAT) and resolve functions by hash.

Why This Matters: API hashing keeps the names of the Windows APIs a payload uses out of its strings and import table, so static tools cannot simply list them. The trade-off a practitioner should keep in mind is that the hash constants and the resolver loop are themselves fixed bytes in the output: a defender who knows the hash scheme can precompute the constants for sensitive APIs and match on them, which is exactly the kind of invariant a YARA rule can capture.
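The following is an added example, written for this article rather than taken from Crystal Palace, of what a ror13 resolver does once it has a module's export names in hand, and of what a defender can do with the same arithmetic. It hashes each name with the classic rotate-right-13-and-add scheme, looks up the one whose hash equals the constant the caller passed, and then shows the little-endian bytes that constant occupies in the calling code. The export table is a constructed array of names standing in for a real PE Export Address Table, and the exact normalisation Crystal Palace applies to module and function names (case, character width) is an assumption here; this example hashes function names as plain ASCII only.

```c
/* Added example: ROR13 API hashing and hash-based export lookup.
 * Illustrative code for this article, not Crystal Palace's resolver. The
 * export table below is constructed; a real resolver walks the module's
 * Export Address Table. Name normalisation is assumed to be plain ASCII. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rotate the running hash right by 13 bits and add each byte of the name. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* ror 13 on a 32-bit value */
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a module's export name table (index == ordinal). */
static const char *const demo_exports[] = {
    "CloseHandle", "CreateFileA", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
};
#define DEMO_EXPORT_COUNT (sizeof demo_exports / sizeof demo_exports[0])

/* Resolver core: return the index whose name hashes to `want`, or -1 if none.
 * A real resolver maps the index to an address via the ordinal/address tables. */
int resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < DEMO_EXPORT_COUNT; i++)
        if (ror13_hash(demo_exports[i]) == want)
            return (int)i;
    return -1;
}

/* Defender's view: byte `i` (0..3) of the constant as it sits little-endian in
 * the code that calls the resolver, i.e. what a hex-string rule would carry. */
unsigned hash_le_byte(uint32_t h, int i)
{
    return (h >> (8 * i)) & 0xffu;
}

int main(void)
{
    for (size_t i = 0; i < DEMO_EXPORT_COUNT; i++) {
        uint32_t h = ror13_hash(demo_exports[i]);
        printf("%-20s ror13=0x%08x  bytes={ %02x %02x %02x %02x }  resolves to %d\n",
               demo_exports[i], h, hash_le_byte(h, 0), hash_le_byte(h, 1),
               hash_le_byte(h, 2), hash_le_byte(h, 3), resolve_by_hash(h));
    }
    return 0;
}
```

Run it and the printed `bytes={ ... }` column for `VirtualAlloc` or `WriteProcessMemory` is the 4-byte sequence a defender would search for in a blob that uses this scheme; swapping the rotate count or normalisation changes every constant, which is why the resolver contract matters as much as the hash function.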

7. Binary Transformations and Code Mutation

Crystal Palace includes powerful binary transformation capabilities that can be applied to COFF capabilities:

  • +mutate: Code mutation for polymorphism
  • +optimize: Link-time optimization
  • +disco: Block shuffling and reordering

Applying Transformations

In a specification file or via the CLI:

cpl build +mutate +optimize loader.spec demo/test.x64.dll out.x64.bin

These transformations change the output bytes while preserving behaviour, so a file hash or a byte signature taken from one build will not match the next. They do not remove behaviour, and they leave untouched whatever the linker cannot safely rewrite; those invariant bytes are what the YARA generator below targets.

YARA Rule Generation

One of the most innovative features is the ability to generate high-fidelity YARA rules for the invariant parts of PIC and PICO programs. This is a double-edged sword:

  • For Blue Teams: Generate YARA rules to detect specific tradecraft patterns
  • For Red Teams: Understand which parts of their code are invariant and could be detected

Usage:

cpl build -g "detection.yar" loader.spec demo/test.x64.dll out.x64.bin
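
To make the idea of an invariant-byte rule concrete, here is an added example written for this article (not Crystal Palace's generator, whose selection logic the page does not describe). It parses a YARA-style hex string in which `??` marks a wildcard byte, then scans byte buffers for it. The three "variants" are constructed byte strings that mimic the same instruction sequence with different immediates and different padding; they are not real PIC output. The rule's fixed bytes are the opcode skeleton, and the wildcards cover the displacement and call target that vary from build to build.

```c
/* Added example: matching an invariant-byte pattern across mutated variants.
 * Illustrative code for this article; the variants below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* One pattern byte: a fixed value, or a wildcard (YARA's "??"). */
typedef struct { uint8_t value; bool wildcard; } pat_byte;

/* Parse "48 8B ?? 28" into pat_byte[]; returns the count, or -1 if malformed. */
long parse_hex_pattern(const char *s, pat_byte *out, size_t max)
{
    size_t n = 0;
    while (*s) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (n == max) return -1;
        if (s[0] == '?' && s[1] == '?') {
            out[n].wildcard = true; out[n].value = 0; s += 2;
        } else {
            int v = 0;
            for (int i = 0; i < 2; i++) {
                char c = s[i]; int d;
                if (c >= '0' && c <= '9') d = c - '0';
                else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
                else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
                else return -1;                 /* not hex, not "??" */
                v = v * 16 + d;
            }
            out[n].wildcard = false; out[n].value = (uint8_t)v; s += 2;
        }
        n++;
    }
    return (long)n;
}

/* Return the offset of the first match of pat in buf, or -1. */
long find_pattern(const uint8_t *buf, size_t len, const pat_byte *pat, size_t plen)
{
    if (plen == 0 || plen > len) return -1;
    for (size_t off = 0; off + plen <= len; off++) {
        size_t k = 0;
        while (k < plen && (pat[k].wildcard || buf[off + k] == pat[k].value)) k++;
        if (k == plen) return (long)off;
    }
    return -1;
}

/* Convenience: parse then scan. Returns offset, -1 for no match, -2 for a bad rule. */
long scan_with_rule(const char *rule, const uint8_t *buf, size_t len)
{
    pat_byte pat[64];
    long plen = parse_hex_pattern(rule, pat, sizeof pat / sizeof pat[0]);
    if (plen < 0) return -2;
    return find_pattern(buf, len, pat, (size_t)plen);
}

/* Constructed variants of "mov rax,[rcx+disp8]; call rel32; test rax,rax":
 * same skeleton, different displacement, call target and padding. */
static const uint8_t variant_a[] = { 0x90,0x90, 0x48,0x8B,0x41,0x10, 0xE8,0x11,0x22,0x33,0x44, 0x48,0x85,0xC0 };
static const uint8_t variant_b[] = { 0xCC,0xCC,0xCC, 0x48,0x8B,0x41,0x20, 0xE8,0xAA,0xBB,0xCC,0xDD, 0x48,0x85,0xC0 };
/* variant_c replaces the call (E8) with a jmp (E9): the skeleton differs. */
static const uint8_t variant_c[] = { 0x48,0x8B,0x41,0x10, 0xE9,0x11,0x22,0x33,0x44, 0x48,0x85,0xC0 };

/* Fixed bytes are the opcodes; wildcards cover disp8 and the rel32 target. */
static const char *const invariant_rule = "48 8B 41 ?? E8 ?? ?? ?? ?? 48 85 C0";

int main(void)
{
    printf("variant_a: %ld\n", scan_with_rule(invariant_rule, variant_a, sizeof variant_a));
    printf("variant_b: %ld\n", scan_with_rule(invariant_rule, variant_b, sizeof variant_b));
    printf("variant_c: %ld\n", scan_with_rule(invariant_rule, variant_c, sizeof variant_c));
    return 0;
}
```

The design point is the ratio of fixed to wildcard bytes: too many wildcards and the rule fires on unrelated code, too few and a single changed immediate defeats it. The value of a generator that knows which bytes the linker may rewrite is that it can make that choice from ground truth rather than from a guess.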

8. The Crystal Kit Ecosystem: Cobalt Strike, Sliver, Mythic, and Adaptix

The community has built an entire ecosystem on top of Tradecraft Garden. Crystal Kit provides tradecraft modules for multiple C2 frameworks:

  • Cobalt Strike: Load-time, runtime, and post-exploitation evasion modules
  • Sliver: Open-source C2 framework integration
  • Mythic: Cross-platform post-exploitation framework
  • Adaptix: C2 framework with default agent configurations

The goal is to containerize and separate evasion tradecraft from C2s, making it applicable to uses beyond security testing exercises.

What Undercode Say:

  • Key Takeaway 1: Raphael Mudge’s decision to publish Tradecraft Garden for free democratizes evasion tradecraft knowledge. What was once the exclusive domain of elite red teams and well-funded APT groups is now accessible to anyone willing to learn. This levels the playing field for both offense and defense.

  • Key Takeaway 2: The separation of evasion from capability is an architectural breakthrough. By containerizing tradecraft into reusable PICO modules, the industry can move beyond the "build from scratch" mentality and toward a modular, testable, and verifiable approach to security research.

Analysis: The Tradecraft Garden project represents a fundamental shift in how the security community approaches evasion techniques. By publishing everything as "security ground truth," Mudge has effectively forced the industry to confront an uncomfortable reality: if evasion techniques are publicly documented and testable, then detection must evolve beyond simple signature matching. This is not a gift to attackers; it is a challenge to defenders. The same techniques that enable red team operations also provide blue teams with the precise patterns they need to build better detection. The YARA rule generator is a perfect example: it gives defenders the exact tool they need to detect the very techniques being published. This is security through transparency, not obscurity.

Prediction:

  • +1 The open-sourcing of advanced evasion tradecraft will accelerate the development of next-generation EDR solutions that focus on behavioral detection rather than static signatures.

  • +1 The modular PICO convention will become an industry standard for tradecraft development, enabling faster innovation and better collaboration between red and blue teams.

  • -1 Organizations with immature security programs will struggle to defend against techniques that are now publicly available, leading to a short-term increase in successful breaches.

  • +1 The Tradecraft Garden will spawn a new generation of security researchers who understand evasion at a fundamental level, improving the overall quality of security testing.

  • -1 Threat actors will incorporate these techniques into their toolchains faster than many organizations can deploy detection controls, creating a window of vulnerability.

  • +1 The availability of testable ground truths will enable more rigorous EDR evaluation and certification, ultimately raising the baseline of endpoint protection across the industry.

Related Video:

https://www.youtube.com/watch?v=3F5AUW64HUY

Reported By: Zahidoverflow File118jpg – Hackers Feeds