Crystal Kit

This repo is a technical and social experiment to explore whether replacing Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with a Crystal Palace PICO is feasible (or even desirable) for advanced evasion scenarios.

Usage

Disable the sleepmask and stage obfuscations in Malleable C2.

stage {
    set sleep_mask "false";
    set cleanup "true";
    transform-obfuscate { }
}

post-ex {
    set cleanup "true";
    set smartinject "true";
}

Copy crystalpalace.jar to your Cobalt Strike client directory.
Load crystalkit.cna.

Notes

Tested on Cobalt Strike 4.12.
Can work with any post-ex DLL capability.

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
loader		loader
local-loader		local-loader
postex-loader		postex-loader
.gitattributes		.gitattributes
.gitignore		.gitignore
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
crystalkit.cna		crystalkit.cna
libtcg.x64.zip		libtcg.x64.zip

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Crystal Kit

Usage

Notes

About

Uh oh!

Languages

License

rasta-mouse/Crystal-Kit

Folders and files

Latest commit

History

Repository files navigation

Crystal Kit

Usage

Notes

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Languages