rasta-mouse/Crystal-Kit
Crystal Kit

This repo is a technical and social experiment to see if replacing Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with Crystal Palace PIC(O)s is feasible (or even desirable) for advanced evasion scenarios. Also see the accompanying blog post.

Usage

  1. Disable the Sleepmask and stage obfuscations in Malleable C2:

     stage {
         set rdll_loader "PrependLoader";
         set sleep_mask "false";
         set cleanup "true";
         transform-obfuscate { }
     }

     post-ex {
         set cleanup "true";
     }

  2. Copy crystalpalace.jar to your Cobalt Strike client directory.
  3. Load crystalkit.cna.

TODO

There are lots of improvements that can be made to this codebase. Some that come to mind include:

  • Add BUD-style structures to track memory allocations.
  • Don't use RWX memory.
  • Add GMA & GPA patching to the postex loader (smartinject is not yet supported in stage for prepended loaders).
  • Add AMSI & ETW bypasses to the postex loader.
  • Add memory freeing code on ExitThread.

About

Evasion for Cobalt Strike