This repo is a technical and social experiment to explore whether replacing Cobalt Strike's evasion primitives (Sleepmask/BeaconGate) with a Crystal Palace PICO is feasible (or even desirable) for advanced evasion scenarios.
- Disable the sleep mask and stage obfuscations in Malleable C2:

```
stage {
    set sleep_mask "false";
    set cleanup "true";
    transform-obfuscate { }
}

post-ex {
    set cleanup "true";
    set smartinject "true";
}
```
- Copy `crystalpalace.jar` to your Cobalt Strike client directory.
- Load `crystalkit.cna`.
- Tested on Cobalt Strike 4.12.
- Can work with any post-ex DLL capability.