Cobalt Strike Evolves: Advanced Evasion with UDRL, SleepMask, and BeaconGate
Cobalt Strike remains one of the most widely used frameworks for adversary simulation and red team operations. In recent releases its evasion capabilities have become considerably more sophisticated with the introduction of the User-Defined Reflective Loader (UDRL), the Sleep Mask, and BeaconGate. Rasta Mouse has detailed the mechanics of these features in his blog.
- The User-Defined Reflective Loader (UDRL) lets operators replace the stock Beacon reflective loader with a custom one, giving them complete control over how the Beacon DLL is mapped into memory. That control allows techniques such as allocating memory through unconventional APIs or altering the headers and metadata of the loaded image. The trade-off is that the Malleable C2 stage transformations the default loader would otherwise apply are no longer applied automatically, and other features that assume the default memory layout, the Sleep Mask in particular, do not know where the custom loader placed Beacon unless the loader tells them.
- The Sleep Mask obfuscates Beacon's image and heap in memory while Beacon sleeps, reducing the window in which a memory scanner can find it. It can consume the memory allocation information a UDRL hands to Beacon, which gives the mask precise knowledge of which regions to cover and reduces the chance of errors such as leaving data unmasked or crashing by masking memory that must stay readable.
- BeaconGate adds a further layer of evasion by proxying Beacon's Windows API calls through the user-defined Sleep Mask BOF. Because the call is made from the mask rather than from Beacon itself, the operator can spoof the call stack or apply other evasion techniques before the result is handed back to Beacon, and Beacon's own memory can remain masked for the duration of the call. The gate can also be combined with Beacon's system call support, so a proxied call can be issued as a system call instead of through the normal API path.
Developers get tooling to customize and integrate these features: they can supply their own system call implementations or use the BeaconGateWrapper helper to handle proxied calls, which makes Beacon more adaptable, particularly when writing Beacon Object Files (BOFs).
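The interplay described above, a loader-supplied allocation table, a mask that covers exactly those regions, and a gate that keeps Beacon masked while an API call is in flight, is illustrated by the following added example. It is not code from the page, from Rasta Mouse, or from Cobalt Strike: the `region_t`, `alloc_table_t`, `function_call_t`, `toggle_mask`, `beacon_gate`, and `scan_for_marker` names are hypothetical stand-ins for the real `beacon.h` types, the XOR mask is a simplified model (a real Sleep Mask also has to change page protections before touching executable sections), and the "scanner" is a constructed callee that checks whether a plaintext marker is visible during the call. It builds and runs on any platform with a C99 compiler.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the allocation table a custom loader could hand to the
 * sleep mask: where each region lives, how big it is, whether to mask it.
 * This is NOT the real beacon.h structure. */
#define MAX_REGIONS 8

typedef struct {
    uint8_t *base;
    size_t   size;
    int      maskable;   /* 0 for regions that must stay readable, e.g. the loader stub */
} region_t;

typedef struct {
    region_t regions[MAX_REGIONS];
    size_t   count;
} alloc_table_t;

/* XOR-mask every maskable region. Applying it twice restores the plaintext,
 * which is how a sleep mask masks before sleeping and unmasks afterwards. */
static void toggle_mask(const alloc_table_t *t, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < t->count; i++) {
        if (!t->regions[i].maskable) continue;
        for (size_t j = 0; j < t->regions[i].size; j++)
            t->regions[i].base[j] ^= key[j % keylen];
    }
}

/* Model of a gated call: the target is reached through a function pointer with
 * its arguments already captured, so the implant's memory can stay masked while
 * the call executes whenever the caller flags that as safe (mask_during_call). */
typedef uintptr_t (*gated_fn_t)(uintptr_t, uintptr_t);

typedef struct {
    gated_fn_t fn;
    uintptr_t  args[2];
    int        mask_during_call;
    uintptr_t  ret;
} function_call_t;

static void beacon_gate(const alloc_table_t *t, function_call_t *c,
                        const uint8_t *key, size_t keylen)
{
    if (c->mask_during_call) toggle_mask(t, key, keylen);
    /* A real gate would spoof the call stack or switch to a syscall here. */
    c->ret = c->fn(c->args[0], c->args[1]);
    if (c->mask_during_call) toggle_mask(t, key, keylen);
}

/* Constructed stand-in for a memory scanner that runs while the call is in
 * flight: returns 1 if the plaintext marker is visible in the region, else 0. */
static uintptr_t scan_for_marker(uintptr_t base, uintptr_t size)
{
    const char *m = "BEACON";
    size_t mlen = strlen(m);
    const uint8_t *p = (const uint8_t *)base;
    for (size_t i = 0; i + mlen <= size; i++)
        if (memcmp(p + i, m, mlen) == 0) return 1;
    return 0;
}

/* Constructed sample memory: an image region carrying the marker, a heap
 * record, and a loader stub that must not be masked. */
static uint8_t g_image[32] = "....BEACON....";
static uint8_t g_heap[16]  = "task-queue-data";
static uint8_t g_stub[8]   = "stub";
static const uint8_t g_key[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

static alloc_table_t sample_table(void)
{
    alloc_table_t t = { .count = 3 };
    t.regions[0] = (region_t){ g_image, sizeof g_image, 1 };
    t.regions[1] = (region_t){ g_heap,  sizeof g_heap,  1 };
    t.regions[2] = (region_t){ g_stub,  sizeof g_stub,  0 };
    return t;
}

/* Returns the scanner's verdict for a call made with or without masking
 * (1 = marker visible, 0 = hidden), or -1 if memory was not restored intact. */
int gated_call_verdict(int mask_during_call)
{
    alloc_table_t t = sample_table();
    uint8_t before[sizeof g_image];
    memcpy(before, g_image, sizeof g_image);

    function_call_t call = {
        .fn = scan_for_marker,
        .args = { (uintptr_t)g_image, sizeof g_image },
        .mask_during_call = mask_during_call,
    };
    beacon_gate(&t, &call, g_key, sizeof g_key);

    if (memcmp(before, g_image, sizeof g_image) != 0) return -1;
    if (memcmp(g_stub, "stub", 5) != 0) return -1;
    return (int)call.ret;
}

int main(void)
{
    printf("unmasked call: marker visible = %d\n", gated_call_verdict(0));
    printf("masked call:   marker visible = %d\n", gated_call_verdict(1));
    return 0;
}
```

The unmasked call lets the scanner find the marker, the masked call does not, and in both cases the image bytes and the unmaskable stub are intact afterwards. The `maskable` flag is the part that depends on the loader: without that information the mask would either skip memory it should cover or corrupt memory that has to stay readable, which is exactly the failure mode described above.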
Looking ahead, the Sleep Mask and BeaconGate could be merged into a single mechanism, or the gate could be extended to arbitrary API calls rather than a fixed set. Either change would give operators more room to evade, and would make memory-based detection of Beacon correspondingly harder for defenders.