What is a Sleep Mask?
When Beacon is configured with a sleep interval, it remains dormant between check-ins to its C2 server. During these dormant periods, the Beacon payload typically sits unencrypted in memory, making it vulnerable to detection. Sleep masks were designed to hide Beacon in memory while it sleeps to evade EDRs, antivirus, and memory forensics tools that search for known signatures.
Evolution of Sleep Mask Functionality
Introduced in the 4.4 release, the Sleep Mask Kit quickly became a favorite feature and serves as an ideal example of the efficacy of the user community feedback cycle that has helped shape Cobalt Strike.
When its popularity became evident, immediate and significant enhancements in Cobalt Strike were made in version 4.5, substantially increasing the size limit and adding support for masking Beacon’s heap memory.
In version 4.7, the Sleep Mask Kit was re-engineered to execute as a true Beacon Object File (BOF), providing greater flexibility and granular control. Operators were now able to override the default method called when Beacon enters its sleep state, allowing for the integration of custom sleep functions.
In version 4.10, the Sleep Mask Kit API was overhauled to support BeaconGate, making it possible to configure Beacon to forward its Windows API calls to be executed via the sleep mask. Additionally, Sleepmask-VS was added to simplify custom sleep mask development by providing a repository of examples that demonstrate how to use the BOF-VS template.
Version 4.11 introduced a novel sleep mask that offers out-of-the-box configuration designed to obfuscate Beacon, its heap allocations, and itself. While this automated capability simplifies evasion for many operators, the flexibility to use custom sleep masks remains available for those desiring deeper customization.