Sleep Mask Kit

The Sleep Mask Kit is the source code for the sleep mask function that is executed to obfuscate Beacon, in memory, prior to sleeping. This obfuscation technique may be used to identify Beacon. To defeat this detection, Cobalt Strike is providing an aggressor script to allow the user to modify how the sleep mask function looks in memory. Go to Help -> Arsenal and download the Sleep Mask Kit. Your licence key is required.

Use the included or build.bat script to build the Sleep Mask Kit on Kali Linux or Microsoft Windows. The script builds the sleep mask object file for the three types of Beacons (default, SMB, and TCP) on both x86 and x64 architectures in the sleepmask directory. The default type supports HTTP, HTTPS, and DNS Beacons. You may modify the Sleep Mask Kit to meet your needs.

To make Cobalt Strike use your sleep mask function over the default, load the sleepmask.cna script from the sleepmask directory.

There are some limitations to what may be modified:

  • The executable code size can not exceed 289 bytes. If this occurs the default sleep mask function will be used.
  • Only one function can be defined in the source code file.