In this post, we’ll review a simple technique that we’ve developed to encrypt Cobalt Strike’s Beacon in memory while executing BOFs to prevent a memory scan from detecting Beacon.

Picture this — you’re on a red team engagement and your phish went through, your initial access payload got past EDR, your beacon is now living in memory and calling back to you. The hard part is over, time to do some post-exploitation. You fire up your trusty BOF toolkit and watch the “last” timer tick up indefinitely.

While an initial beacon can go undetected, performing common post-exploitation activities from a Beacon Object File can trigger a memory scan of your process by EDR. This can result in an EDR product finding your Beacon sitting in memory and killing the process.

Cobalt Strike (somewhat) recently introduced the Sleep Mask functionality, which serves to hide Beacon in memory while it’s sleeping. This helps prevent detection by threat hunting tools or memory scanners that look for Beacon signatures or suspicious artifacts like unbacked executable memory. As of Cobalt Strike 4.7, Sleep Mask is implemented as a BOF, which provides the operator with much more control over how Sleep Mask works. This demonstrates that it is possible to have Beacon encrypted and sleeping during BOF execution. However, during normal BOF execution, Beacon is sitting in memory. Let’s look at how to change that.