UDRL and Sleepmask Development

Introduction
This course teaches students how to apply low-level Windows knowledge and offensive tradecraft in the writing and development of Cobalt Strike's User-Defined Reflective Loader and Sleepmask components.
  • Author: Alex Reid
  • Level: Certified
  • Study time: 9 hours

Frequently Asked Questions

Q: Who is this course for?

A: This is an advanced-level course intended for individuals who already have some experience writing code in C and working with the Windows API. Students will almost assuredly already have their own home labs/VMs and be generally familiar with Cobalt Strike. It explores highly complex topics and requires that students spend a significant amount of time working in a debugger and with x64 assembly instructions.

Students will explore how the Cobalt Strike UDRL and Sleepmask can be used together to achieve powerful effects in the realms of memory scanner avoidance and call stack spoofing. Screenshots, descriptions, and code snippets are provided throughout the course, but students without prior experience working with offensive tooling code may find it hard to follow along at various points in the ~2500 lines of code that will be written. Full source code downloads are available at the end of each lesson should students get lost or be unsure how the code should be implemented at any point.

Q: Is there a lab provided?

A: No. Students are responsible for creating their own lab environment according to the instructions provided in the material. This primarily requires a Kali Linux VM and a Windows 10 or Windows 11 VM for development and testing purposes.

Q: Is Cobalt Strike required?

A: Yes. This course is inherently tied to the Cobalt Strike UDRL and Sleepmask specification and thus requires that students have access to Cobalt Strike in order to follow along with the course material. That being said, there is quite a bit of low-level Windows tradecraft that has applicability outside the Cobalt Strike UDRL/Sleepmask specification.

Q: What version of Cobalt Strike is the course written for?

A: The course was written and updated to support Cobalt Strike 4.12. Breaking changes were introduced to the Sleepmask in 4.12, meaning the Sleepmask written in this course will not work on earlier versions of Cobalt Strike without minor modifications.

Q: What version of Windows does the UDRL/Sleepmask built in this course support?

A: The tooling built in this course is intended to support the earliest version of Windows 10 (1507, released 2015) up through the latest version of Windows 11. Due to the significant use of inline assembly and ROP, the tooling is limited to x64 builds. This means the UDRL and Sleepmask written in this course do not apply to x86 Beacons.

Instructor

Alex Reid

Alex began his career in offensive security as a member of the United States Navy Red Team, where he worked as a technical lead and advanced capabilities developer. He has contributed numerous open-source tools and research blogs to the information security community, including Teamsphisher, GraphStrike, Inline-Execute-PE, and MemFiles.