I had the pleasure of giving this talk at the London Beacon 2025 conference earlier this year, and here are the slides:
A friendly intro to Cobalt Strike’s UDRLs
The aim was to try to give some documentation on how Cobalt Strike beacons work and are staged in memory, as well as how the User-Defined Reflective Loader gives you control over how the beacon gets loaded and executed in memory. My personal take (some people have created their own UDRLs using their own preferences) is to leverage Cobalt Strike’s UDRL-VS project, which is a template you can reuse to build your own tooling in Visual Studio.
Here is the agenda:
- What’s a Cobalt Strike Beacon?
- UDRL: why?
- Getting started with UDRL-VS
- Demo
Fortra has published a lot of documentation introducing these concepts in these blog articles, which I reference a lot in the talk:
Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
For more about the excellent Beacon conference (held in London), check out the website at beac0n.org!