Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[1][2][3][4][5]

ID: S1063
Associated Software: BRc4
Type: TOOL
Platforms: Windows
Contributors: Sittikorn Sangrattanapitak; Daniel Acevedo, @darmad0, ARMADO
Version: 1.0
Created: 07 February 2023
Last Modified: 17 April 2023

Associated Software Descriptions

Name Description
BRc4 [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery.[2][5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Brute Ratel C4 can use HTTP and HTTPS for C2 communication.[2][5]

Enterprise T1071 .004 Application Layer Protocol: DNS

Brute Ratel C4 can use DNS over HTTPS for C2.[2][5]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Brute Ratel C4 can use cmd.exe for execution.[2]

Enterprise T1005 Data from Local System

Brute Ratel C4 has the ability to upload files from a compromised system.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.[2]

Enterprise T1482 Domain Trust Discovery

Brute Ratel C4 can use LDAP queries and nltest /domain_trusts for domain trust discovery.[2][5]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally signed Microsoft binary OneDriveUpdater.exe.[2]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).[2][3]

Enterprise T1105 Ingress Tool Transfer

Brute Ratel C4 can download files to compromised hosts.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[2]

Enterprise T1036 .008 Masquerading: Masquerade File Type

Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[2]

Enterprise T1106 Native API

Brute Ratel C4 can call multiple Windows APIs for execution, memory sharing, and defense evasion.[2][3]

Enterprise T1046 Network Service Discovery

Brute Ratel C4 can conduct port scanning against targeted systems.[2]

Enterprise T1095 Non-Application Layer Protocol

Brute Ratel C4 has the ability to use TCP for external C2.[2]

Enterprise T1027 Obfuscated Files or Information

Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[2][3]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Brute Ratel C4 can call and dynamically resolve hashed APIs.[2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Brute Ratel C4 can use net group for discovery on targeted domains.[5]

Enterprise T1057 Process Discovery

Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[2]

Enterprise T1572 Protocol Tunneling

Brute Ratel C4 can use DNS over HTTPS for C2.[2][5]

Enterprise T1620 Reflective Code Loading

Brute Ratel C4 has used reflective loading to execute malicious DLLs.[3]

Enterprise T1021 Remote Services

Brute Ratel C4 has the ability to use RPC for lateral movement.[2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[1][2][3]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Brute Ratel C4 can use WinRM for pivoting.[2]

Enterprise T1113 Screen Capture

Brute Ratel C4 can take screenshots on compromised hosts.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Brute Ratel C4 can detect EDR userland hooks.[2]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking.[2]

Enterprise T1569 .002 System Services: Service Execution

Brute Ratel C4 can create Windows system services for execution.[2]

Enterprise T1204 .002 User Execution: Malicious File

Brute Ratel C4 has gained execution through users opening malicious documents.[2]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Brute Ratel C4 can call NtDelayExecution to pause execution.[2][3]

Enterprise T1102 Web Service

Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.[2]

Enterprise T1047 Windows Management Instrumentation

Brute Ratel C4 can use WMI to move laterally.[2]

References