Brute Ratel C4
Associated Software Descriptions

| Name | Description |
|---|---|
| BRc4 | (Citation: Palo Alto Brute Ratel July 2022) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | Brute Ratel C4 can use LDAP queries, `net group "Domain Admins" /domain` and `net user /domain` for discovery.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Brute Ratel C4 can use HTTP and HTTPS for C2 communication.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Brute Ratel C4 can use DNS over HTTPS for C2.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Brute Ratel C4 can use cmd.exe for execution.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally signed Microsoft binary OneDriveUpdater.exe.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI).(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Brute Ratel C4 can call and dynamically resolve hashed APIs.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Brute Ratel C4 can use `net group` for discovery on targeted domains.(Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts.(Citation: Rapid7 Fake W2 July 2024) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: Dark Vortex Brute Ratel C4) |
| Enterprise | T1021.006 | Remote Services: Windows Remote Management | Brute Ratel C4 can use WinRM for pivoting.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Brute Ratel C4 can detect EDR userland hooks.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1569.002 | System Services: Service Execution | Brute Ratel C4 can create Windows system services for execution.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1204.002 | User Execution: Malicious File | Brute Ratel C4 has gained execution through users opening malicious documents.(Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Brute Ratel C4 can call `NtDelayExecution` to pause execution.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022) |
References
- Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
- Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023.
- Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Thomas, W. (2022, October 5). Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground. Retrieved February 6, 2023.
- Elkins, T. (2024, July 24). Malware Campaign Lures Users With Fake W2 Form. Retrieved September 13, 2024.