
S1063 Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[2][3][1][5][4]

Item Value
ID S1063
Associated Names BRc4
Type TOOL
Version 1.0
Created 07 February 2023
Last Modified 17 April 2023

Associated Software Descriptions

Name | Description
BRc4 | [3]

Techniques Used

Domain | ID | Name | Use
enterprise | T1087 | Account Discovery | -
enterprise | T1087.002 | Domain Account | Brute Ratel C4 can use LDAP queries, net group "Domain Admins" /domain and net user /domain for discovery.[3][4]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Brute Ratel C4 can use HTTP and HTTPS for C2 communication.[3][4]
enterprise | T1071.004 | DNS | Brute Ratel C4 can use DNS over HTTPS for C2.[3][4]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Brute Ratel C4 can use cmd.exe for execution.[3]
enterprise | T1005 | Data from Local System | Brute Ratel C4 has the ability to upload files from a compromised system.[3]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Brute Ratel C4 has the ability to deobfuscate its payload prior to execution.[3]
enterprise | T1482 | Domain Trust Discovery | Brute Ratel C4 can use LDAP queries and nltest /domain_trusts for domain trust discovery.[3][4]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL Search Order Hijacking | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO.[3]
enterprise | T1574.002 | DLL Side-Loading | Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe.[3]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.006 | Indicator Blocking | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI).[3][1]
enterprise | T1105 | Ingress Tool Transfer | Brute Ratel C4 can download files to compromised hosts.[3]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign.[3]
enterprise | T1036.008 | Masquerade File Type | Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[3]
enterprise | T1106 | Native API | Brute Ratel C4 can call multiple Windows APIs for execution, memory sharing, and defense evasion.[3][1]
enterprise | T1046 | Network Service Discovery | Brute Ratel C4 can conduct port scanning against targeted systems.[3]
enterprise | T1095 | Non-Application Layer Protocol | Brute Ratel C4 has the ability to use TCP for external C2.[3]
enterprise | T1027 | Obfuscated Files or Information | Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[3][1]
enterprise | T1027.007 | Dynamic API Resolution | Brute Ratel C4 can call and dynamically resolve hashed APIs.[3]
enterprise | T1069 | Permission Groups Discovery | -
enterprise | T1069.002 | Domain Groups | Brute Ratel C4 can use net group for discovery on targeted domains.[4]
enterprise | T1057 | Process Discovery | Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs).[3]
enterprise | T1572 | Protocol Tunneling | Brute Ratel C4 can use DNS over HTTPS for C2.[3][4]
enterprise | T1620 | Reflective Code Loading | Brute Ratel C4 has used reflective loading to execute malicious DLLs.[1]
enterprise | T1021 | Remote Services | Brute Ratel C4 has the ability to use RPC for lateral movement.[3]
enterprise | T1021.002 | SMB/Windows Admin Shares | Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[3][1][2]
enterprise | T1021.006 | Windows Remote Management | Brute Ratel C4 can use WinRM for pivoting.[3]
enterprise | T1113 | Screen Capture | Brute Ratel C4 can take screenshots on compromised hosts.[3]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | Brute Ratel C4 can detect EDR userland hooks.[3]
enterprise | T1558 | Steal or Forge Kerberos Tickets | -
enterprise | T1558.003 | Kerberoasting | Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking.[3]
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | Brute Ratel C4 can create Windows system services for execution.[3]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Brute Ratel C4 has gained execution through users opening malicious documents.[3]
enterprise | T1497 | Virtualization/Sandbox Evasion | -
enterprise | T1497.003 | Time Based Evasion | Brute Ratel C4 can call NtDelayExecution to pause execution.[3][1]
enterprise | T1102 | Web Service | Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.[3]
enterprise | T1047 | Windows Management Instrumentation | Brute Ratel C4 can use WMI to move laterally.[3]

References