# Brute Ratel C4

<https://bruteratel.com/>

## A Customized Command and Control Center for Red Team and Adversary Simulation

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/main.png)

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/mitre.png)

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/smbpivot.png)

### DNS Over HTTPS

**Alongside the default HTTPS connections, Badger's DNS over HTTPS lets newly bought domains be used without the need for domain fronting or a redirector, while also providing a backup option to switch to other HTTPS profiles on the fly.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/doh_profile.png)

### External C2 Channels

**The SMB and TCP badgers provide the functionality to write custom External C2 Channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/external_c2.png)

### Indirect Syscalls

**Badger provides various process injection capabilities and an option to switch between WinAPI, NTAPI and direct syscalls on the fly.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/proc_inject.png)

### Built-in Debugger To Detect EDR Userland Hooks

**Badger provides various techniques to hunt for EDR userland hooks and DLLs, and to avoid triggering them using various syscall obfuscation and debugging techniques.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/detect_hook.png)

### Brute Ratel MITRE graph

**Brute Ratel features a seamlessly integrated MITRE graph for all built-in commands, providing a user-friendly interface for Adversary Simulation activities.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/mitre.png)

### One stop for all your LDAP queries

**LDAP Sentinel provides a rich GUI for running LDAP queries against a domain or a forest. Whether you want to run SPN queries for a specific user or query large group objects, all of it can be done effortlessly using prebuilt queries.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/5.1_ldapsentinel.png)

### Multiple Command and Control Channels

**Badger provides multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/multi_pivot.jpeg)

### Automate Adversary TTPs

**Use existing Brute Ratel modules or build your own using in-memory execution of C#, BOFs, PowerShell scripts or Reflective DLLs, and automate the execution of the commands using the Click Script feature.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/click_script.png)

### Various Out-Of-Box Evasion Capabilities

| Evasion Capabilities                           | x64 Support | x86 Support | x86 on Wow64 Support |
| ---------------------------------------------- | ----------- | ----------- | -------------------- |
| Indirect System Calls                          | Yes         | Yes         | Yes                  |
| Hide Shellcode Sections in Memory              | Yes         | Yes         | Yes                  |
| Multiple Sleeping Masking Techniques           | Yes         | No          | No                   |
| Unhook EDR Userland Hooks and DLLs             | Yes         | No          | No                   |
| Unhook DLL Load Notifications                  | Yes         | No          | No                   |
| LoadLibrary Proxy for ETW Evasion              | Yes         | No          | No                   |
| Thread Stack Encryption                        | Yes         | Yes         | Yes                  |
| Badger Heap Encryption                         | Yes         | Yes         | Yes                  |
| Masquerade Thread Stack Frame                  | Yes         | Yes         | Yes                  |
| Hardware Breakpoint for AMSI/ETW Evasion       | Yes         | Yes         | Yes                  |
| Reuse Virtual Memory For ETW Evasion           | Yes         | Yes         | Yes                  |
| Reuse Existing Libraries from PEB              | Yes         | Yes         | Yes                  |
| Secure Free Badger Heap for Volatility Evasion | Yes         | Yes         | Yes                  |
| Advanced Module Stomping with PEB Hooking      | Yes         | Yes         | Yes                  |
| In-Memory PE and RDLL Execution                | Yes         | Yes         | Yes                  |
| In-Memory BOF Execution                        | Yes         | Yes         | Yes                  |
| In-Memory Dotnet Execution                     | Yes         | Yes         | Yes                  |
| Network Malleability                           | Yes         | Yes         | Yes                  |
| Built-In Anti-Debug Features                   | Yes         | Yes         | Yes                  |
| Module stomping for BOF/Memexec                | Yes         | Yes         | Yes                  |

#### Want to learn more about our private trainings and services?

Dark Vortex provides various trainings related to information security. For the standard list of training programs, visit [Dark Vortex](https://0xdarkvortex.dev/) or reach us at <chetan@bruteratel.com>.
