Brute Ratel C4

https://bruteratel.com/

A Customized Command and Control Center for Red Team and Adversary Simulation

DNS Over HTTPS

Alongside the default HTTPS connections, Badger's DNS over HTTPS lets newly bought domains be used without the need for domain fronting or a redirector, while also providing a backup channel so that the operator can switch to other HTTPS profiles on the fly.

External C2 Channels

The SMB and TCP badgers allow custom External C2 channels to be written over legitimate services such as Slack, Discord, Microsoft Teams and more.

Indirect Syscalls

Badger provides various process injection capabilities and an option to switch between WinAPI, NTAPI and syscalls on the fly.

Built-in Debugger To Detect EDR Userland Hooks

Badger provides various techniques to hunt for EDR userland hooks and hooked DLLs, and to avoid triggering them using syscall obfuscation and debugging techniques.

Brute Ratel MITRE graph

Brute Ratel features a seamlessly integrated MITRE graph for all built-in commands, providing a user-friendly interface for adversary simulation activities.

One stop for all your LDAP queries

Ldap Sentinel provides a rich GUI for running LDAP queries against a domain or a forest. Whether you want to run SPN queries for a specific user or query large group objects, all of it can be done effortlessly using prebuilt queries.

Multiple Command and Control Channels

Badger provides multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.

Automate Adversary TTPs

Use existing Brute Ratel modules or build your own using in-memory execution of C#, BOFs, PowerShell scripts or Reflective DLLs, and automate the execution of commands using the Click Script feature.

Various Out-Of-Box Evasion Capabilities

Evasion Capabilities                              x64 Support  x86 Support  x86 on Wow64 Support
Indirect System Calls                             Yes          Yes          Yes
Hide Shellcode Sections in Memory                 Yes          Yes          Yes
Multiple Sleeping Masking Techniques              Yes          No           No
Unhook EDR Userland Hooks and DLLs                Yes          No           No
Unhook DLL Load Notifications                     Yes          No           No
LoadLibrary Proxy for ETW Evasion                 Yes          No           No
Thread Stack Encryption                           Yes          Yes          Yes
Badger Heap Encryption                            Yes          Yes          Yes
Masquerade Thread Stack Frame                     Yes          Yes          Yes
Hardware Breakpoint for AMSI/ETW Evasion          Yes          Yes          Yes
Reuse Virtual Memory for ETW Evasion              Yes          Yes          Yes
Reuse Existing Libraries from PEB                 Yes          Yes          Yes
Secure Free Badger Heap for Volatility Evasion    Yes          Yes          Yes
Advanced Module Stomping with PEB Hooking         Yes          Yes          Yes
In-Memory PE and RDLL Execution                   Yes          Yes          Yes
In-Memory BOF Execution                           Yes          Yes          Yes
In-Memory Dotnet Execution                        Yes          Yes          Yes
Network Malleability                              Yes          Yes          Yes
Built-In Anti-Debug Features                      Yes          Yes          Yes
Module Stomping for BOF/Memexec                   Yes          Yes          Yes

Want to learn more about our private trainings and services?

Dark Vortex provides a range of information security training courses. For the standard list of training programs, visit Dark Vortex, or feel free to reach us at chetan@bruteratel.com