# Brute Ratel C4

<https://bruteratel.com/>

## **A Customized Command and Control Center for Red Team and Adversary Simulation**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/main.png)

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/mitre.png)

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/smbpivot.png)

### DNS Over HTTPS

**Alongside the default HTTPS connections, Badger's DNS over HTTPS makes newly bought domains usable without the need for domain fronting or a redirector, while also providing a backup option to switch to other HTTPS profiles on the fly.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/doh_profile.png)

### External C2 Channels

**The SMB and TCP badgers provide functionality to write custom External C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/external_c2.png)

### Indirect Syscalls

**Badger provides various process injection capabilities and an option to switch between WinAPI, NTAPI and syscalls on the fly.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/proc_inject.png)

### Built-in Debugger To Detect EDR Userland Hooks

**Badger provides various techniques to hunt EDR userland hooks and DLLs, and to avoid triggering them using various syscall obfuscation and debugging techniques.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/detect_hook.png)

### Brute Ratel MITRE graph

**Brute Ratel features a seamlessly integrated MITRE graph for all built-in commands, providing a user-friendly interface for Adversary Simulation activities.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/mitre.png)

### One stop for all your LDAP queries

**LDAP Sentinel provides a rich GUI for running various LDAP queries against the Domain or a Forest. Whether you want to run SPN queries for a specific user or query large group objects, all of it can be done effortlessly using prebuilt queries.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/5.1_ldapsentinel.png)

### Multiple Command and Control Channels

**Badger provides multiple pivot options such as SMB, TCP, WMI, WinRM and managing remote services over RPC.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/multi_pivot.jpeg)

### Automate Adversary TTPs

**Use existing Brute Ratel modules or build your own using in-memory execution of C# assemblies, BOFs, PowerShell scripts or reflective DLLs, and automate the execution of the commands using the Click Script feature.**

![](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Pentest/Red%20Team/C2%20Frameworks/Brute%20Ratel%20C4/click_script.png)

### Various Out-Of-Box Evasion Capabilities

| Evasion Capabilities                           | x64 Support | x86 Support | x86 on Wow64 Support |
| ---------------------------------------------- | ----------- | ----------- | -------------------- |
| Indirect System Calls                          | Yes         | Yes         | Yes                  |
| Hide Shellcode Sections in Memory              | Yes         | Yes         | Yes                  |
| Multiple Sleeping Masking Techniques           | Yes         | No          | No                   |
| Unhook EDR Userland Hooks and Dlls             | Yes         | No          | No                   |
| Unhook DLL Load Notifications                  | Yes         | No          | No                   |
| LoadLibrary Proxy for ETW Evasion              | Yes         | No          | No                   |
| Thread Stack Encryption                        | Yes         | Yes         | Yes                  |
| Badger Heap Encryption                         | Yes         | Yes         | Yes                  |
| Masquerade Thread Stack Frame                  | Yes         | Yes         | Yes                  |
| Hardware Breakpoint for AMSI/ETW Evasion       | Yes         | Yes         | Yes                  |
| Reuse Virtual Memory For ETW Evasion           | Yes         | Yes         | Yes                  |
| Reuse Existing Libraries from PEB              | Yes         | Yes         | Yes                  |
| Secure Free Badger Heap for Volatility Evasion | Yes         | Yes         | Yes                  |
| Advanced Module Stomping with PEB Hooking      | Yes         | Yes         | Yes                  |
| In-Memory PE and RDLL Execution                | Yes         | Yes         | Yes                  |
| In-Memory BOF Execution                        | Yes         | Yes         | Yes                  |
| In-Memory Dotnet Execution                     | Yes         | Yes         | Yes                  |
| Network Malleability                           | Yes         | Yes         | Yes                  |
| Built-In Anti-Debug Features                   | Yes         | Yes         | Yes                  |
| Module stomping for BOF/Memexec                | Yes         | Yes         | Yes                  |

#### Want to learn more about our private trainings and services?

Dark Vortex provides various trainings related to information security. For a standard list of training programs, visit [Dark Vortex](https://0xdarkvortex.dev/) or feel free to reach us at <chetan@bruteratel.com>

