Skip to content

Hide Navigation Hide TOC

Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 1
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 2