Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)	mitre-tool	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	2
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2