Skip to content

Hide Navigation Hide TOC

Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5)

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Brute Ratel C4 - S1063 (75d8b521-6b6a-42ff-8af3-d97e20ce12a5) mitre-tool 1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) Attack Pattern 2
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2