Keep yourself updated with the latest tactics and techniques using Brute Ratel C4.
Release May 17, 2022
Brute Ratel v1.0 codename Sicilian Defense is now available for download. This release brings several new feature additions and improvements to the Badger and Commander. The release is focused towards the Egress comms of the badger. There will be a follow up blog, post the release which will showcase the external C2 capabilities. A quick summary of the changes can be found in the release notes.
Release January 24, 2022
Brute Ratel v0.9.0 (Checkmate) is biggest release for Brute Ratel till date. This release brings major changes to the Brute Ratel’s loader, reflective DLL, shellcode and the internal APIs being called. As detailed in the previous version, where several syscall injection techniques were added for evasion, but they were limited to the reflective DLL’s loader of BRc4 and the VEH (Vectored Exception Handler) API of Windows. This version uses an updated version of Syscalls for almost everything except a few of those which I was pretty sure would never be hooked since they are too noisy. This release was built after reverse engineering several top tier EDR and Antivirus DLLs. A quick summary of the changes can be found in the release notes.
Release January 08, 2022
Brute Ratel v0.8.0 (Warfare Tactics) is now available for download and provides a major update towards in-memory and network evasion features. This release bring plethora of new capabilities which provide a gateway for in-memory evasion features like self-debugging, unhooking syscalls and hooking your own payload for monitoring via Process Instrumentation. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.
Release November 28, 2021
Brute Ratel v0.7.0 (Tsukuyomi) is now available for download and provides a major update towards in-memory evasion and addition of open source tooling. This release also contains addition and conversion of several public BOFs to internal functions of Brute Ratel so that users won’t have to depend on public BOFs which might not necessarily be stable. This also helps to avoid VirtualAlloc API call for BOF allocation altogether which is an added cherry on the top. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.
Release September 21, 2021
Brute Ratel v0.6.0 (Resurrection) is now available for download and provides a major update towards the x86 architecture support and various in-memory execution features. This release contains a major rewrite of a portion of the backend which provides better stability, at the same time allowing to make feature additions easier for future releases. I have listed the technical details of the release below, however a detailed list on the features and bug fixes can be found in the release notes.
Release July 03, 2021
Brute Ratel v0.5.0 (Syndicate) is now available for download and provides a major update towards several features and the user interface of Brute Ratel. Commander comes with a new user interface providing a much more granular information on the metadata of the C4 features which can be seen in the figure below.
Research Feature-update June 01, 2021
Reflective DLL injection remains one of the most used techniques for post-exploitation and to get your code executed during initial access. The initial release of reflective DLLs by Stephen Fewer provided a great base for a lot of offensive devs to build their tools which can be executed in memory. Later came in PowerShell and C# reflection which use CLR DLLs to execute managed byte code in memory. C# and PowerShell reflection are both subject to AMSI scan which perform string based detections on the byte code, which is not a lot different from your usual Yara rule detection. Reflective DLLs however provide a different gateway which at a lower level allows you to customize how the payload gets executed in memory. Most EDRs in the past 3-4 years have upgraded their capabilities to detect the default process injection techniques which utilize Stephen Fewer’s reflective loader along with his Remote Process Execution technique using the CreateRemoteThread API.
Release May 07, 2021
This is a minor update to Brute Ratel C4 v0.4.1 (Chaos Theory) which was released a few days back. This update brings a minor feature release and a few UI bug fixes on Commander. The next major release will be focusing on Credential Harvesting. So, I decided to add the process mitigation policy feature as a minor update along with some bug fixes before I move to the next major release.
Release May 02, 2021
Brute Ratel C4 v0.4.1 (Chaos Theory) is now available for download and provides a major update towards process injection, memory allocation, thread execution and Adversary Simulations. Multiple other commands for discovery and lateral movement and graphical changes for ease of use have also been added to the Badger and the Commander UI.
Release March 06, 2021
Brute Ratel C4 v0.3 (Vendetta) is now available for download and provides a major update towards lateral movement and payload generation capabilities. We have officially started providing trial licenses of 7 days now which wasn’t possible earlier due to the way the licensing system was programmed.