Brute Ratel C4 Blogs

Keep yourself updated with the latest tactics and techniques using Brute Ratel C4.

  • Exception Junction - Where All Exceptions Meet Their Handler

    Research

    This blog is in relation to some of the hurdles I’ve met while debugging and researching various new features for Brute Ratel. Before we get started, let me inform you that this blog is not for beginners. It requires some knowledge about Windows internals, exception handlers, and getting your hands dirty with a debugger, preferably x64dbg. And to add to that, there’s limited to near zero information on the web related to this topic, thus I spent the last 24 hours researching and writing this from scratch while being high on caffeine.

  • PE Reflection: The King is Dead, Long Live the King

    Research Feature-update

    Reflective DLL injection remains one of the most used techniques for post-exploitation and to get your code executed during initial access. The initial release of reflective DLLs by Stephen Fewer provided a great base for a lot of offensive devs to build their tools which can be executed in memory. Later came in PowerShell and C# reflection which use CLR DLLs to execute managed byte code in memory. C# and PowerShell reflection are both subject to AMSI scan which perform string based detections on the byte code, which is not a lot different from your usual Yara rule detection. Reflective DLLs however provide a different gateway which at a lower level allows you to customize how the payload gets executed in memory. Most EDRs in the past 3-4 years have upgraded their capabilities to detect the default process injection techniques which utilize Stephen Fewer’s reflective loader along with his Remote Process Execution technique using the CreateRemoteThread API.

  • Executing Position Independent Shellcode from Object Files in Memory

    Research Feature-update

    Reflective DLL and shellcode injection remain one of the most used techniques for threat actors as well as Red Teamers for post exploitation since the executions happen only in memory and they don’t have to drop anything to disk. However, most of the offsec-tools use shellcode injection only for initial access or for exploitation of vulnerable services and processes. Reflective DLLs and C# executables which can be loaded directly into memory are more often the choice of adversaries for post-exploitation tasks, since writing them is a less tedious task than writing assembly code as we have to manage the stack and registers ourselves in assembly. However, what if we can write the shellcode in a higher language like C? In this blog, we will delve into the dark corners of linkers and compilers to write a position independent code in C and extract it’s shellcode.