Brute Ratel C4 is a Customizable Command & Control Center for Advanced Red Team and Adversary Simulation operations. It can simulate different stages of an attacker killchain and provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.
The idea of building a C4 started back in 2017, when I was working as a Security Researcher at Network Intelligence Consulting and I was tasked to simulate various attacks and build a threat hunting platform using ELK-stack. I initially used Metasploit for most of the tasks, but using Open-Source tools meant that we would have to either stick to the limited capabilities of the tool or add additional features on our own. I thus decided to use other Open-Source tools on GitHub to map different MITRE attack techniques of process injections like CreateFileMapping and DotNet injections which became very famous in 2017. In 2018 I migrated internally to the Offensive department where I started leading the Red Team Operations, but using Metasploit for Red Teams meant that we had heavy chances of being detected, even though the execution was in memory. Don’t get me wrong, Metasploit is a great POC tool and nothing beats the sophistication of its exploitation and remote tooling mechanisms, but it still lacked a lot of things that would be required to become a good APT-simulation tool. Metasploit payloads did not support basic features like Sleep and Jitter, and not to mention the extremely laggy UI of the Metasploit Pro. All of these roadblocks gave me a kick start to combine all Open-Source tools and techniques and build a common Attack Simulation framework that can be used to execute all types of attacks as required. I hacked through C, Assembly and Python3 code and built a C2 named ‘Inferno’ which I used during my initial Red Team Engagements, which used lots and lots of WinAPIs to evade command executions on the endpoint. API hooking was still very new to EDRs back then and it simply worked.
I used to build simple C2s for #RedTeam projects. Never thought that building an enterprise level C2 Server+payload+client single handedly would be this much fun. Added new feature to convert a bot to ransomware. Next milestone -> Convert Botnet to GraphView#AdversarySimulation pic.twitter.com/aD3Dl76Tal— Paranoid Ninja (@NinjaParanoid) June 10, 2019
During mid 2019, I joined Mandiant/FireEye as a Senior Red Team Consultant where I was first introduced to CobaltStrike. We used to be heavily dependent on CobaltStrike for most of the tasks and I quickly realized how great CobaltStrike was. CobaltStrike has an extremely stable beacon feature and had multiple process injection techniques embedded with it. The C2-Profile was great and clumsy at the same time since it can be configured to do a lot of things, but writing a decent custom profile meant you have to understand the Sleep language which was built by Raphael Mudge himself. But slowly as I progressed, I realised that CobaltStrike had its limitations too. CobaltStrike was heavily signatured, especially the powerpick feature which hosted PowerShell scripts locally on the remote beacon and then download it using IEX. CobaltStrike also did not have on-the-go features like changing host headers for payloads which were required for Domain Fronting. In order to do this, you would have to stop the server, change the C2-Profile, and start the server again. There was a similar bug for changing the named-pipes for SMB beacon. Another feature which I missed most was DNS Over HTTPS (DOH) which CS did not fully support. Using DOH from SpiderLabs meant that I had to enable External-C2s, and DOH did not support the Sleep feature of the beacon fully. Even the SMB beacon had a bad bug that it could not change the Named PIPE name once they have been configured in the C2 profile. Killing a C2-server mid-engagement to change the Named PIPE was a big no-no. More importantly, Raphael Mudge did not sell CobaltStrike outside the US territory.
I ended up realizing that in the current InfoSec community, there are very few people who built C2. And the people who built the Open-Source C2s, either could not dedicate their full time to build and provide all the features to the C2, or lost motivation in between and stopped providing support altogether. Most of the Organizations who build defensive EDRs, don’t even support the offensive community, let alone help or sponsor them.
I’ve seen several experienced people in the InfoSec community who condemn building offensive tools, and you will realize that these are the same people who have hardly contributed anything to Open-Source. The recent attacks on Cyber Security companies proves that a lot of companies use Open-Source tools internally, but they don’t support the Offsec-Devs from the outside.
“There’s too much hate in our shinobi world.. I’m always thinking that I want to do something about this hatred… But I’m not sure how to go about it yet”. > - Jiraiya to Naruto
All of these incidents gave me immense motivation to build Brute Ratel which started as a way to build my programming skills and channel my frustration to code. Over time, you will realize that building a feature is a very small thing as compared to building a full-fledged C2, since building a C2 requires you to have immense knowledge of low-level languages, high-level languages, networking, network programming, integrating different tools and techniques with the payload, making the payload customizable and knowing web pentest as well since you would want to build a secure C2 Server.
And finally, instead of keeping it to myself, I’ve decided to make it commercial. Burte Ratel will receive insanely quick fixes, patches and features since I will be managing the full development myself. Before you ask me, why I am making this commercial, I would like to convey that BRC4’s server is built in GO, whereas the desktop handler is in QT++ and D3.js, Android handler is in Java and Payload is a mixture of C and x64 Assembly. I’ve spent several sleepless hours and days building the C4 Server and adding all past 10 years of InfoSec tricks and techniques for evasion and injection. And I don’t want to do free Red Team giveaways to those same InfoSec Conglomerates :). Maybe in the near future, I will make it Open-Source.
I would also like to highlight that my usual research blogs would continue to be on Dark Vortex. This website will only host contents and posts related to BRC4. I will end my rant here on why I found it necessary to build Brute Ratel. You can find a full list of features in the feature section, and more tutorials for BRC4 are on the way.