This is a minor update to Brute Ratel C4 v0.4.1 (Chaos Theory), which was released a few days back. It brings one small feature release and a few UI bug fixes in Commander. The next major release will focus on credential harvesting, so I decided to ship the process mitigation policy feature as a minor update, along with some bug fixes, before moving on to that work.
This update adds the infamous process mitigation policy feature to the badger. Microsoft provides the Windows API SetProcessMitigationPolicy, which among other policies lets a process opt into the binary signature policy (ProcessSignaturePolicy with MicrosoftSignedOnly set), after which the loader refuses to map any DLL that is not signed by Microsoft. A lot of EDRs rely on loading their own DLL into every newly created process to monitor its memory, injections and thread execution from inside, and this policy stops that DLL from loading. However, SetProcessMitigationPolicy only applies to the calling process; it cannot set the policy on a remote process. So, by making small changes to the PEB structure of a remote process, the badger sets this mitigation policy and disallows the process from loading non-Microsoft DLLs.

Two caveats are worth keeping in mind. The policy only governs image loading, so an EDR's kernel-mode telemetry (process and image-load notification callbacks, ETW) still sees the process; what it loses is the user-mode hook DLL. And the policy is itself queryable with GetProcessMitigationPolicy, so a spawned cmd.exe or rundll32.exe that unexpectedly carries it is something a defender can look for.
You can use the dll_block command to block third-party DLLs from loading into the remote process.
Once this command is enabled, every new process the badger creates, whether for reflective injection or as a normal process, is spawned with the mitigation policy set. If you want to disable this, use the
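To make the mechanism concrete, here is an added PowerShell example; it is not Brute Ratel code and does not reproduce the badger's PEB edit. It spawns a child process with the binary signature policy already set, using the documented PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY creation attribute (the supported way to apply the policy to a process other than your own), reads the policy back from the child with GetProcessMitigationPolicy, and then lists every running process that carries the policy, which is the check a defender would run to spot such processes. The SigPolicy type name and the three function names are my own; the constants, structures and calls are the Win32 API as documented.

```powershell
# Added example, not Brute Ratel code. Applies MicrosoftSignedOnly to a child
# at creation time via PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, then verifies it.
if (-not ('SigPolicy' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class SigPolicy   // helper type name is my own
{
    // Values from winbase.h / winnt.h
    public const int   PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007;
    public const ulong BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON  = 0x0000100000000000UL; // 1 << 44
    public const uint  EXTENDED_STARTUPINFO_PRESENT            = 0x00080000;
    public const int   ProcessSignaturePolicy                  = 8; // PROCESS_MITIGATION_POLICY enum

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InitializeProcThreadAttributeList(IntPtr list, int count, int flags, ref IntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UpdateProcThreadAttribute(IntPtr list, uint flags, IntPtr attribute,
        IntPtr value, IntPtr size, IntPtr prev, IntPtr retSize);
    [DllImport("kernel32.dll")]
    public static extern void DeleteProcThreadAttributeList(IntPtr list);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, string cmdline, IntPtr pa, IntPtr ta, bool inherit,
        uint flags, IntPtr env, string cwd, ref STARTUPINFOEX si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int policy, out uint buffer, IntPtr length);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
}

function Start-SignedOnlyProcess {
    param([string]$CommandLine = 'notepad.exe')
    $M = [Runtime.InteropServices.Marshal]
    $size = [IntPtr]::Zero
    # First call only reports the required buffer size and returns FALSE by design.
    [SigPolicy]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size) | Out-Null
    $list = $M::AllocHGlobal($size)
    if (-not [SigPolicy]::InitializeProcThreadAttributeList($list, 1, 0, [ref]$size)) {
        throw "InitializeProcThreadAttributeList failed: $($M::GetLastWin32Error())"
    }
    # The attribute value is a DWORD64; the ALWAYS_ON bit for this policy is bit 44.
    $value = $M::AllocHGlobal(8)
    $M::WriteInt64($value, [int64][SigPolicy]::BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON)
    if (-not [SigPolicy]::UpdateProcThreadAttribute($list, 0, [IntPtr][SigPolicy]::PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
            $value, [IntPtr]8, [IntPtr]::Zero, [IntPtr]::Zero)) {
        throw "UpdateProcThreadAttribute failed: $($M::GetLastWin32Error())"
    }
    $info = New-Object SigPolicy+STARTUPINFO
    $si   = New-Object SigPolicy+STARTUPINFOEX
    $info.cb = $M::SizeOf($si)          # cb = sizeof(STARTUPINFOEX) when EXTENDED_STARTUPINFO_PRESENT is used
    $si.StartupInfo = $info             # assign the whole nested struct; PowerShell copies value types on access
    $si.lpAttributeList = $list
    $pi = New-Object SigPolicy+PROCESS_INFORMATION
    $ok = [SigPolicy]::CreateProcess($null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false,
            [SigPolicy]::EXTENDED_STARTUPINFO_PRESENT, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = $M::GetLastWin32Error()
    [SigPolicy]::DeleteProcThreadAttributeList($list); $M::FreeHGlobal($list); $M::FreeHGlobal($value)
    if (-not $ok) { throw "CreateProcess failed: $err" }
    return $pi
}

function Get-SignaturePolicy {
    param([IntPtr]$ProcessHandle)
    $flags = [uint32]0   # PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY is a DWORD-sized union of bit flags
    if (-not [SigPolicy]::GetProcessMitigationPolicy($ProcessHandle, [SigPolicy]::ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)) {
        throw "GetProcessMitigationPolicy failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [pscustomobject]@{
        MicrosoftSignedOnly = [bool]($flags -band 1)
        StoreSignedOnly     = [bool]($flags -band 2)
        MitigationOptIn     = [bool]($flags -band 4)
    }
}

# Defender's check: which running processes carry MicrosoftSignedOnly? On a stock
# workstation this is rare, so a spawned cmd.exe or rundll32.exe with it stands out.
function Find-SignedOnlyProcesses {
    foreach ($p in Get-Process) {
        try { $h = $p.Handle } catch { continue }   # protected or system processes cannot be opened
        try {
            if ((Get-SignaturePolicy $h).MicrosoftSignedOnly) { [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName } }
        } catch { }
    }
}

$pi = Start-SignedOnlyProcess 'notepad.exe'
"Spawned PID $($pi.dwProcessId) with signature policy:"
Get-SignaturePolicy $pi.hProcess | Format-List
[void][SigPolicy]::CloseHandle($pi.hThread); [void][SigPolicy]::CloseHandle($pi.hProcess)
Find-SignedOnlyProcesses | Format-Table -AutoSize
```

Running this spawns notepad.exe and MicrosoftSignedOnly reads True for it; any attempt to load a DLL that is not Microsoft-signed into that process fails with ERROR_INVALID_IMAGE_HASH (577). The last line is the mirror image of the technique: a hunting query over live processes that surfaces exactly the processes a badger configured with dll_block would produce.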
Apart from this feature, there were several other minor changes to the UI of the Commander. You can find the detailed information in the release notes here. You can update your Brute Ratel package using your activation key and the -update argument in the ratel console.