Evasion Updates v1.2.3 - Scandinavian Defense

This release is a minor update under v1.2.3 release tag towards the core of the badger along with some bug fixes, UI overhaul and improvements to the QOL of the badger/server and the UI. Most of the previous releases were focused on adding evasions to the badger. However, one of the important things that was left out was updates to the UI. This update brings in various changes to the UI along with a Material theme. The below images showcase the updates made to the user interface. Along with the UI updates, the user interface now also allows to spawn a standalone instance of the badger’s terminal from the UI detached from the main GUI. A quick summary of the changes can be found in the release notes.

Apart from the UI updates, there was a tool recently released by @thefLink called Hunt-Sleeping-Beacons which detected several sleeping techniques using APC and Thread Pools. As most of you might know that I like to build evasions as and when new detections are introduced, I decided to build one for this and push it for customers. The evasion isn’t hard to build against such detection as the tool hunted specifically for thread pool threads which are not in Queued state and used WrUserRequest as a state of waiting. This means if you use Wait APIs of windows such as WaitForSingleObject(ex) or any other similar APIs, the sleeping thread would be in a state of WrUserRequest instead of the default WrQueue for thread pools. However, once you start reversing ntdll, you will find a few more API calls which can wait without having to call WaitForSingleObject or it’s native counterpart. There were also a few changes made to the core to evade some aspects of Defender ATP’s ETWTI Sensors. Thus, I decided to push this update with a few tweaks to the sleeping techniques to avoid memory scan detections. The below video showcases this evasion against the mentioned tool above.

Apart from these there were two bugs reported by customers as mentioned in the release notes which were heavily tested and have been fixed in the update. Below is a quick overview of stress testing Brute Ratel against 500 simultaneous connections of badgers to simulate a DOS attack.

Since the badger’s core currently evades every EDR, upcoming releases will focus more on providing extensibility towards building your own payloads to be used with the Ratel Server, more OOB external C2 channels and new memory injection techniques. Meanwhile, if any BRc4 customers face detections, we have a highly active Discord channel where such detections can be reported and I will be more than happy to provide mini updates for such detections. Happy Hacking!!!