Brute Ratel v1.6 codename Reboot is now available for download. This release brings in several updates to existing evasion techniques, support for Windows Commander, Hi-DPI scaling and various heavy user experience updates (QOL) requested by the BRc4 community. A quick summary of the changes can be found in the release notes.
This release brings in support for sleep and jitter for LDAP Sentinel with the ‘sentinel_sleep’ command. Using this, operators can provide an interval between every single LDAP request to the Domain Controller. Unlike previous releases, this version of LDAP Sentinel supports SASL authentication with a fallback mechanism to the default kerberos authentication. The SASL authentication consists of encrypted messages inside the LDAP “bind” requests and responses. The “bind” request contains the distinguished name of the directory object that Badger wishes to authenticate as either with an impersonated token or directly. This feature was added to support forced Certificate SASL authentication within some environments. Interestingly, this also provides better evasion against network based IDS which build detections against known LDAP queries from unencrypted data or by tracking multiple LDAP queries originating from one source and then tagging it as an anomaly. Due to the encrypted nature of the SASL authentication, it becomes difficult for various detection systems which do not handle SASL. Apart from these changes, LDAP Sentinel also supports attribute filtering. An operator can now provide multiple attribute filters within LDAP filters to limit search output to requested attributes. The below example shows attribute filters (name, distinguishedName, lastlogon and objectSid) added to the LDAP query to search user objects.
This feature when coupled with BofHound makes it easier to build custom bloodhound compatible json files.
The GetSecurityDescriptorDacl API provides a way to enumerate a Discretionary Access Control List for an object. Brute Ratel uses this API with the newly added ‘acl’ command to enumerate permissions of a file or folder similar to the ‘cacls.exe’ executable.
During a red team engagement, a network service process or an IIS Server process, when exploited, might not have proper environment variables. In one of the previous releases, we introduced the ‘getenv’ command to enumerate the process environment variables. This release extends this functionality to add custom environment variables for the current process using the ‘setenv’ command.
A miniature ‘curl’ functionality was added to this release to perform http/https requests to a given site and url. This command can send a GET request to HTTP/S server on a given port and URI and receive html output in raw format. This can be extremely handy to search and enumerate internal web applications without the need to start Socks proxy every now and then, or to check if your backup C2 channel is reachable from within the organizational environment.
Another anti-forensic feature that was requested by the community was to securely delete the files so that it cannot be extracted by the blue team using EnCase and Autopsy. This is an optional feature added to the ‘rm’ command which accepts the ‘rf’ argument. When this command is executed, the requested file is overwritten with garbage and zeroes out every bit multiple times before deletion. This makes recovery of files extremely difficult. Make note that large files will take more time for secure deletion, as more bytes are written to disk.
An interesting feature observed with an EDR was tracking of DLL loads in userland. Most EDRs monitor DLL loads in the kernel via the PsSetLoadImageNotifyRoutineEx callback. However, for unknown reasons it was observed that some EDRs capture this information in the userland by hooking LoadLibrary events. One theory behind this would be that kernel callbacks provide a limited amount of information such as the IMAGE_INFO structure. Userland Hooking can provide an EDR more leverage to quickly perform remediations without having to use Kernel CPU time. This release of BRc4 disables userland DLL notifications by default.
Another community request was to modify the way SMB payload handled authentication from remote systems. Usually it’s a good idea to allow only authenticated users to connect to the named pipe. However, this isn’t feasible when the SMB shellcode is executed via IIS server exploitation which you do not have tokens or passwords of. Thus, the only way to connect to the named pipe is by changing the DACL of the named pipe. This release disables SMB authentication on the named pipes and allows all users to connect to the Badger’s named pipe.
Various changes were made to the Ratel Server and Badger architecture for evasion, stability and usability. The following list includes a few of the major changes:
One of the most requested features of Commander was support for custom themes. What better way to support this, if not via stylesheets. Operators can now write custom stylesheets and change every aspect of the Commander, adding different fonts, colors and font-size for every widget and dialog box. The default theme is Dark, however ‘light’ and ‘shady’ themed stylesheets are provided in the package. Operators can use them as a reference to write their own stylesheet. The generated stylesheet file can be passed as a command line argument to the shellscript ‘commander-runme.sh’.
Starting from this release, official support is provided for Commander to be run on Windows 10. The package includes the ‘commander-runme.bat’ file which loads up all dependencies and executes the main Commander executable. Make note that Pivot and MITRE graphs are not supported in windows due to some limitations of the chromium library used to render graphs in linux. Entire backend of the Commander was rewritten for a better user experience. Some of the highlights include:
There were various other improvements made to the Ratel Server’s backend, Badger commands and Commander, some of which are listed in the release notes. Various other evasion updates have also been added which are not added to the release notes to keep it away from the hands of defenders. There are a few more post-exploitation feature releases scheduled for the upcoming month, which were supposed to be added in this release (as mentioned in the discord channel), but were not added due to their stability issues. However, they will be pushed as a part of minor release once stable. Users are requested to update to this release as it provides several QOL over the previous release. Stay tuned and Happy Hacking :)