Release v1.8 - Mirage - Evading Every EDR On The Planet Part 2

Brute Ratel v1.8 [codename Mirage] is now available for download. This release provides a heavy update towards evasion and other feature requests from the community. Customers using the v1.7 release should note that v1.7 Badgers will not work with v1.8. Do not upgrade to this release if you are in an active engagement. Release notes have been disabled from here on out, as we’ve noticed that they help various security solutions build detection capabilities. All blog updates/documentation will only contain minimal information on the internals starting from this release. Customers wanting further information can reach out to us on the dedicated email or Discord support channel.

Feature Additions

This release contains major rewrites to various sections within the badger and server to optimize the code and make it more modular for OpSec. Some of the core parts that were updated are the unhooking mechanisms, the shellcode unwrapper, the data packing mechanism, comms and a few more. Apart from the heavy internal changes, there are three major features in this release:

  • Full stack frame spoofing on sleep zero
  • Exception handler unhooking
  • Raw DNS Badger

Stack Frame Spoofing On Sleep Zero

Previous releases of Brute Ratel included stack frame spoofing, but only while the badger was sleeping. Whenever an operator executed a command, the command ran from the original stack frame. This meant security solutions could trace the stack via Vectored Exception Handling or via kernel ETW and find the originating address of the shellcode. Once that address is found, YARA scans and pattern detection are run on the memory region to hunt for known signatures. This could be avoided with the help of module stomping, which made the stack look clean, since stomped modules originate from disk unlike shellcode, which originates from a memory region. With this release, irrespective of sleep zero, SOCKS proxy execution/remote port forwarding or any other command that an operator executes, the stack will be 100% legitimate: the traces won’t return to the shellcode region. Previously, when you created a process and waited for its output, the stack could easily be seen as originating from memory; that is no longer the case. All process output capture and every thread created by the badger uses a dynamically generated stack frame which is different and random every time. This makes indirect syscalls pretty much useless, as indirect syscalls only spoofed the return address.
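As an added illustration (not Brute Ratel code; every address below is constructed), this is the shape of the call-stack check the paragraph describes: each return address is resolved against the loaded-module map, and any frame that lands outside a disk-backed module marks the stack for memory scanning. A stack built only from module-backed frames, which is what the spoofing above aims to produce, passes this check unchanged.

```python
# Added example (not Brute Ratel code): the kind of call-stack check an EDR
# performs when it walks a thread's frames. Frames whose return address is
# not backed by a loaded on-disk module are flagged as candidates for
# memory scanning. All addresses below are made up for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map, in the shape a stack-walker would get from the loader.
MODULES = [
    Module("ntdll.dll", 0x7FFE_0000_0000, 0x1F0000),
    Module("kernel32.dll", 0x7FFD_F000_0000, 0xC0000),
    Module("rpcrt4.dll", 0x7FFD_E000_0000, 0x110000),
]


def resolve(addr: int, modules=MODULES):
    """Return the module backing addr, or None if it is unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def unbacked_frames(frames, modules=MODULES):
    """Return (index, address) for every frame outside any loaded module."""
    return [(i, a) for i, a in enumerate(frames) if resolve(a, modules) is None]


def classify_stack(frames, modules=MODULES) -> str:
    hits = unbacked_frames(frames, modules)
    return "clean" if not hits else f"suspicious: {len(hits)} unbacked frame(s)"


# Constructed stacks: one whose last frame returns into an unbacked region
# (a hypothetical shellcode allocation), one built only from module addresses.
UNSPOOFED = [0x7FFE_0000_1234, 0x7FFD_F000_5678, 0x0201_0000_0040]
SPOOFED = [0x7FFE_0000_1234, 0x7FFD_F000_5678, 0x7FFD_E000_0A10]

if __name__ == "__main__":
    for name, stack in (("unspoofed", UNSPOOFED), ("spoofed", SPOOFED)):
        print(name, classify_stack(stack))
```

Once every frame resolves to a module, this check returns clean, which is exactly the outcome the paragraph claims for v1.8; a defender should therefore treat module backing as one signal among several rather than the whole decision.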

Exception Handling Unhooking

It was also observed that some EDRs use vectored exception handlers as well as hardware breakpoint exceptions (SINGLE_STEP exception) to capture telemetry from a process. Although VEH unhooking was added way back when we reversed the SentinelOne EDR, we added hardware breakpoint exception handler unhooking in this v1.8 release. More information on this was also posted on the Twitter channel a few days back.

Raw DNS Badger

This release extends the DNS over HTTPS functionality to use raw DNS badgers directly with the Brute Ratel server. These can be generated by right-clicking the DOH/DNS listener; a selection dialog will pop up to select the type of badger required. A single listener (DOH/DNS) provides both of these functions.

Other Feature Improvements

  1. Custom service executables can be added via the ‘register_psexec’ profile. This can be enabled by adding the JSON below to the profile, or by uploading it to the Ratel server via Commander. Make note that the path should be reachable on the server. Commander does not upload the files; they should be present on the server side before this profile is uploaded. Both x86 and x64 service executables should be valid. This command does not support generic executables. Only service executables with a ‘Service Main’ entrypoint are supported.
"register_psexec": {
    "x64": "/home/paranoidninja/Documents/BadgerSvc64.exe",
    "x86": "/home/paranoidninja/Documents/BadgerSvc86.exe"
}
  2. Added ‘net_use add’ and ‘net_use del’ commands for mounting remote shares. This command also supports harvested credentials.
  3. Until the previous release, Payload Profiler only supported stageless badgers. This release adds x64 and x86 stages that can be created for alternate C2 servers from Payload Profiler.
  4. LDAP sentinel is now updated to return user security descriptors in base64-encoded format. This, when combined with BOFHound from Fortalice, provides proper support for BloodHound queries.
  5. The listener window reloads if there is an error in starting the listener, instead of simply returning an error like before. This helps to avoid re-entering listener information in Commander.
  6. Removed the MAX_PATH limitation from the ‘ls’ command.
  7. The download command supports files larger than 4GB.
  8. Some operators had an issue where the badger would not authenticate when the SSL certificate had expired. Added an SSL certificate expiry check when the Ratel server starts, to notify the operator of the SSL certificate expiry date.
  9. Added the API script ‘badgerRemove.py’ to remove multiple badgers from the server programmatically via the API.
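The following is an added example, not part of Brute Ratel or its profile loader: a server-side pre-flight check for the ‘register_psexec’ block in item 1. It confirms that each path is reachable on the server and that the file is a PE whose COFF Machine field matches the architecture key it was registered under (the two things the item asks the operator to guarantee). The sample files it writes are constructed header stubs, not real service executables, and the ‘Service Main’ entrypoint requirement is not something a header check can verify.

```python
# Added example (not Brute Ratel code): pre-flight check for a 'register_psexec'
# profile block. Verifies on the server that each path exists and is a PE whose
# COFF Machine field matches its architecture key. It cannot verify a
# 'Service Main' entrypoint; that remains the operator's responsibility.
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_MACHINE = {"x64": 0x8664, "x86": 0x014C}  # PE COFF Machine values


def pe_machine(path):
    """Return the COFF Machine field of a PE file, or None if it is not a PE."""
    data = Path(path).read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def check_register_psexec(profile):
    """Return a list of problems; an empty list means the block is usable."""
    problems = []
    block = profile.get("register_psexec", {})
    for arch, expected in IMAGE_FILE_MACHINE.items():
        raw = block.get(arch)
        if raw is None:
            problems.append(f"{arch}: missing entry")
        elif not Path(raw).is_file():
            problems.append(f"{arch}: {raw} not reachable on the server")
        elif (machine := pe_machine(raw)) is None:
            problems.append(f"{arch}: {raw} is not a PE file")
        elif machine != expected:
            problems.append(f"{arch}: {raw} has Machine 0x{machine:04X}, expected 0x{expected:04X}")
    return problems


def minimal_pe(machine):
    """Constructed stand-in: just enough header for pe_machine() to parse."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


def demo():
    """Write constructed x64/x86 stand-ins to a temp dir and check two profiles."""
    d = Path(tempfile.mkdtemp())
    p64, p86 = d / "BadgerSvc64.exe", d / "BadgerSvc86.exe"
    p64.write_bytes(minimal_pe(0x8664)); p86.write_bytes(minimal_pe(0x014C))
    good = {"register_psexec": {"x64": str(p64), "x86": str(p86)}}
    swapped = {"register_psexec": {"x64": str(p86), "x86": str(p64)}}
    return {"good": check_register_psexec(good), "swapped": check_register_psexec(swapped)}
```

Running `demo()` returns no problems for the correctly keyed profile and two Machine mismatches for the swapped one; on a real server you would call `check_register_psexec` on the parsed profile JSON before uploading it.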

Apart from these, we know that there were 2-3 more features requested on the Discord channel which a lot of customers were waiting for. Those features will be added in the upcoming minor releases for v1.8. More information on these features is available in the documentation. There are several other backend changes which make this release more special in terms of OpSec. This release will however be the last release for this year. Stay tuned and Happy Hacking :)