Badgers

A Badger is Brute Ratel’s payload for remote access. Badgers support egress over HTTP, HTTPS, DNS Over HTTPS, SMB and TCP; SMB and TCP are peer-to-peer connections used for communication between badgers inside a network. Badgers are asynchronous and multi-threaded. A badger connects back to the Brute Ratel server every few seconds, minutes or hours as configured by its sleep and jitter values, fetches the tasks queued on the Ratel server, runs them and returns the output on the next sleep cycle. Badgers communicate with each other and with the server over a custom encrypted channel regardless of transport (DoH, HTTP, HTTPS, SMB and TCP). Commands starting with an asterisk (*) require administrative privileges or a privileged token.
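The sleep and jitter cycle described above is what shows up in egress logs as near-periodic requests. The block below is an added example, not Brute Ratel code: it parses constructed proxy log lines and flags client/destination pairs whose request gaps are tight enough to look like a sleep cycle; that jitter widens the interval symmetrically by the configured percentage is an assumption made here, not something this page states.

```python
"""Beacon-interval detection over constructed proxy log lines.

Added example (not Brute Ratel code). Assumes a badger sleeps `sleep`
seconds with a +/- `jitter_pct` percent variation between callbacks;
how Brute Ratel actually applies jitter is an assumption here.
"""
from datetime import datetime
from statistics import median

# Constructed sample: "timestamp client destination". 10.0.0.5 calls back
# roughly every 60 s (+/- 20 %); 10.0.0.9 is ordinary bursty browsing.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 cdn.example.net
2024-01-10T09:00:55 10.0.0.5 cdn.example.net
2024-01-10T09:02:03 10.0.0.5 cdn.example.net
2024-01-10T09:03:01 10.0.0.5 cdn.example.net
2024-01-10T09:04:10 10.0.0.5 cdn.example.net
2024-01-10T09:00:00 10.0.0.9 news.example.org
2024-01-10T09:00:02 10.0.0.9 news.example.org
2024-01-10T09:07:40 10.0.0.9 news.example.org
2024-01-10T09:08:00 10.0.0.9 news.example.org
2024-01-10T09:30:00 10.0.0.9 news.example.org
"""

def jitter_window(sleep, jitter_pct):
    """Interval range a sleep/jitter setting can produce (assumed symmetric)."""
    return sleep * (1 - jitter_pct / 100), sleep * (1 + jitter_pct / 100)

def intervals_by_pair(log):
    """Map (client, destination) -> list of seconds between consecutive requests."""
    times = {}
    for line in log.splitlines():
        ts, client, dest = line.split()
        times.setdefault((client, dest), []).append(datetime.fromisoformat(ts))
    return {k: [(b - a).total_seconds() for a, b in zip(v, v[1:])]
            for k, v in times.items() if len(v) > 1}

def beacon_score(gaps):
    """Relative spread of the gaps: 0 = perfectly periodic, larger = bursty."""
    med = median(gaps)
    return median(abs(g - med) for g in gaps) / med

def find_beacons(log, min_callbacks=4, max_score=0.25):
    """Return pairs whose callback gaps are regular enough to be a sleep cycle."""
    hits = {}
    for pair, gaps in intervals_by_pair(log).items():
        if len(gaps) + 1 >= min_callbacks and beacon_score(gaps) <= max_score:
            hits[pair] = (median(gaps), beacon_score(gaps))
    return hits
```

The median-based spread tolerates a few delayed callbacks (for example a host that was asleep), so the score is not thrown off by a single outlier gap.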

The badger’s help command prints a detailed description of each command’s required and optional command-line arguments, and shows which commands can be configured by other commands.

The help output in the screenshot above (not reproduced in this text) lists the following fields for each command:

  • Description: What the command does
  • Supported Commands: Other commands that can configure the behaviour of the current command
  • Affected Commands: Other commands whose behaviour changes when you configure the current command
  • Artifact: Whether the command creates a process, calls the Windows API, or runs raw C code
  • Main Argument: The main argument required for the command to run
  • Optional Argument: The optional arguments the command accepts
  • Minimum Argument Required: The minimum number of arguments the command needs to run (the count includes the main argument)

All commands can be stopped at any time using the ‘stop_task’ command. The table below lists every command available in the badger up to the latest release, with the version in which it was introduced.

| Version | Command | Description |
|---|---|---|
| v0.1 | help | Prints this help message |
| v0.1 | clrscr/cls | Clears the badger terminal screen |
| v0.1 | title | Changes the title of the badger’s UI console |
| v0.1 | get_parent | Prints the parent process ID configured for parent process spoofing |
| v0.1 | set_parent | Configures a parent process ID for spoofing. The PID must be a valid, existing process |
| v0.1 | clear_parent | Clears the PID configured for parent process spoofing |
| v0.1 | get_child | Prints the child process path configured for fork and run commands |
| v0.1 | set_child | Sets the child process path for fork and run |
| v0.1 | clear_child | Clears the configured child process used for injection during fork and run |
| v0.1 | get_argument | Prints the spoofed command-line argument configured for run, suspended_run and fork and run commands |
| v0.1 | set_argument | Configures the spoofed command-line argument for the ‘run’ command. Every newly created process will use this as its spoofed argument. Note that the actual argument must be shorter than the spoofed argument |
| v0.1 | clear_argument | Clears the spoofed command-line argument for run, suspended_run and fork and run commands. The length of the spoofed command-line argument should be greater than or equal to that of the legitimate argument |
| v0.1 | tasks | Prints active asynchronous commands on the badger |
| v0.1 | psimport | Loads a PowerShell script into memory so it can be invoked using psreflect |
| v0.1 | psreflect | Loads PowerShell commands reflectively in a target process and returns the output by capturing stdout |
| v0.1 | psclean | Removes a PowerShell module from the badger’s memory that was loaded using the ‘psimport’ command |
| v0.1 | lock_input | Locks keyboard and mouse hardware input. Use the ‘unlock_input’ command to unlock |
| v0.1 | unlock_input | Unlocks keyboard and mouse hardware input that was locked using the ‘lock_input’ command |
| v0.1 | pwd | Prints the current working directory |
| v0.1 | lockws | Locks the user’s workstation |
| v0.1 | lsdr | Prints locally mounted drives |
| v0.1 | uptime | Prints the host uptime |
| v0.1 | idletime | Prints the user idle time |
| v0.1 | make_token | Creates an impersonated token from a given domain/host, username and password |
| v0.1 | revtoken | Reverts any impersonated token created using the ‘make_token’ or ‘impersonate’ commands |
| v0.1 | dumpclip | Dumps the user clipboard |
| v0.1 | drivers | Prints loaded drivers |
| v0.1 | *set_debug | Enables the debug privilege for the user (requires admin rights) |
| v0.1 | dcenum | Enumerates basic domain information |
| v0.1 | sleep | Configures the callback interval for your badger with a sleep time and jitter percentage, and hides the RX region during sleep |
| v0.1 | cd | Changes directory and supports SMB navigation |
| v0.1 | cp | Copies a file from a source path to a destination path |
| v0.1 | mv | Moves a file from a source path to a destination path |
| v0.1 | rm | Deletes a file on the badger’s host |
| v0.1 | mkdir | Creates a directory on the badger’s host |
| v0.1 | rmdir | Deletes a directory on the badger’s host |
| v0.1 | ls | Prints files and folders from the current directory, a given directory path or a target share path |
| v0.1 | ps | Prints running processes with PID, PPID, user and full process path |
| v0.1 | net | Runs predefined net-based user/group enumeration without running net.exe |
| v0.1 | reg | Runs a registry query (without reg.exe) |
| v0.1 | runas | Runs a process as another user with a given domain/host, username and password |
| v0.1 | run | Runs a process and prints the output to the terminal by capturing stdout |
| v0.1 | kill | Kills the process with a given PID |
| v0.1 | shellspawn | Runs a file/folder with shell attributes using the ShellExecute method on Windows |
| v0.1 | *get_system | Elevates user privileges to SYSTEM (requires admin rights). If you are a domain user, this will make you lose domain user rights since SYSTEM is a local user |
| v0.1 | *system_exec | Executes a file with SYSTEM privileges (requires admin rights). If you are a domain user, this will make you lose domain user rights since SYSTEM is a local user |
| v0.1 | upload | Uploads a local file on the operator’s host to the badger host. To upload a file to a target path, navigate to that directory using ‘cd’ and then use the ‘upload’ command |
| v0.1 | download | Downloads the file at a given path. Optionally takes an additional argument specifying the number of bytes to send in every request |
| v0.1 | screenshot | Takes a screenshot of the current desktop and stores it on the server |
| v0.1 | loadr | Loads a reflective DLL into a target process |
| v0.1 | *shadowclone | Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique |
| v0.1 | *samdump | Dumps NTLM hashes from the SAM for all users on the local system |
| v0.1 | sharpreflect | Loads a C# executable within position-independent code in a target process and returns the output by capturing stdout |
| v0.1 | pivot_smb | Connects to an SMB badger over a named pipe and uses Brute Ratel’s custom encryption for communication |
| v0.1 | pivot_tcp | Starts a TCP listener on the badger. The listener name should be a single word and cannot contain spaces |
| v0.1 | stop_tcp | Stops a TCP listener on the badger |
| v0.1 | list_tcppivot | Prints all active TCP pivot listeners on the badger started using the ‘pivot_tcp’ command |
| v0.3 | scquery | Prints services on the current host or a target host. Optionally takes a service name to query on a target host |
| v0.3 | *sccreate | Creates a service on a local or remote host using RPC |
| v0.3 | *scdelete | Deletes a service on a local or remote host using RPC |
| v0.3 | *psexec | Executes a payload configuration as shellcode on a target host using the psexec technique. Takes a third optional argument naming a target process on the target host to inject the shellcode into |
| v0.4.1 | get_malloc | Prints the badger’s fork and run memory allocation technique |
| v0.4.1 | set_malloc | Changes the badger’s fork and run memory allocation technique |
| v0.4.1 | get_threadex | Prints the badger’s fork and run thread execution technique |
| v0.4.1 | set_threadex | Changes the badger’s fork and run thread execution technique |
| v0.4.1 | ipstats | Extracts network adapter information, including virtual VPN adapter information |
| v0.4.1 | contact_harvester | Extracts the contacts from Outlook’s Global Address List |
| v0.4.1 | *scdivert | Changes the service binary path of an existing service on a local or remote host using RPC |
| v0.4.1 | psgrep | Subset of the ‘ps’ command. Searches for a specific process and prints its information |
| v0.4.2 | dll_block | Enables the process mitigation policy that blocks non-Microsoft-signed DLLs from loading into processes newly created by the run, suspended_run and fork and run commands |
| v0.4.2 | dll_unblock | Disables the process mitigation policy that blocks non-Microsoft-signed DLLs from loading into remotely created processes |
| v0.5 | *mimikatz | Reflection-enabled mimikatz by Benjamin Delpy. Uses the usual mimikatz commands. Inline command arguments must be quoted |
| v0.5 | *pivot_winrm | Executes a payload config on a target host over WinRM using Invoke-Command via PowerShell reflection (psreflect) |
| v0.5 | portscan | Performs a full-connect TCP port scan on a given host and space-separated port numbers or a port range. Ports are scanned in the order they are given in the arguments |
| v0.5 | dcsync | Dumps password hashes from a domain controller. Optionally takes an argument to dump only a single user’s hash. Can be used with an impersonated token |
| v0.5 | netshares | Displays shares on the current or a target host. Additionally takes ‘privs’ as an argument to check for admin privileges on the host |
| v0.5 | set_wmiconfig | Configures the WMI namespace, domain username and password for the ‘wmiquery’ command |
| v0.5 | get_wmiconfig | Returns the configured WMI namespace and user credentials for the ‘wmiquery’ command |
| v0.5 | reset_wmiconfig | Resets the configured WMI namespace and user credentials for the ‘wmiquery’ command |
| v0.6 | exit_process | Kills the current badger process and exits gracefully |
| v0.6 | exit_thread | Kills the current badger thread and exits gracefully |
| v0.6 | crisis_monitor | Starts a routine that checks for critical events: user session change, power status, shutdown/logoff events |
| v0.6 | grab_token | Generates a duplicate token from the primary token of a process and stores it in the Token Vault. Use ‘token_vault’ to view all the tokens stored in the vault |
| v0.6 | token_vault | Displays harvested tokens stored in the vault |
| v0.6 | impersonate | Impersonates an existing token from the Token Vault. Use ‘grab_token’ to extract and save a token to the vault |
| v0.6 | vault_remove | Removes a token from the Token Vault |
| v0.6 | vault_clear | Removes all tokens stored in the Token Vault |
| v0.6 | coffexec | Runs COFF files in memory and provides compatibility for executing BOFs written for Cobalt Strike |
| v0.6 | list_modules | Lists DLLs loaded in the current or a target process. To list a target process’s modules, supply a PID |
| v0.6 | list_exports | Lists exports from a DLL that is already loaded in the current process |
| v0.6 | memhunt | Lists memory page section permissions of the current or a target process. To list a target process’s memory page sections, supply a PID |
| v0.6 | suspended_run | Creates a process in suspended mode. Useful when you want to inject custom shellcode/DLL into a process that exits instantly on creation |
| v0.6 | set_killdate | Configures the badger to auto-exit on a given date. The date format should be RFC822, e.g. 18 Sep 21 12:45 IST |
| v0.6 | get_killdate | Prints the configured kill date for the badger |
| v0.6 | sharpinline | Runs a C# executable within the badger’s process and returns the output |
| v0.7 | *shadowcloak | (x64 only) Extracts the memory of lsass.exe without calling MiniDumpWriteDump and downloads it to the Ratel server without touching disk |
| v0.7 | *scstart | Starts a service on a local or target host using RPC |
| v0.7 | netstat | Displays all TCP/UDP connections and listening ports |
| v0.7 | routes | Displays all IPv4 routes for the current host |
| v0.7 | local_sessions | Displays connected and disconnected console/RDP sessions on the current host |
| v0.7 | query_session | Displays connected and disconnected console/RDP sessions on a target host. Requires admin privilege or a token |
| v0.7 | sentinel | Runs raw and pre-created LDAP queries against the domain controller or the forest |
| v0.7 | passpol | Displays the password policy for the current or a target host |
| v0.7 | dnscache | Displays the DNS cache of the current host |
| v0.7 | getenv | Displays all environment variables set for the current process |
| v0.7 | sysinfo | Displays basic system and hardware information |
| v0.7 | windowlist | Displays all hidden and visible windows |
| v0.7 | schtquery | Shows scheduled tasks on the current or a target host along with the XML data of each scheduled task |
| v0.7 | sharescan | Enumerates shares by reading a local file containing hostnames separated by newlines |
| v0.7 | shinject_ex | Loads position-independent shellcode into an existing process |
| v0.7 | patchetw | Patches ETW for the current process, irrespective of the psreflect, sharpreflect or sharpinline commands |
| v0.7 | ps_ex | Prints running processes with PID, user and process name of a remote system |
| v0.7 | arp | Displays current ARP entries for all network interfaces |
| v0.7 | userinfo | Prints the current username, SID, privileges and groups |
| v0.8 | timeloop | Runs a badger command every (x) seconds for (x) number of times |
| v0.9 | memdump | (x64 only) Extracts the memory of a process given its PID without calling MiniDumpWriteDump and downloads it to the Ratel server without touching disk (shadowcloak style) |
| v0.9 | addpriv | Enables any required privilege as per the Microsoft documentation at https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants |
| v0.9 | applist | Displays a list of applications installed on the host |
| v0.9 | fileinfo | Displays basic file information such as size, creation time, last access time and last write time |
| v0.9 | preview | Reads the first 8192 bytes of a file |
| v0.9 | lookup | Performs a network lookup of a given domain/hostname |
| v1.0 | detect_hooks | Detects all userland hooks placed by EDRs and antivirus in kernel32, kernelbase and ntdll.dll |
| v1.0 | kerberoast | Kerberoasts a given SPN and returns the service ticket in hex format. The ticket can be converted to Hashcat format using the ‘krb5decoder’ tool from the Brute Ratel package |
| v1.0 | icmp_ping | Sends an ICMP request to check whether a host is alive |
| v1.0 | wmiquery | Runs a WMI query using the WMI namespace, username and password configured with the ‘set_wmiconfig’ command. The default namespace is ‘ROOT\CIMV2’ |
| v1.0 | wmiexec | Creates a new process on a local or remote host using WMI with the namespace, username and password configured with the ‘set_wmiconfig’ command. This command does not return any output |
| v1.0 | phish_creds | Runs a credential-capturing pop-up (social engineering) using C# reflection |
| v1.1 | start_address | Changes the start address of the badger to hide the badger’s entry point in memory |
| v1.1 | threads | Lists thread information of a process given its PID, or enumerates all processes |
| v1.1 | phantom_thread | Executes shellcode or a reflective DLL in an existing ‘alertable thread’ using ROP gadgets |
| v1.1 | stop_task | Stops a running badger task |
| v1.1 | obfsleep | Configures the default sleep obfuscation technique. 0 = APC, 1 = Pooling-0, 2 = Pooling-1 |
| v1.1 | socks_profile_start | Starts a reverse SOCKS client within the badger. Also opens a port for the proxy client |
| v1.1 | socks_start | Stops the SOCKS proxy on the badger |
| v1.1 | socks_stop | Configures a different profile for the SOCKS proxy |
| v1.1 | socks_profile | Starts a SOCKS client on the badger that connects back to the provided profile. Does not start a local SOCKS server; the remote SOCKS server must be started manually |
| v1.1 | memhook | Adds a user-defined hook using assembly opcodes at a given memory address |
| v1.1 | keylogger | Logs keystrokes of the target user |
| v1.1 | list_downloads | Lists all active downloads |
| v1.2 | set_coffargs | Configures up to 10 file-based COFF arguments for your ‘coffexec’ object files |
| v1.2 | clear_coffargs | Erases the COFF arguments for the ‘coffexec’ command |
| v1.2 | scstop | Stops a service on a local or target host using RPC |
| v1.3 | rportfwd | Binds a port on the badger’s host and forwards it to a port on the Ratel server (reverse port forwarding) |
| v1.3 | dns_interval | Changes the DNS check-in interval for every request. This is separate from sleep and jitter, as DNS sends multiple requests to deliver a single set of command output |