A Badger is Brute Ratel’s remote-access payload. Badgers support egress over HTTP, HTTPS, DNS over HTTPS (DoH), SMB and TCP. SMB and TCP are peer-to-peer links used to chain badgers between hosts inside a network. Badgers are asynchronous and multi-threaded: a badger connects back to the Brute Ratel server every few seconds, minutes or hours, as configured by its sleep and jitter values, fetches the tasks queued for it on the ratel server, runs them and returns the output on the next sleep cycle. Badgers talk to each other and to the server over Brute Ratel’s own encrypted channel, whatever the transport (DoH, HTTP, HTTPS, SMB or TCP). Commands marked with an asterisk (*) require administrative privileges or a privileged token.
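The callback cycle described above, as an added illustration that is not part of Brute Ratel or its documentation: a model of a badger’s jittered check-in schedule (assuming, for the model only, that jitter is applied symmetrically as ± jitter% of the sleep value) next to the defender-side check a SOC would run over proxy or firewall connection records to spot such a cadence. The addresses and log records are constructed here, and `checkin_delays`, `beacon_candidates` and `sample_events` are hypothetical names.

```python
"""Model of a jittered C2 check-in cadence and a detector for it (added example)."""
from collections import defaultdict
import random
import statistics


def checkin_delays(sleep_s, jitter_pct, count, seed=1):
    """Seconds between successive check-ins for a beacon configured with
    `sleep_s` and `jitter_pct`. Assumption (not Brute Ratel's documented
    algorithm): each delay is drawn uniformly from sleep +/- jitter%."""
    rng = random.Random(seed)
    spread = sleep_s * jitter_pct / 100.0
    return [rng.uniform(sleep_s - spread, sleep_s + spread) for _ in range(count)]


def timestamps_from_delays(start, delays):
    """Turn a list of delays into absolute timestamps."""
    stamps, now = [], start
    for delay in delays:
        now += delay
        stamps.append(now)
    return stamps


def beacon_candidates(events, min_events=10, max_cv=0.3):
    """Group connection records by (src, dst) and flag pairs whose
    inter-arrival gaps are too regular to be human traffic.

    The coefficient of variation (stdev / mean) of the gaps is the score:
    a uniform +/-20% jitter gives roughly 0.12, while interactive browsing
    is bursty and scores near or above 1.0. Raising the jitter narrows the
    margin, which is why the threshold is a tunable."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"mean_gap": mean_gap, "cv": cv, "events": len(stamps)}
    return flagged


def sample_events():
    """Constructed connection log: one host beaconing with sleep=60s,
    jitter=20%, and one host with bursty (exponentially spaced) traffic."""
    beacon = timestamps_from_delays(0.0, checkin_delays(60, 20, 40))
    rng = random.Random(7)
    human = timestamps_from_delays(0.0, [rng.expovariate(1 / 60) for _ in range(40)])
    events = [{"ts": t, "src": "10.0.0.5", "dst": "203.0.113.10:443"} for t in beacon]
    events += [{"ts": t, "src": "10.0.0.9", "dst": "198.51.100.7:443"} for t in human]
    return events


if __name__ == "__main__":
    for pair, info in beacon_candidates(sample_events()).items():
        print(f"{pair[0]} -> {pair[1]}: {info['events']} connections, "
              f"mean gap {info['mean_gap']:.1f}s, cv {info['cv']:.3f}")
```

The check only needs timestamps, source and destination, so it runs equally over proxy, firewall or NetFlow exports; the ‘sleep’ command’s jitter percentage is the knob an operator turns to push the score above whatever threshold the defender picked.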
The badger’s help command prints the required and optional arguments of every command. It also shows which commands have configurable settings.
(Screenshot of the badger’s ‘help’ output, listing the available options; the image is not reproduced here.)
Any running command can be stopped at any time with the ‘stop_task’ command. The table below lists every command available in the badger up to the latest release, with the version in which each was introduced.

Version | Command | Description |
--- | --- | --- |
v0.1 | help | Prints this help message |
v0.1 | clrscr/cls | This command clears the badger terminal screen |
v0.1 | title | This command changes the title of the badger’s UI console |
v0.1 | get_parent | Prints the parent process ID configured for parent process spoofing |
v0.1 | set_parent | Configures a parent process ID for spoofing. The PID must be a valid, existing process |
v0.1 | clear_parent | Clears PID configured for spoofing parent process |
v0.1 | get_child | Prints the child process path configured for fork and run commands |
v0.1 | set_child | Set child process path for fork and run |
v0.1 | clear_child | Clears the configured child process used for injection during fork and run |
v0.1 | get_argument | Prints spoofed command-line argument configured for run, suspended_run and fork and run commands |
v0.1 | set_argument | Configures the spoofed command-line argument for the ‘run’ command. Every newly created process will use this as its spoofed argument. Note that the real argument must be no longer than the spoofed argument |
v0.1 | clear_argument | Clears the spoofed command-line argument for run, suspended_run and fork and run commands. The spoofed command-line argument must be at least as long as the legitimate argument |
v0.1 | tasks | Prints active asynchronous commands on the badger |
v0.1 | psimport | Loads a PowerShell script into memory so it can be invoked using psreflect |
v0.1 | psreflect | Loads PowerShell commands reflectively in a target process and returns the output by capturing stdout |
v0.1 | psclean | Removes a PowerShell module from the badger’s memory that was loaded using the ‘psimport’ command |
v0.1 | lock_input | Locks keyboard and mouse hardware input. Use ‘unlock_input’ command to unlock |
v0.1 | unlock_input | Unlocks keyboard and mouse hardware input which was locked using the ‘lock_input’ command |
v0.1 | pwd | Prints current working directory |
v0.1 | lockws | Locks user’s workstation |
v0.1 | lsdr | Prints locally mounted drives |
v0.1 | uptime | Prints the host uptime |
v0.1 | idletime | Prints the user idletime |
v0.1 | make_token | Creates an impersonated token from a given domain/host, username and password |
v0.1 | revtoken | Reverts any impersonated token created using ‘make_token’ or ‘impersonate’ commands |
v0.1 | dumpclip | Dumps user clipboard |
v0.1 | drivers | Prints loaded drivers |
v0.1 | *set_debug | Enables debug privilege for the user. (Requires admin rights) |
v0.1 | dcenum | Enumerates basic domain information |
v0.1 | sleep | Configures callback interval for your badger with a sleep time and jitter percentage and hides the RX region during sleep |
v0.1 | cd | Changes directory and supports SMB navigation |
v0.1 | cp | Copies a file from a source path to a destination path |
v0.1 | mv | Moves a file from a source path to a destination path |
v0.1 | rm | Deletes a file on the badger’s host |
v0.1 | mkdir | Creates a directory on the badger’s host |
v0.1 | rmdir | Deletes a directory on the badger’s host |
v0.1 | ls | Prints files and folders from current directory, a given directory path or a target share path |
v0.1 | ps | Prints running processes with pid, ppid, user and full process path |
v0.1 | net | Runs predefined net-style user/group enumeration without running net.exe |
v0.1 | reg | Runs a registry query (without reg.exe) |
v0.1 | runas | Runs a process as another user with a given domain/host, username and password |
v0.1 | run | Runs a process and prints the output to terminal by capturing the stdout |
v0.1 | kill | Kills a process with a given PID |
v0.1 | shellspawn | Runs a file/folder with Shell attributes using the ShellExecute method on windows |
v0.1 | *get_system | Elevates the badger to SYSTEM (requires admin rights). If you are running as a domain user, you lose that user’s domain rights, because SYSTEM is a local account |
v0.1 | *system_exec | Executes a file with SYSTEM privileges (requires admin rights). If you are running as a domain user, the child loses that user’s domain rights, because SYSTEM is a local account |
v0.1 | upload | Uploads a local file on the operator’s host to the badger host. To upload a file to a target path, navigate to that directory using ‘cd’ and use the ‘upload’ command |
v0.1 | download | Downloads a file with a given path. Optionally takes an additional argument which can specify the number of bytes to send in every request |
v0.1 | screenshot | Takes a screenshot of current desktop and stores it on the server |
v0.1 | loadr | Loads a reflective DLL into a target process |
v0.1 | *shadowclone | Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique |
v0.1 | *samdump | Dumps NTLM hashes from SAM for all users in the local system |
v0.1 | sharpreflect | Loads a C# executable within a position independent code in a target process and returns the output by capturing the stdout |
v0.1 | pivot_smb | Connects to SMB badger over named pipe and uses custom encryption of Brute Ratel for communication |
v0.1 | pivot_tcp | Starts a tcp listener on the badger. Listener name should be a single word and cannot contain spaces |
v0.1 | stop_tcp | Stops a TCP listener on the badger [DEPRECATED] |
v0.1 | list_tcppivot | Prints all active TCP pivot listeners on the badger started using ‘pivot_tcp’ command |
v0.3 | scquery | Prints services on current host or a target host. Optionally takes a service name to query on a target host |
v0.3 | *sccreate | Creates a service on local or remote host using RPC |
v0.3 | *scdelete | Deletes a service on local or remote host using RPC |
v0.3 | *psexec | Executes a payload configuration as a shellcode on target host using psexec technique. Takes a third optional argument as a target process to inject the shellcode into on the target host |
v0.4.1 | get_malloc | Prints the fork and run’s memory allocation technique for badger |
v0.4.1 | set_malloc | Changes fork and run’s memory allocation technique of badger |
v0.4.1 | get_threadex | Prints the fork and run’s thread execution technique for badger |
v0.4.1 | set_threadex | Changes fork and run’s thread execution technique of badger |
v0.4.1 | ipstats | Extracts network adapter information including virtual VPN adapter information |
v0.4.1 | contact_harvester | Extracts the contacts from Outlook’s Global Address List |
v0.4.1 | *scdivert | Changes the service binary path for an existing service over local or remote host using RPC |
v0.4.1 | psgrep | Subset of the ‘ps’ command. Searches for a specific process and prints a specific process information |
v0.4.2 | dll_block | Enables process mitigation policy to block non-microsoft signed dlls from loading into newly created process during run, suspended_run and fork and run commands |
v0.4.2 | dll_unblock | Disables process mitigation policy to block non-microsoft signed dlls from loading into remotely created process |
v0.5 | *mimikatz | Reflectively loaded mimikatz by Benjamin Delpy. Uses the usual mimikatz commands. Inline command arguments must be quoted |
v0.5 | *pivot_winrm | Executes a payload config on a target host over WinRM, using Invoke-Command through PowerShell reflection (psreflect) [DEPRECATED] |
v0.5 | portscan | Performs a full-connect TCP port scan of a given host for space-separated port numbers or a port range. Ports are scanned in the order they are given |
v0.5 | dcsync | Dump password hashes from a domain controller. Optionally takes an argument to dump only a single user’s hash. Can be used with an impersonated token |
v0.5 | netshares | Displays shares on current or a target host. Additionally takes ‘privs’ as an argument to check for admin privs on the host |
v0.5 | set_wmiconfig | Configures WMI namespace, domain username and password for ‘wmiquery’ command |
v0.5 | get_wmiconfig | Return configured WMI namespace and user credentials for ‘wmiquery’ command |
v0.5 | reset_wmiconfig | Resets configured WMI namespace and user credentials for ‘wmiquery’ command |
v0.6 | exit_process | This command kills the current badger process and exits gracefully |
v0.6 | exit_thread | This command kills the current badger thread and exits gracefully |
v0.6 | crisis_monitor | Starts a routine to check for critical events: User session change, Power Status, Shutdown/logoff events |
v0.6 | grab_token | Generates a duplicate token from the primary token of a process and stores it in Token Vault. Use ‘token_vault’ to view all the stored tokens in the vault |
v0.6 | token_vault | Displays harvested tokens stored in the vault |
v0.6 | impersonate | Impersonate an existing token from token vault. Use ‘grab_token’ to extract and save a token to the vault |
v0.6 | vault_remove | Removes a token from Token Vault |
v0.6 | vault_clear | Removes all tokens stored in Token Vault |
v0.6 | coffexec | Runs COFF files in memory and provides compatibility for executing BOFs written for Cobalt Strike |
v0.6 | list_modules | Lists DLLs loaded in current or a target process. To find target process modules, supply a pid |
v0.6 | list_exports | Lists exports from a DLL which is already loaded in the current process [DEPRECATED] |
v0.6 | memhunt | Lists memory page section permissions from current or a target process. To find target process memory page sections, supply a pid [DEPRECATED] |
v0.6 | suspended_run | Create a process in suspended mode. Useful when you want to inject custom shellcode/dll into a process which exits instantly on creation |
v0.6 | set_killdate | Configures the badger to auto-exit on a given date. Date format should be in RFC822, eg. 18 Sep 21 12:45 IST |
v0.6 | get_killdate | Prints the configured killdate date for badger |
v0.6 | sharpinline | Runs a C# executable within the badger’s process and returns the output |
v0.7 | *shadowcloak | (only x64) Extracts the memory of lsass.exe without calling MiniDumpWriteDump and downloads it to the Ratel server without touching disk |
v0.7 | *scstart | Starts a service on local or target host using RPC |
v0.7 | netstat | Displays all TCP/UDP connections and listening ports |
v0.7 | routes | Displays all IPv4 routes for the current host |
v0.7 | local_sessions | Displays connected and disconnected console/RDP sessions on the current host |
v0.7 | query_session | Displays connected and disconnected console/RDP sessions on a target host. Requires admin privilege or token |
v0.7 | sentinel | Runs raw and pre-created ldap queries towards the domain controller or the forest |
v0.7 | passpol | Displays the password policy for current or target host |
v0.7 | dnscache | Displays the DNS cache of current host |
v0.7 | getenv | Displays all the environmental variables set for the current process |
v0.7 | sysinfo | Displays basic system and hardware information |
v0.7 | windowlist | Displays all hidden and visible windows |
v0.7 | schtquery | Shows scheduled tasks on the current or a target host along with the XML data of the scheduled task |
v0.7 | sharescan | Enumerates shares on hosts read from a local file containing one hostname per line |
v0.7 | shinject_ex | Loads a position independent shellcode into an existing process |
v0.7 | patchetw | Patches ETW for the current process irrespective of psreflect or the sharpreflect/sharpinline command |
v0.7 | ps_ex | Prints running processes with pid, user and process of a remote system |
v0.7 | arp | Displays current ARP entries for all the network interfaces |
v0.7 | userinfo | Prints current username, SID, privileges and groups |
v0.8 | timeloop | Runs a badger command every (x) seconds for (x) number of times |
v0.9 | memdump | (only x64 support) Extracts the memory of a process from the PID without calling MiniDumpWriteDump and downloads it to the Ratel server without touching disk (Shadowcloak style) |
v0.9 | addpriv | Enable any required privilege as per microsoft documentation at https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants |
v0.9 | applist | Displays a list of applications installed on the host |
v0.9 | fileinfo | Displays basic file information such as size, creation time, last access time, and last write time |
v0.9 | preview | Reads the first 8192 bytes of a file |
v0.9 | lookup | Performs a network lookup of a given domain/hostname |
v1.0 | detect_hooks | Detects userland hooks placed by EDR and antivirus products in kernel32, kernelbase and ntdll.dll [DEPRECATED since v1.3] |
v1.0 | kerberoast | Kerberoasts a given SPN and returns a service ticket in hex format. Ticket can be converted to Hashcat format using the ‘krb5decoder’ tool from the Brute Ratel package |
v1.0 | icmp_ping | Sends an ICMP request to check the alive status of the host |
v1.0 | wmiquery | Runs a wmi query while using the WMI namespace, username and password configured from ‘set_wmiconfig’ command. Default configuration is ‘ROOT\CIMV2’ |
v1.0 | wmiexec | Creates a new process on local or remote host using WMI with the namespace, username and password configured from ‘set_wmiconfig’ command. This command does not return any output |
v1.0 | phish_creds | Runs a credential capturing pop-up (social engineering) using C# reflection |
v1.1 | start_address | Changes the start address of the badger to hide badger’s entrypoint in memory |
v1.1 | threads | Lists thread information of a process from its PID or enumerates all processes |
v1.1 | phantom_thread | Executes a shellcode/reflective DLL into an existing ‘alertable thread’ using rop gadgets |
v1.1 | stop_task | Stops a running badger task |
v1.1 | obfsleep | Configures default sleeping obfuscation technique. 0 = APC, 1 = Pooling-0, 2 = Pooling-1 |
v1.4 | socks | (earlier ‘socks_start’) Starts a reverse socks client within the badger and opens a port for the proxy client |
v1.1 | socks_profile_start | Starts a reverse socks client within the badger. Also opens a port for proxy client [DEPRECATED] |
v1.1 | socks_stop | Stops the reverse socks client running in the badger |
v1.1 | socks_profile | Starts a socks client on the badger to connect back to the provided profile. Does not start local socks server. Remote socks server should be manually started [DEPRECATED] |
v1.1 | memhook | Adds a user defined hook using assembly opcodes on a given memory address |
v1.1 | keylogger | Logs keystrokes of the target user |
v1.1 | list_downloads | List all active downloads |
v1.2 | set_coffargs | Configures up to 10 file-based COFF arguments for ‘coffexec’ object files |
v1.2 | clear_coffargs | Erases the COFF args for the ‘coffexec’ command |
v1.2 | scstop | Stops a service on local or target host using RPC |
v1.3 | rportfwd | Bind a port on badger’s host and forward it to a port on the ratel server (reverse port forwarding) |
v1.3 | dns_interval | Changes the DNS check-in interval for every request. This is separate from sleep and jitter, because the DNS transport sends multiple requests to return a single set of command output |
v1.4 | memexec | Runs a PE in memory of the badger’s process without generating any process creation artefacts. This command only supports MFC and Mingw, and does not support apiset standard libraries |
v1.4 | note | Adds a note in front of the badger in the badger’s tab |
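Converting the ‘kerberoast’ output into a crackable hash, as an added example that is neither Brute Ratel’s krb5decoder nor any of its code: a minimal DER walker that pulls realm, service principal, encryption type and ciphertext out of a Kerberos Ticket and emits the hashcat $krb5tgs$ line. It assumes the badger’s hex output is a DER-encoded Ticket (APPLICATION 1, RFC 4120) and that the requesting username is supplied separately, since a service ticket does not carry it. The sample ticket is constructed inline with a tiny DER encoder and placeholder ciphertext so the script runs offline; `build_sample_ticket`, `der_children`, `ctx_fields` and `ticket_to_hashcat` are hypothetical names.

```python
"""Kerberos service ticket (DER hex) -> hashcat $krb5tgs$ line (added example)."""


# --- minimal DER encoder, used only to construct a sample ticket offline ---
def _len(n):
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _ctx(n, body):          # context-specific, constructed: [n] EXPLICIT
    return _tlv(0xA0 | n, body)


def _int(v):                # small non-negative INTEGER only
    return _tlv(0x02, bytes([v]))


def _gstr(s):               # GeneralString (KerberosString)
    return _tlv(0x1B, s.encode())


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def build_sample_ticket(realm, spn_parts, etype, cipher):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1],
    sname [2] PrincipalName, enc-part [3] EncryptedData }.
    `cipher` is placeholder bytes, not real Kerberos ciphertext."""
    sname = _seq(_ctx(0, _int(2)),                            # NT-SRV-INST
                 _ctx(1, _seq(*[_gstr(p) for p in spn_parts])))
    enc_part = _seq(_ctx(0, _int(etype)), _ctx(1, _int(2)),   # etype, kvno
                    _ctx(2, _tlv(0x04, cipher)))              # cipher OCTET STRING
    return _tlv(0x61, _seq(_ctx(0, _int(5)), _ctx(1, _gstr(realm)),
                           _ctx(2, sname), _ctx(3, enc_part)))


# --- minimal DER decoder ---
def der_children(buf):
    """Split a byte string into its top-level (tag, value) TLVs."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                  # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out


def ctx_fields(seq_body):
    """For the body of a SEQUENCE of [n] EXPLICIT fields, return
    {n: (inner_tag, inner_value)}."""
    out = {}
    for tag, val in der_children(seq_body):
        out[tag & 0x1F] = der_children(val)[0]
    return out


def ticket_to_hashcat(hex_ticket, username):
    """Emit the hashcat line for RC4 (etype 23, mode 13100) or AES
    (etype 17/18, modes 19600/19700) service tickets."""
    tag, app_body = der_children(bytes.fromhex(hex_ticket))[0]
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket (expected APPLICATION 1)")
    fields = ctx_fields(der_children(app_body)[0][1])
    realm = fields[1][1].decode()
    sname = ctx_fields(fields[2][1])
    spn = "/".join(v.decode() for _, v in der_children(sname[1][1]))
    spn = spn.replace(":", "~")                        # hashcat convention for ports
    enc = ctx_fields(fields[3][1])
    etype = int.from_bytes(enc[0][1], "big")
    cipher = enc[2][1]
    if etype == 23:          # 16-byte HMAC-MD5 checksum first, then edata
        return (f"$krb5tgs$23$*{username}${realm}${spn}*$"
                f"{cipher[:16].hex()}${cipher[16:].hex()}")
    if etype in (17, 18):    # edata first, 12-byte HMAC-SHA1 checksum last
        return (f"$krb5tgs${etype}${username}${realm}$*{spn}*$"
                f"{cipher[-12:].hex()}${cipher[:-12].hex()}")
    raise ValueError(f"unsupported etype {etype}")


if __name__ == "__main__":
    sample = build_sample_ticket("CORP.LOCAL", ["MSSQLSvc", "db01.corp.local:1433"],
                                 23, bytes(range(16)) + b"\xaa" * 40)
    print(ticket_to_hashcat(sample.hex(), "svc_sql"))
```

The etype branch is the part worth checking before cracking: RC4 tickets carry the checksum first and AES tickets carry it last, and an AES-only service account (etype 17/18) is a sign the target has disabled RC4, which changes both the hashcat mode and the crack rate.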
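The argument handling described for ‘portscan’, as an added example rather than Brute Ratel’s own code: a parser for the ‘space separated port numbers or a port range’ form that keeps the order given, and a full-connect scan, which completes the TCP three-way handshake on every port and is therefore visible in the target’s connection logs. The demo binds a throwaway listener on the loopback interface so it runs offline; `parse_ports`, `connect_scan` and `demo` are hypothetical names.

```python
"""Ordered port-spec parser and full-connect TCP scan (added example)."""
import socket


def parse_ports(spec):
    """Parse "80 443 8000-8003" into [80, 443, 8000, 8001, 8002, 8003].
    Order is preserved exactly as given; ranges are inclusive."""
    ports = []
    for token in spec.split():
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {token}")
            ports.extend(range(lo, hi + 1))
        else:
            port = int(token)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {token}")
            ports.append(port)
    return ports


def connect_scan(host, ports, timeout=1.0):
    """Full-connect scan: complete the TCP handshake to every port, in the
    order given, and report 'open' or 'closed'. Filtered ports (no reply at
    all) hit the timeout and are reported as 'closed' too."""
    results = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            state = "open"
        except OSError:            # refused, timed out or unreachable
            state = "closed"
        finally:
            sock.close()
        results.append((port, state))
    return results


def demo():
    """Scan one listening and one closed port on loopback (constructed setup)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                  # released, so nothing listens there now
    try:
        return connect_scan("127.0.0.1", parse_ports(f"{closed_port} {open_port}"))
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo():
        print(f"127.0.0.1:{port} {state}")
```

Because every probe is a completed connection, a host-based sensor sees one accepted session per open port and one refused SYN per closed port from the badger’s process; sequential, in-order probing is exactly the pattern a sweep rule keys on, so spread the ports and hosts out when that matters.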