Critical Event Monitor

During an engagement your payload's connectivity can drop without you ever learning why: the payload may have been flagged because of post-exploitation activity, the host may have gone to sleep or hibernation, or the laptop battery may simply have run low and the system shut down. This is the main reason the crisis_monitor feature was added to Brute Ratel. When enabled, it continuously watches a selected set of events and, whenever one of them occurs, sends a notification back to the server. The monitored events are:

  • Power Status Changed
    • AC Power: Connected/Disconnected
    • Battery level dropped below 33% or rose above 70%
  • System Suspended
  • System Resumed
  • Session: Logoff
  • Session:
    • Console Session Connected
    • Console Session Disconnected
    • Remote Terminal Connected
    • Remote Terminal Disconnected
    • User Logon
    • User Logoff
    • User Session Locked
    • User Session Unlock
    • User Session Ended

In any of the above scenarios, from power changes to session connection, disconnection or user logon, the badger sends a notification back to the server that the event has occurred. This is especially useful when you want a quick notification that a member of the blue team has logged in, so you can pause post-exploitation activity at that moment and avoid being detected. Crisis monitor is enabled or disabled with a single command-line argument, start or stop.
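Every event in the list above also lands in the Windows event log, so an incident responder can rebuild the same timeline from the host side and line it up against a beacon's silent window. The following is an added example, not Brute Ratel code: it maps standard Security and System log records to the event names listed above and returns the ones that fall inside an implant's last-seen/next-seen gap. The record shape (a dict with provider, id, time and data, roughly what a Get-WinEvent export gives you) and all sample records are constructed; the battery-percentage thresholds are not written to the event log by default and so have no mapping.

```python
from datetime import datetime

# Provider/event-ID pairs from the Windows Security and System logs, mapped to
# the event names the page lists. Battery-percentage thresholds (33%/70%) are
# not logged by Windows by default, so they have no entry here.
SECURITY = "Microsoft-Windows-Security-Auditing"
EVENT_MAP = {
    (SECURITY, 4624): "User Logon",
    (SECURITY, 4634): "User Logoff",
    (SECURITY, 4647): "User Logoff",                   # user-initiated logoff
    (SECURITY, 4800): "User Session Locked",
    (SECURITY, 4801): "User Session Unlock",
    (SECURITY, 4778): "Remote Terminal Connected",     # session reconnected (RDP / fast user switching)
    (SECURITY, 4779): "Remote Terminal Disconnected",  # session disconnected
    ("Microsoft-Windows-Kernel-Power", 42): "System Suspended",
    ("Microsoft-Windows-Power-Troubleshooter", 1): "System Resumed",
    ("Microsoft-Windows-Kernel-Power", 105): "Power Status Changed",  # power source changed (AC/battery)
}

# 4624 fires for every logon type; only these mean a person arrived at the
# machine (2 = interactive, 10 = RemoteInteractive, 11 = cached interactive).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def classify(record):
    """Return the crisis_monitor-style label for a log record, or None if the
    record is not one of the monitored events."""
    label = EVENT_MAP.get((record["provider"], record["id"]))
    if label is None:
        return None
    if record["id"] == 4624 and record.get("data", {}).get("LogonType") not in INTERACTIVE_LOGON_TYPES:
        return None  # network/service/batch logons are noise for this purpose
    return label


def timeline(records):
    """Sorted list of (timestamp, label, account) for the monitored events."""
    out = []
    for r in records:
        label = classify(r)
        if label:
            who = r.get("data", {}).get("TargetUserName", "-")
            out.append((datetime.fromisoformat(r["time"]), label, who))
    return sorted(out)


def events_in_gap(records, last_seen, next_seen):
    """Monitored host events inside an implant's silent window
    (last_seen < t < next_seen), i.e. the candidate explanations for a
    dropped connection."""
    lo = datetime.fromisoformat(last_seen)
    hi = datetime.fromisoformat(next_seen)
    return [e for e in timeline(records) if lo < e[0] < hi]


# Constructed sample records (shape of a Get-WinEvent export; not real data).
KP, PT = "Microsoft-Windows-Kernel-Power", "Microsoft-Windows-Power-Troubleshooter"
SAMPLE_RECORDS = [
    {"provider": SECURITY, "id": 4624, "time": "2024-03-01T09:00:00", "data": {"LogonType": 10, "TargetUserName": "jdoe"}},
    {"provider": SECURITY, "id": 4624, "time": "2024-03-01T10:05:00", "data": {"LogonType": 3, "TargetUserName": "svc-backup"}},
    {"provider": SECURITY, "id": 4800, "time": "2024-03-01T10:10:00", "data": {"TargetUserName": "jdoe"}},
    {"provider": KP, "id": 42, "time": "2024-03-01T10:12:00", "data": {}},
    {"provider": PT, "id": 1, "time": "2024-03-01T10:40:00", "data": {}},
    {"provider": SECURITY, "id": 4801, "time": "2024-03-01T10:41:00", "data": {"TargetUserName": "jdoe"}},
    {"provider": SECURITY, "id": 4624, "time": "2024-03-01T10:42:00", "data": {"LogonType": 2, "TargetUserName": "ir-analyst"}},
]

if __name__ == "__main__":
    # Beacon last checked in at 10:00 and came back at 10:45: what happened in between?
    for ts, label, who in events_in_gap(SAMPLE_RECORDS, "2024-03-01T10:00:00", "2024-03-01T10:45:00"):
        print(f"{ts.isoformat()}  {label:28} {who}")
```

On the sample data the gap is explained by a lock, a sleep, a resume, an unlock and then a fresh interactive logon by a different account; the network logon by the backup service account at 10:05 is filtered out by the logon-type check, which is the one piece of tuning that keeps this useful on a busy host.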