Timeloop

The timeloop command can run a Badger’s command for an x number of times, every y number of seconds on the host. For example, let’s say a jump server was compromised and high integrity privileges were gained, but there is no user logged in on the host. Now the shadowcloak command can be used to dump credentials, but it’s useless unless a user logs in and caches their password. So, in this case you can run the timeloop command to extract the memory every x number of times with a given interval. The timeloop command accepts three or more arguments. The first argument is the number of times you want to run the command, the second argument is the interval under which you want to run the command and the third argument is the actual command to run which can have its own set of arguments. The below command executes the C-sharp tool InternalMonologue within the Badger’s process 6 times with an interval of 10 seconds between every execution.

The timeloop command can be run during high sleep intervals because it does not need to connect to the server to run the command. You can assign a timeloop command to the Badger, let it checkin and then put the badger to sleep for a long time. While the Badger is sleeping, it will run the timeloop command as per the interval and counter provided. It will cache the output to memory without connecting to the server, and then sleep in an encrypted Read-Write region in memory. Once it checks in, post your sleep interval, the whole output will be returned back to the server. The timeloop command supports almost all commands of Brute Ratel.