Badgers

A Badger is Brute Ratel’s payload for remote access. Badgers support egress over HTTP, HTTPS, SMB and TCP. SMB and TCP are peer-to-peer connections for inter-network communications. Badger’s HTTP/HTTPs connections are asynchronous in nature. Badger’s will connect back to the Brute Ratel Server every few seconds/minutes/hours as configured with the sleep and jitter values, fetch tasks queued on the ratel server, run them and return a response as per the sleep cycle. Badgers communicate to each other and to the server over a custom encrypted channel for all HTTP, HTTPS, SMB and TCP badgers. The commands starting with an asterik (*) require administrative privileges.

Process Injections/PPID Spoofing/Arguement Spoofing

v0.1 run Executes a windows process and returns output of the target process. This command can be used alongside set_parent and set_arguement to change the parent process and spoof commandline arguements
v0.1 loadr Loads a reflective DLL into a remote process memory. The target process in which the DLL will be injected can be changed using set_child. The parent process can be spoofed using set_parent
v0.1 set_child Changes the target process which gets injected with DLL or PE when using loadr, psreflect, sharpreflect or other Brute Ratel Arsenal modules
v0.1 set_parent Changes the parent process ID which gets spoofed when using loadr, psreflect, sharpreflect, run or other Brute Ratel Arsenal modules
v0.1 get_child Gets the target process set for reflective DLL injection or C# PE injection
v0.1 get_parent Gets the parent process ID set for reflective DLL injection, C# PE injection or any other process creation
v0.1 clear_child Sets child process to null. Commands dependent on injection will return error
v0.1 clear_parent Sets parent process ID to 0. Commands dependent on injection and process creation will use badger’s process ID as parent
v0.1 pcinject Injects a new http/tcp/smb payload using an existing payload configuration to a given process id
v0.2 shinject Load position independent shellcode into a remote process
v0.1 psreflect Injects a powershell reflective DLL loader to a remote process to run powershell commands without running powershell.exe process using the Unmanaged PowerShell technique. The powershell loader patches AMSI to evade basic signatures
v0.1 psclean Clears any powershell script loaded to memory for powershell reflection
v0.1 psimport Loads a powershell script to memory which can be Invoked using psreflect
v0.1 sharpreflect Injects a C# reflective DLL loader to a remote process to run C# PE in memory
v0.1 camouflage Injects a reflective PE to a remote process which requests user credentials with a windows-security-styled pop-up and returns captured user credentials
v0.1 set_arguement Sets spoofed commandline argument for run command by modifying the PEB. Every process created will use this as spoofed argument until clear_arguement is used. Using this without understanding the limitations of command-line arguement spoofing might stop processes from executing when using the run command
v0.1 clear_arguement Clears spoofed commandline argument for run command
v0.1 get_arguement Gets spoofed commandline argument set for run command
v0.1 cryptvortex Encrypts a given directory/file to simulate ransomware features
v0.2 objexec Loads a relocatable object file in memory and executes them in the memory of the badger
v0.2 set_objectpipe Sets the name of the namedpipe to fetch output from objexec
v0.2 get_objectpipe Gets the name of the namedpipe used to fetch output from objexec
v0.4.1 set_malloc Sets the memory allocation and writing technique for process injection
v0.4.1 get_malloc Gets the memory allocation and writing technique for process injection
v0.4.1 set_threadex Sets the thread execution technique for process injection
v0.4.1 get_threadex Gets the thread execution technique for process injection
v0.4.2 dll_block Enables process mitigation policy to block non-microsoft signed dlls from loading into remotely created process
v0.4.2 dll_unblock Disables process mitigation policy to block non-microsoft signed dlls from loading into remotely created process

Domain Enumeration

v0.1 dcenum Enumerates basic domain information
v0.1 ldapsentinel (Accessible via GUI) Provides a GUI interface to query domain objects and has a predefined set of ldap queries

Lateral Movement/Remote Host Enumeration

v0.1 cd Changes directory and supports SMB navigation
v0.1 ls Lists directory contents and supports SMB navigation
v0.1 lsdr Lists drives in the current system
v0.1 socksbridge (Accessible via GUI) Connects to Boomerang’s socks server
v0.1 pivot_smb Connects to SMB badger over named pipe and uses custom encryption of Brute Ratel for communication
v0.1 pivot_tcp Starts TCP listener on the badger and uses custom encryption of Brute Ratel for communication
v0.1 stop_tcp Stops a TCP listener on the badger
v0.1 list_pivot Lists pivot badgers for current badger
v0.3 *psexec Execute a payload configuration on remote host by creating a remote badger service using RPC
v0.3 *sccreate Creates a service on local or remote host using RPC
v0.3 *scdelete Deletes a service on local or remote host using RPC
v0.4.1 *scdivert Changes the service binary path for an existing service over local or remote host using RPC
v0.5 *pivot_winrm In-memory implementation of WinRM to run WMI queries
v0.5 *get_wmiconfig Return configured WMI namespace and user credentials for ‘wmispawn’ command
v0.5 *set_wmiconfig Configures WMI namespace, domain username and password for ‘wmispawn’ command
v0.5 *reset_wmiconfig Resets configured WMI namespace and user credentials for ‘wmispawn’ command
v0.5 *wmispawn Runs a wmi query while using the wminamespace, username and password configured from ‘set_wmiconfig’ command. Default configuration is ‘ROOT\CIMV2’

Privilege Escalation/Enumeration

v0.1 id Gets current user name
v0.1 dumpclip Gets current user’s clipboard data
v0.1 get_privs Gets full user privileges
v0.1 *get_system Attempts to escalate privilege from Admin to SYSTEM/NT AUTHORITY
v0.1 *system_exec Attempts to execute a process with SYSTEM privileges if the current user is in high integrity level
v0.1 *set_debug Sets debug privileges required for querying several WinAPIs
v0.1 net Supports running predefined net-based user/group enumeration without using running net.exe
v0.1 *samdump Dumps NTLM hashes from SAM for all users in the local system
v0.1 *shadowclone Dumps Lsass.exe memory using stealth techniques
v0.1 make_token Creates a user token using domain name, username and password
v0.1 revtoken Reverts a user token to self
v0.5 *mimikatz Reflection enabled mimikatz by Benjamin Delphy. Can run usual mimikatz commands
v0.5 dcsync Dump password hashes from a domain controller. Optionally takes an argument to dump only a single user’s hash. Can be used with an impersonated token
v0.5 *dcsync_inject Injects dcsync module to a remote process and dumps password hashes from a domain controller. Optionally takes an argument to dump only a single user’s hash. Requires privileged badger

System Enumeration

v0.1 runas Runs a process as another user using domain name, username, password
v0.1 shellspawn Runs a process, opens a file/video/music or other interactions using shell execution technique
v0.1 screenshot Takes screenshot of the target user’s full desktop
v0.3 scquery Queries windows service manager for all services
v0.1 pwd Lists current directory
v0.1 reg Runs registry queries without running reg.exe
v0.1 mkdir Creates a directory
v0.1 rm Deletes a file
v0.1 rmdir Deletes a directory
v0.1 ps Lists all running processes
v0.1 kill Kills a process with a given process Id
v0.1 cp Copies a file to a new location
v0.1 mv Moves a file to a new location
v0.1 change_wallpaper Changes target host’s active desktop wallpaper
v0.1 download Downloads file from the target host
v0.1 stop_downloads Stops all active downloads
v0.1 upload Uploads a file to the target host
v0.1 drivers Lists the drivers loaded on the system
v0.1 idletime Gets user idletime from the host
v0.1 uptime Gets the host’s uptime
v0.1 lock_input Locks user’s input devices like mouse and keyboard and renders them useless until reboot
v0.1 unlock_input Unlocks user’s input devices
v0.1 lockws Locks user’s workstation
v0.4.1 contact_harvester Extracts contacts from Outlook Address Book
v0.4.1 ipstats Extracts DNS, Ipconfig and information related to network adapters
v0.4.1 psgrep Subset of the ‘ps’ command. Searches for a specific process and returns basic process information
v0.5 portscan Performs a TCP scan on a given host and space seperated port numbers
v0.5 netshares Enumerates shares on local or a remote host. Additionally takes ‘/priv’ as an argument to check for admin privileges on the host

C4 Opsec Configurations

v0.1 sleep This command changes the badger’s communication frequency to the Ratel server over a given jitter and sleep value
v0.1 switch This command switches the badger’s command and control server/listener. The switch command can be highly useful when a badger has been compromised and the Red Team wants to reroute all backup badgers to a new ratel server

Adhoc Commands

v0.1 tasks This command lists all pending tasks in the badger’s queue
v0.1 exit This command kills the current badger and exits gracefully
v0.1 title This command changes the title of the badger’s UI console
v0.1 clrscr/cls This command clears the badger terminal screen