Badgers

A Badger is Brute Ratel's remote-access payload. Badgers support egress over HTTP, HTTPS, SMB and TCP; SMB and TCP are peer-to-peer channels used to link badgers to one another (see 'pivot_tcp' and 'pivot_smb') rather than to egress directly. Badgers are asynchronous and multi-threaded: a badger connects back to the Brute Ratel server at an interval set by its sleep and jitter values (seconds, minutes or hours), fetches the tasks queued for it on the ratel server, runs them and returns the output on the next sleep cycle. All badger-to-badger and badger-to-server traffic, whether HTTP, HTTPS, SMB or TCP, uses Brute Ratel's own encrypted channel. Each command below is listed with the badger version it appeared in. Commands marked with an asterisk (*) require administrative privileges.
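The sleep/jitter callback cycle described above is also what a defender looks for. As an added example (not Brute Ratel code and not from this page's author), the Python below builds constructed proxy log lines from a fixed set of callback gaps (sleep 60 s, jitter 20 %, so gaps of 48 to 72 s) and from a bursty human browsing pattern against the same host, then scores each source for periodicity and estimates the sleep and jitter from the flagged series. The log format, addresses, gap values and the "gap = sleep plus or minus up to jitter %" model are all assumptions made for illustration, not a description of the badger's implementation.

```python
"""Scoring proxy log traffic for sleep/jitter style callbacks.

Added example; not Brute Ratel code.  Log format, addresses, gap values and
the "gap = sleep +/- up to jitter%" model are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Tuple

C2 = "203.0.113.7"  # constructed C2 address (TEST-NET-3)

# Constructed callback gaps in seconds for sleep=60, jitter=20% (48..72 s).
BEACON_DELTAS = [61.0, 52.8, 70.2, 55.5, 66.3, 49.1, 71.8, 58.4, 63.9, 53.0, 68.7, 60.5]
# Constructed gaps for a person browsing the same host: bursts and long idle gaps.
HUMAN_DELTAS = [3.2, 0.8, 1.5, 140.0, 2.1, 0.4, 610.0, 5.5, 1.2, 95.0, 0.9, 2200.0]


def build_log(start: datetime, deltas: List[float], src: str, dst: str) -> List[str]:
    """Emit constructed proxy lines '<iso-ts> <src> <dst> GET /', one per request."""
    lines, t = [f"{start.isoformat()} {src} {dst} GET /"], start
    for gap in deltas:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst} GET /")
    return lines


def parse_log(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (src, dst), sorted in time order."""
    series: Dict[Tuple[str, str], List[datetime]] = {}
    for line in lines:
        ts, src, dst, *_ = line.split()
        series.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    return {pair: sorted(stamps) for pair, stamps in series.items()}


def beacon_score(stamps: List[datetime], tolerance: float = 0.3, min_samples: int = 8) -> dict:
    """Flag a series whose inter-request gaps cluster around one value.

    A sleep/jitter loop yields gaps bounded by sleep +/- jitter%, so the
    median gap estimates the sleep and nearly every gap falls inside a band
    around it.  Human traffic is bursty and fails the band test.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < min_samples:
        return {"flagged": False, "samples": len(gaps), "reason": "too few samples"}
    sleep_est = median(gaps)
    lo, hi = sleep_est * (1 - tolerance), sleep_est * (1 + tolerance)
    in_band = sum(lo <= g <= hi for g in gaps) / len(gaps)
    # Half the min..max spread relative to the sleep approximates the jitter %.
    jitter_est = (max(gaps) - min(gaps)) / (2 * sleep_est)
    return {
        "flagged": in_band >= 0.9,
        "samples": len(gaps),
        "sleep_est_s": round(sleep_est, 1),
        "jitter_est": round(jitter_est, 2),
        "in_band": round(in_band, 2),
    }


def score_log(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Score every (src, dst) pair seen in the log."""
    return {pair: beacon_score(stamps) for pair, stamps in parse_log(lines).items()}


def demo() -> Dict[Tuple[str, str], dict]:
    """Build the two constructed series against the same C2 and score them."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    log = (build_log(start, BEACON_DELTAS, "10.1.2.30", C2)
           + build_log(start, HUMAN_DELTAS, "10.1.2.31", C2))
    return score_log(log)


if __name__ == "__main__":
    for pair, result in demo().items():
        print(pair, result)
```

The band test is deliberately tolerant of the jitter: a 30 % band around the median catches a 20 % jitter without also catching bursty interactive traffic, and the recovered sleep and jitter estimates give the responder a first guess at the operator's configured 'sleep' values. Real logs need the same grouping done per destination across many sources, and long sleeps need proportionally longer observation windows before min_samples is reached.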

v0.1 help Prints this help message
v0.1 clrscr/cls This command clears the badger terminal screen
v0.1 title This command changes the title of the badger’s UI console
v0.1 cryptvortex Encrypts a given directory/file to simulate ransomware features
v0.1 ldapsentinel (Accessible via GUI) Provides a GUI interface to query domain objects and has a predefined set of ldap queries
v0.1 socksbridge (Accessible via GUI) Connects to Boomerang’s socks server
v0.6 exit_process This command kills the current badger process and exits gracefully
v0.6 exit_thread This command kills the current badger thread and exits gracefully
v0.1 stop_downloads Stops all active downloads
v0.1 get_parent Prints the parent process ID configured for parent process spoofing
v0.1 tasks Prints active asynchronous commands on the badger
v0.1 get_child Prints the child process path configured for fork and run commands
v0.1 psclean Removes powershell module from badger’s memory which was loaded using ‘psimport’ command
v0.1 list_pivot Prints all active TCP pivot listeners on the badger started using ‘pivot_tcp’ command
v0.1 unlock_input Unlocks keyboard and mouse hardware input which was locked using the ‘lock_input’ command
v0.1 clear_parent Clears the PID configured for parent process spoofing
v0.1 clear_child Clears the configured child process used for injection during fork and run
v0.1 get_argument Prints the spoofed command-line argument configured for the run, suspended_run and fork and run commands
v0.1 clear_argument Clears the spoofed command-line argument for the run, suspended_run and fork and run commands. Note that the spoofed command-line argument must be at least as long as the legitimate argument (see 'set_argument')
v0.4.1 get_malloc Prints the fork and run’s memory allocation technique for badger
v0.4.1 get_threadex Prints the fork and run’s thread execution technique for badger
v0.1 pwd Prints current working directory
v0.7 arp Displays current ARP entries for all the network interfaces
v0.7 userinfo Prints current username, SID, privileges and groups
v0.1 lockws Locks user’s workstation
v0.1 lsdr Prints locally mounted drives
v0.1 uptime Prints the host uptime
v0.1 idletime Prints the user idletime
v0.1 revtoken Reverts any impersonated token created using ‘make_token’ or ‘impersonate’ commands
v0.1 dumpclip Dumps user clipboard
v0.1 drivers Prints loaded drivers
v0.1 *set_debug Enables debug privilege for the user. (Requires admin rights)
v0.1 dcenum Enumerates basic domain information
v0.1 lock_input Locks keyboard and mouse hardware input on the host. Use 'unlock_input' to release it
v0.4.1 ipstats Extracts network adapter information including virtual VPN adapter information
v0.4.2 dll_block Enables a process mitigation policy that blocks non-Microsoft-signed DLLs from loading into processes created by the run, suspended_run and fork and run commands
v0.4.2 dll_unblock Disables the process mitigation policy that blocks non-Microsoft-signed DLLs from loading into processes created by those commands
v0.1 psimport Loads a PowerShell script into memory so that its functions can be invoked with 'psreflect'
v0.1 change_wallpaper Changes the wallpaper for the users primary desktop
v0.1 stop_tcp Stops a TCP listener on the badger
v0.4.1 set_malloc Changes fork and run’s memory allocation technique of badger
v0.4.1 set_threadex Changes fork and run’s thread execution technique of badger
v0.1 sleep Configures callback interval for your badger with a sleep time and jitter percentage
v0.1 cd Changes directory and supports SMB navigation
v0.1 cp Copies a file from a source path to a destination path
v0.1 mv Moves a file from a source path to a destination path
v0.1 rm Deletes a file on the badger’s host
v0.1 mkdir Creates a directory on the badger’s host
v0.1 rmdir Deletes a directory on the badger’s host
v0.1 ls Prints files and folders from current directory, a given directory path or a target share path
v0.1 net Runs predefined net-style user/group enumeration without spawning net.exe
v0.1 runas Runs a process as another user with a given domain/host, username and password
v0.1 make_token Creates an impersonated token from a given domain/host, username and password
v0.1 run Runs a process and prints the output to terminal by capturing the stdout
v0.1 kill Kills a process with a given PID
v0.1 shellspawn Runs a file/folder with shell attributes using ShellExecute on Windows
v0.1 ps Prints running processes with pid, ppid, user and full process path
v0.1 set_parent Configures a parent process ID for spoofing. The PID must belong to an existing process
v0.1 switch Reroutes the current payload to a new domain and port. Other attributes of the listener must be the same as the current one, else the badger won’t authenticate to the new C2.
v0.1 *get_system Elevates privileges to SYSTEM (requires admin rights). If you are a domain user, this makes you lose your domain rights, since SYSTEM is a local account (network access from it uses the machine account, not your domain user)
v0.1 *system_exec Executes a file with SYSTEM privileges (requires admin rights). If you are a domain user, this makes you lose your domain rights, since SYSTEM is a local account (network access from it uses the machine account, not your domain user)
v0.1 loadr Loads a reflective DLL into a target process
v0.1 download Downloads a file from a given path. Optionally takes an additional argument specifying the number of bytes to send in each request
v0.1 screenshot Takes a screenshot of current desktop and stores it on the server
v0.1 reg Runs a registry query (without reg.exe)
v0.1 set_child Set child process path for fork and run
v0.3 scquery Prints services on current host or a target host. Optionally takes a service name to query on a target host
v0.4.1 contact_harvester Extracts the contacts from Outlook’s Global Address List
v0.1 psreflect Loads powershell commands reflectively in a target process and returns the output by capturing the stdout
v0.5 *mimikatz Reflectively loaded mimikatz by Benjamin Delpy. Uses the usual mimikatz commands; inline command arguments must be quoted
v0.1 *samdump Dumps NTLM hashes from SAM for all users in the local system
v0.1 *shadowclone Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique
v0.1 sharpreflect Loads a C# executable reflectively in a target process and returns the output by capturing the stdout
v0.1 upload Uploads a local file on the warmonger’s host to the badger host. To upload a file to a target path, navigate to that directory using ‘cd’ and use the ‘upload’ command
v0.1 pcinject Injects a new http/tcp/smb payload using existing payload config to a given process Id
v0.1 pivot_tcp Starts a tcp listener on the badger. Listener name should be a single word and cannot contain spaces
v0.1 set_argument Configures a spoofed command-line argument for the run, suspended_run and fork and run commands. Every newly created process will use it as its spoofed argument. Note that the real argument must be no longer than the spoofed one
v0.1 pivot_smb Connects to SMB badger over named pipe and uses custom encryption of Brute Ratel for communication
v0.1 camouflage Runs a credential capturing pop-up (social engineering) using C# reflection
v0.2 shinject Loads a position independent shellcode into a target process
v0.3 *psexec Executes a payload configuration as a shellcode on target host using psexec technique. Takes a third optional argument as a target process to inject the shellcode into on the target host
v0.3 *sccreate Creates a service on local or remote host using RPC
v0.3 *scdelete Deletes a service on local or remote host using RPC
v0.4.1 *scdivert Changes the service binary path for an existing service over local or remote host using RPC
v0.4.1 psgrep Subset of the ‘ps’ command. Searches for a specific process and prints a specific process information
v0.5 *pivot_winrm Executes a payload config on a target host over WinRM, using Invoke-Command via PowerShell reflection (psreflect)
v0.5 portscan Performs a full TCP connect scan against a given host over space-separated port numbers or a port range. Ports are scanned in the order they are given in the arguments
v0.5 dcsync Dump password hashes from a domain controller. Optionally takes an argument to dump only a single user’s hash. Can be used with an impersonated token
v0.5 netshares Displays shares on current or a target host. Additionally takes ‘privs’ as an argument to check for admin privs on the host
v0.5 set_wmiconfig Configures WMI namespace, domain username and password for ‘wmispawn’ command
v0.5 get_wmiconfig Return configured WMI namespace and user credentials for ‘wmispawn’ command
v0.5 reset_wmiconfig Resets configured WMI namespace and user credentials for ‘wmispawn’ command
v0.5 wmispawn Runs a wmi query while using the wminamespace, username and password configured from ‘set_wmiconfig’ command. Default configuration is ‘ROOT\CIMV2’
v0.6 crisis_monitor Starts or stops a routine to check for critical events: User session change, Power Status, Shutdown/logoff events
v0.6 grab_token Generates a duplicate token from the primary token of a process and stores it in Token Vault. Use ‘token_vault’ to view all the stored tokens in the vault
v0.6 token_vault Displays harvested tokens stored in the vault
v0.6 impersonate Impersonate an existing token from token vault. Use ‘grab_token’ to extract and save a token to the vault
v0.6 vault_remove Removes a token from Token Vault
v0.6 vault_clear Removes all tokens stored in Token Vault
v0.6 coffexec Runs COFF files in memory and provides compatibility for executing BOFs written for Cobalt Strike
v0.6 list_modules Lists DLLs loaded in current or a target process. To find target process modules, supply a pid
v0.6 list_exports Lists exports from a DLL which is already loaded in the current process
v0.6 memhunt Lists memory page section permissions from current or a target process. To find target process memory page sections, supply a pid
v0.6 suspended_run Create a process in suspended mode. Useful when you want to inject custom shellcode/dll into a process which exits instantly on creation
v0.6 set_killdate Configures the badger to autoexit on a given date. Date format should be in RFC822, eg. 18 Sep 21 12:45 IST
v0.6 get_killdate Prints the configured killdate date for badger
v0.6 sharpinline Runs a C# executable within the badger's process and returns the output
v0.7 *shadowcloak (only x64 support) Extracts the memory of lsass.exe without calling MiniDumpWriteDump and downloads it to the Ratel server without touching disk
v0.7 *scstart Starts a service on local or target host using RPC
v0.7 netstat Displays all TCP/UDP connections and listening ports
v0.7 routes Displays all IPv4 routes for the current host
v0.7 local_sessions Displays connected and disconnected console/RDP sessions on the current host
v0.7 query_session Displays connected and disconnected console/RDP sessions on a target host. Requires admin privilege or token
v0.7 sentinel Runs raw and pre-created ldap queries towards the domain controller or the forest
v0.7 passpol Displays the password policy for current or target host
v0.7 dnscache Displays the DNS cache of current host
v0.7 getenv Displays all the environmental variables set for the current process
v0.7 sysinfo Displays basic system and hardware information
v0.7 windowlist Displays all hidden and visible windows
v0.7 schtquery Shows scheduled tasks on the current or a target host along with the XML data of the scheduled task
v0.7 sharescan Enumerates shares by reading a local file containing hostnames separated by newlines
v0.7 keylogger Logs keystrokes of the target user. Use ‘kill’ command to kill the process injected keylogger and get the logged output
v0.7 shinject_ex Loads a position independent shellcode into an existing process
v0.7 patchetw Patches ETW for the current process irrespective of psreflect or the sharpreflect/sharpinline command
v0.7 ps_ex Prints running processes with pid, user and process of a remote system
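The 'portscan' entry above specifies an argument shape (space-separated port numbers and/or a port range) and a guarantee (ports probed in the order given). As an added example, not Brute Ratel's code and not from this page's author, the Python below parses that argument form into an ordered, de-duplicated port list, then performs a full TCP connect scan over it. The only assumption taken from the page is the argument shape; the range syntax 'start-end', the timeout handling and the result format are this example's own choices.

```python
"""Ordered port-spec parsing and a full TCP connect scan.

Added example; not Brute Ratel code.  It only assumes the argument shape
described for 'portscan': a host followed by space-separated port numbers
and/or 'start-end' ranges, probed in the order given.  Timeout handling
and the result format are this example's own choices.
"""
import socket
from typing import Iterator, List, Tuple


def parse_ports(spec: str) -> List[int]:
    """Expand '22 80 8000-8002 443' into [22, 80, 8000, 8001, 8002, 443].

    Order is preserved, a port seen twice is probed once, and malformed
    tokens or out-of-range ports raise instead of being skipped silently.
    """
    seen, ports = set(), []
    for token in spec.split():
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range: {token}")
            candidates = range(lo, hi + 1)
        else:
            candidates = [int(token)]
        for port in candidates:
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            if port not in seen:
                seen.add(port)
                ports.append(port)
    return ports


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Iterator[Tuple[int, str]]:
    """Complete a TCP handshake to each port in order.

    Yields (port, state): 'open' on a completed handshake, 'closed' on an
    immediate RST, 'filtered' on timeout.  Because the handshake completes,
    the target service and any host or network sensor see a real connection
    from the scanning host; that visibility is the trade-off of a full
    connect scan compared with a half-open scan.
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                yield port, "open"
            except socket.timeout:
                yield port, "filtered"
            except ConnectionRefusedError:
                yield port, "closed"
            except OSError as err:
                yield port, f"error:{err.errno}"


def loopback_demo() -> dict:
    """Listen on one ephemeral loopback port, release another, scan both in order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    open_port, closed_port = listener.getsockname()[1], spare.getsockname()[1]
    spare.close()  # nothing listens here now, so connect() gets a RST
    try:
        results = dict(connect_scan("127.0.0.1", parse_ports(f"{closed_port} {open_port}"), 0.5))
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    print(parse_ports("22 80 8000-8002 443"))
    print(loopback_demo())
```

Scanning in the order given matters operationally: put the ports you most need answered first so that a slow, filtered port at the end of the list does not delay them, and keep the timeout short on internal networks where a RST or SYN-ACK normally arrives within milliseconds.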