Server (Reporting)

The Server menu in Commander provides access to the various reporting capabilities of Brute Ratel. All sorts of logs such as badger output, server logs, downloads, MITRE mapping and other artefact can be accessed via this context menu.

Add/Save Credentials

You can import harvested credentials to the Credentials manager either using profiles or by selecting Server->Add Credentials. Once added, these credentials can be found in the Creds tab on the dashboard which can be used to create Windows access tokens for lateral movement.

You can add a credential manually or import multiple credentials by selecting ‘Import CSV’ button. The CSV format is provided in the BRc4 package in the server_confs directory.

All credentials imported can be exported using the Save Credentials option in the Server context menu.

Download Manager

All downloaded files can be viewed or downloaded by selecting ‘Server->View Downloads’. This will list all downloads as a list. Download and view options are available in the right click context menu. Jpeg, png, bmp and text files can be viewed directly, however the rest of the files need to be downloaded from the server.

The text file can be viewed in Scratchpad whereas screenshots load up inside Brute Ratel’s Image Viewer.

Log Viewer

Server logs can be viewed by selecting ‘Server->View Logs’. This will list all the logs on the server including badger log/command and output history. Logs are rotational and are stored under their respective dates. Badger’s log is stored in a separate directory under the current date as the folder name and the each of the badger log is listed under b-0.log, b-1.log and so on.

De-authenticated badger logs and the web logs are stored in a separate file in the same directory as that of the badger.

These files can be viewed or downloaded by right clicking and selecting view/download. Scratchpad provides a functionality to search the logs for specific strings. You can type the string to search for in the ‘Search free text here’ field and hit enter to search in ascending order. The buttons next to the search box can help to navigate the search, up and down in Scratchpad.

Debug DNS Over HTTPS

The debug DOH logs help provide a bit more verbosity to the DOH logging functionality. Due to the way DNS is built, The RFC only allows sending up-to 64 bytes per subdomain per request. This means if the badger needs to send back a large response, it will send it in multiple chunks. Badger sends all output in encrypted format, which means unless the whole response is received from the badger, the server cannot decrypt it, and if it cannot decrypt it, it means it cannot identify which badger is sending the response. This means until the full response is received, the server cannot decrypt the data and Commander won’t show whether the badger checkin-in even if it is continuously sending in chunks of response. However, in order to tackle this, the ratel server comes pre-built with a debug log functionality. This is by-default disabled unless the operator enables it from Server->Enable/Disable DOH Debug Logs. Once enabled, the ratel server will show up the badger checking in everytime it calls back, until disabled. Debug logs show up in the ratel server logs.

User Activity

Brute Commander provides detailed logs of all the commands executed by the user alongside the respective MITRE tactics and techniques for audit purpose. This contains short commands, full commands, time and mitre information as to when the command was executed and how many times a user executed a specific command. You can access the activity log by selecting Server->User Activity. You can filter out a specific user by selecting the user from the drop down menu and export the logs into CSV.

MITRE Team Activity

Unlike Brute Ratel MITRE Map, which provides a MITRE graph of all the Brute Ratel commands, MITRE Team Activity displays a MITRE graph only for the commands executed by the Red Team/Adversary Simulation Team. This can help to narrow down which type of commands worked the most during a Red Team engagement and to list them out during reporting.

Brute Ratel MITRE Map

All of the Badger commands of Brute Ratel can be viewed in a node based MITRE graph which shows the respective tactics and techniques. This can be accessed from Server Config->Brute Ratel MITRE Map.