Watchlist

The Watchlist displays metadata about the server, badgers, users and events. It is divided into several parts.

Event Viewer

The Event Viewer displays notifications for new badgers and users, listener creation and deletion, and any other modifications made to the server or the payload.

Latest Web Activity

This part of the Watchlist shows the latest web activity on the server. It does not show all the logs; it shows only the most recent web activity seen on the server, to notify the user about the latest scans/connects on the listener. For a detailed view of the server/listener logs, the user can access the Log Viewer.

Statistics

Statistics show a quick count of the badgers, pivots, privileged badgers, workstations, unique users compromised and the count of external IPs that the badgers connected from.

Command Queue

Badgers are asynchronous in nature. Once a badger completes its sleep cycle, it connects to the server to request all the tasks in the queue, downloads the tasks, runs the requested command and returns a response during the next connection cycle. When a badger is in stasis, the commands are held in a queue on the server. These queued commands can be viewed by navigating to the Archives tab and clicking the View badger’s command queue button.

If you mistakenly typed in a command and want to cancel it before a badger connects, you can do so by right-clicking the badger and selecting Clear Cmd-Q.

PsExec Config

The PsExec feature was introduced in version 0.3 of Brute Ratel. PsExec creates a service on a given remote system and starts it using Remote Procedure Calls (RPC). Unlike Microsoft’s PsExec, which uses CreateProcess to pipe cmd.exe over SMB, BRc4’s PsExec service contains a shellcode blob for a payload profile provided during the execution of PsExec. This payload can be an SMB, HTTP or TCP payload, so you are not limited to SMB badgers. One of the most important OpSec considerations during lateral movement is to keep yourself disguised as a legitimate service. Several PsExec options, such as the service name, description, service executable name and the type of payload to execute on the remote host, are customizable on-the-go. They can be configured by selecting C4 Profiler->PsExec Config, which lets you change the service name and description used when a PsExec service is created on the host.
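Seen from the defender's side, operator-chosen service names, descriptions and executable names make string matching unreliable, so the added example below (not part of the Brute Ratel documentation) correlates a network logon with the installation of a service that is absent from a host baseline. It assumes already-parsed Windows events 4624 (logon) and 7045 (service installed); the hosts, names, baseline and 60-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per environment

# Constructed baseline: services expected on each host (e.g. from a golden image).
BASELINE = {"WS-014": {"Spooler", "WinDefend", "wuauserv"}}

# Constructed sample events, shaped like parsed Windows event records.
EVENTS = [
    {"time": "2024-05-02T10:14:03", "host": "WS-014", "id": 4624,
     "LogonType": 3, "IpAddress": "10.0.5.23", "TargetUserName": "svc-admin"},
    {"time": "2024-05-02T10:14:05", "host": "WS-014", "id": 7045,
     "ServiceName": "ExampleSvc", "ImagePath": r"C:\Windows\example-svc.exe"},
    # Known service re-registered: in the baseline, so not reported.
    {"time": "2024-05-02T11:30:00", "host": "WS-014", "id": 7045,
     "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # New service with no recent network logon: left to other rules.
    {"time": "2024-05-02T12:00:00", "host": "WS-014", "id": 7045,
     "ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
]


def find_remote_service_installs(events, baseline, window=WINDOW):
    """Report non-baseline service installs that closely follow a network logon."""
    last_net_logon = {}  # host -> (timestamp, event) of the latest type 3 logon
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == 4624 and ev.get("LogonType") == 3:
            last_net_logon[host] = (ts, ev)
        elif ev["id"] == 7045:
            if ev["ServiceName"] in baseline.get(host, set()):
                continue  # expected service, ignore
            logon = last_net_logon.get(host)
            if logon and ts - logon[0] <= window:
                findings.append({
                    "host": host,
                    "service": ev["ServiceName"],
                    "image_path": ev["ImagePath"],
                    "source_ip": logon[1]["IpAddress"],
                    "account": logon[1]["TargetUserName"],
                    "delay_s": (ts - logon[0]).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_remote_service_installs(EVENTS, BASELINE):
        print(finding)
```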

Once you’ve set the configuration, you can view the existing configuration by opening the ‘Archives’ tab and clicking the ‘PsExec Config’ button, as can be seen in the image below.

Scratchpad

Scratchpad is a simple text editor that can be accessed in the Archives tab. Scratchpad stores everything in memory. It can be used to store quick comments like a usual notepad, or to view logs, downloaded text files, C4 profilers and any other type of text file.