Autoruns

Brute Ratel can automate initial command execution for badgers using the autoruns profiler. Autoruns execute automatically for every badger when it connects for the first time. This is helpful during red team scenarios when you want the badger to execute a specific set of commands as soon as it first connects. For example, a badger may be running in a different timezone, and you want it to run some commands automatically and then sleep for a long duration. Or you may be performing an adversary simulation for a specific threat actor and want to execute all commands related to that threat actor one after the other. Autoruns can be configured either by adding them manually in the C4 profile or from the Brute Commander GUI.

{
    "autoruns": [
        "sleep 60 30",
        "set_child werfault.exe",
        "id",
        "get_privs",
        "dcenum"
    ]
}

During my red team engagements, I found myself waiting for payload connections so that I could send a specific set of initial commands that I always run. But when your payloads are supposed to be executed via a phish, it might generally take a good amount of time because you never know when a user would execute them. So, I built this feature where you can pre-configure some commands on the server itself, so that whenever a badger connects, any command that exists in the autoruns list would be sent to them on their first connection.

To add autoruns from Brute Commander, select C4 Profiler -> Autoruns.

In the Badger Console, the output clearly states which commands were run by a user and which were automated.