brute_ratel_c4.yml
name: Brute Ratel C4
id: 0ec9dbfe-f64e-46bb-8eb8-04e92326f513
version: 1
date: '2022-08-23'
author: Teoderick Contreras, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that may be related to the Brute Ratel red teaming tool. This includes creation, modification and deletion of services,
  collection of data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token,
  lock workstation, get clipboard or screenshot and much more.
narrative: Brute Ratel BRC4 is the latest red teaming tool that simulates several TTPs. It uses several techniques
  like syscalls and patching ETW/AMSI, and is written in native C to minimize noise in the process command line. This tool was seen
  in the wild being abused by some ransomware (BlackCat) and adversaries in their campaigns to install the BRC4 agent,
  which can serve as a remote admin tool to compromise the target host or network.
references:
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
tags:
  analytic_story: Brute Ratel C4
  category:
  - Data Destruction
  - Malware
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection