Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Brute Ratel framework is a pen testing and security assessment tool. A version of the tool was leaked and is now publicly available. Command-and-control (C&C) connections generated by Brute Ratel indicate that an attacker could remotely control a device and gain an entry point for further attacks on the network.
Kill Chain
Risk Score
60
Brute Ratel is a post-exploitation framework that is available for legitimate pen testing. However, a leaked version of the tool has been adopted by attackers for malicious activity. The Brute Ratel framework enables an attacker to disguise command-and-control (C&C) communications as legitimate traffic from a Brute Ratel agent, called a badger, installed on the victim device.
After the badger is installed, the victim sends periodic HTTP POST beacon messages to the C&C server. When the attacker is ready to provide instructions, the C&C server responds to the victim request. HTTP responses from the C&C server include tasks such as "sleep" or "run command". After executing the tasks sent by the server, the victim sends an HTTP POST request that includes encrypted information such as metadata or command output. The Brute Ratel framework offers extensive features for generating shellcode, which makes the framework extremely efficient at bypassing firewalls and intrusion detection and prevention systems.
Quarantine the device while checking for the presence of malware
Monitor and investigate unusual network activity for lateral movement or data exfiltration
