Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Brute Ratel framework is a pen testing and security assessment tool. A version of the tool was leaked and is now publicly available. Command-and-control (C&C) connections generated by Brute Ratel indicate that an attacker could remotely control a device and gain an entry point for further attacks on the network.
Kill Chain
Risk Score
60
Brute Ratel is a post-exploitation framework that is available for legitimate pen testing. However, a leaked version of the tool has been adopted by attackers for malicious activity. The Brute Ratel framework enables an attacker to disguise command-and-control (C&C) communications as legitimate traffic from a Brute Ratel agent, called a badger, installed on the victim device. When a badger initiates a TLS session with the Brute Ratel team server, the C&C server presents a self-signed certificate spoofing Microsoft Security.
After a TLS connection is established, the victim exchanges HTTP POST requests and responses with the C&C server, which appears to be a legitimate domain. HTTP responses from the C&C server include tasks such as "sleep" or "run command". After executing the tasks sent by the server, the victim sends an HTTP POST request that includes encrypted information such as metadata or command output. The Brute Ratel framework offers extensive features for generating shellcode, which makes the framework extremely efficient at bypassing firewalls and intrusion detection and prevention systems.
Quarantine the device while checking for the presence of malware
Monitor and investigate unusual network activity for lateral movement or data exfiltration
