Analytics Story: Brute Ratel C4

Description

Leverage searches that allow you to detect and investigate unusual activities that may be related to the Brute Ratel red-teaming tool. This includes creation, modification and deletion of services, collection of data, pinging of IP addresses, DNS cache enumeration, process injection, debug privilege adjustment, duplication of the winlogon process token, locking the workstation, clipboard or screenshot capture, and much more.

Why it matters

Brute Ratel C4 (BRC4) is a recent red-teaming tool that simulates several TTPs. It uses techniques such as direct syscalls and patching of ETW/AMSI, and is written in native C to minimize noise in process command lines. This tool was seen in the wild being abused by ransomware operators (BlackCat) and other adversaries in their campaigns to install the BRC4 agent, which serves as a remote administration tool to compromise the target host or network.

Detections

Name | Technique | Type
---- | --------- | ----
Suspicious Process File Path | Create or Modify System Process | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Modification Of Wallpaper | Defacement | TTP
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle | Token Impersonation/Theft | Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Token Impersonation/Theft | Anomaly
Windows Defacement Modify Transcodedwallpaper File | Defacement | Anomaly
Windows Gather Victim Identity SAM Info | Credentials | Hunting
Windows Hijack Execution Flow Version Dll Side Load | DLL Search Order Hijacking | Anomaly
Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting
Windows Process Injection With Public Source Path | Portable Executable Injection | Hunting
Windows Remote Access Software BRC4 Loaded Dll | Remote Access Software, OS Credential Dumping | Anomaly
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Service Deletion In Registry | Service Stop | Anomaly
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1