Analytics Story: Brute Ratel C4

Description

Leverage searches that allow you to detect and investigate unusual activities that may be related to the Brute Ratel red teaming tool. This includes creation, modification and deletion of services, collection of data, pinging IP addresses, DNS cache lookups, process injection, debug privilege adjustment, duplication of the winlogon process token, locking the workstation, capturing the clipboard or screenshots, and much more.

Why it matters

Brute Ratel C4 (BRC4) is the latest red teaming tool that simulates several TTPs. It uses techniques such as direct syscalls and patching of ETW/AMSI, and it is written in native C to minimize noise in process command lines. This tool has been seen in the wild being abused by ransomware operators (BlackCat) and other adversaries in their campaigns to install the BRC4 agent, which can serve as a remote administration tool to compromise the target host or network.

Detections

| Name | Technique | Type |
|---|---|---|
| Modification Of Wallpaper | Defacement | TTP |
| Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly |
| Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Windows Service Deletion In Registry | Service Stop | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Windows Input Capture Using Credential UI Dll | GUI Input Capture | Hunting |
| Windows Remote Access Software BRC4 Loaded Dll | OS Credential Dumping, Remote Access Tools | Anomaly |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Token Impersonation/Theft | Anomaly |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Windows Defacement Modify Transcodedwallpaper File | Defacement | Anomaly |
| Windows Process Injection With Public Source Path | Portable Executable Injection | Hunting |
| Windows Service Created with Suspicious Service Name | Service Execution | Anomaly |
| Windows Access Token Manipulation Winlogon Duplicate Token Handle | Token Impersonation/Theft | Hunting |
| Windows Gather Victim Identity SAM Info | Credentials | Hunting |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly |
| HTTP C2 Framework User Agent | Web Protocols | TTP |
| Windows Service Created with Suspicious Service Path | Service Execution | TTP |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting |
| Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 8 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Suricata | Other | suricata | not_applicable |

Source: GitHub | Version: 2