Analytics Story: Brute Ratel C4

Date: 2022-08-23 ID: 0ec9dbfe-f64e-46bb-8eb8-04e92326f513 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.

Why it matters

Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP's. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Modification Of Wallpaper Defacement TTP
Suspicious Process File Path Create or Modify System Process TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation Anomaly
Windows Defacement Modify Transcodedwallpaper File Defacement Anomaly
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information Hunting
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow Anomaly
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture Hunting
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection Hunting
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping Anomaly
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Deletion In Registry Service Stop Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1