Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-08-23
  • Author: Teoderick Contreras, Splunk
  • ID: 0ec9dbfe-f64e-46bb-8eb8-04e92326f513

Narrative

Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP’s. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.

Detections

Name Technique Type
Executables Or Script Creation In Suspicious Path Masquerading TTP
Modification Of Wallpaper Defacement TTP
Suspicious Process File Path Create or Modify System Process TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation Anomaly
Windows Defacement Modify Transcodedwallpaper File Defacement Anomaly
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information Hunting
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow Anomaly
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture Hunting
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection Hunting
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping Anomaly
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Deletion In Registry Service Stop Anomaly

Reference

source | version: 1