S1063: Brute Ratel C4
Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[1][2][3][4][5]
Analyst context for executives and security teams
Brute Ratel C4 matters because it is a commercial red-team/adversary simulation tool designed to challenge EDR and AV visibility, with Windows agents (“badgers”) that can support command execution, lateral movement, privilege escalation, persistence, discovery, collection, and command-and-control behaviors. For leaders, the decision value is not the tool name alone: it is whether the organization can detect and investigate stealthy post-compromise activity that may look like legitimate administration, web/DNS traffic, or normal Windows management.
Executive priority
Prioritize this as a resilience and readiness test for Windows endpoint, identity, network, and SOC operations. ATT&CK provides no official detection guidance for this software entry, so executives should ask whether current controls can prove coverage across the related behaviors: remote services and admin shares, WinRM/WMI execution, domain account and group discovery, suspicious C2 over web/DNS/non-application protocols, tool transfer, process injection, masquerading, and local data collection. This is also useful audit evidence: defensive teams should be able to show telemetry exists, alerts are tuned, and incident responders have playbooks for stealthy red-team-style tooling that may be abused outside authorized testing.
Technical view
Validate behavior-based detection rather than relying only on product or filename signatures. The object is a Windows tool, but many related ATT&CK techniques span other platforms; start with Windows coverage for the tool and use the related techniques to guide broader enterprise checks. SOC and IR teams should correlate endpoint process, command-line, module/API, file, registry, authentication, SMB, WinRM, WMI, DNS, proxy, firewall, and EDR telemetry. High-value behavior chains include malicious-file execution followed by obfuscated payload activity, native API or PE injection, domain/user/group discovery, network service discovery, lateral movement through SMB admin shares or WinRM, ingress tool transfer, local data collection or screen capture, and C2 over HTTP/S, DNS, web services, or non-application-layer protocols.
Likely telemetry
- Windows endpoint process creation and command-line events, including cmd.exe and administrative tool usage
- EDR/AV prevention and detection events, including suspicious memory, injection, and evasion indicators
- WMI and WinRM operational logs and remote execution evidence
- Windows authentication logs, especially domain logons and remote service access
- SMB and Windows admin share access records
Detection direction
- Use behavior correlations across the related techniques instead of a single indicator-based rule, because the official description notes the tool was designed to avoid EDR and AV capabilities and no official ATT&CK detection text is provided.
- Tune for suspicious combinations: user-opened file or new executable, obfuscation/deobfuscation, unusual child processes, API-heavy execution, process injection, discovery commands, and outbound C2-like traffic.
- Baseline legitimate administration for SMB admin shares, WinRM, WMI, domain enumeration, and network service discovery; these are common false-positive areas but become higher-risk when paired with new binaries, unusual source hosts, or external communications.
- Review DNS, web, and non-application-protocol egress visibility, since related C2 techniques include Web Protocols, DNS, Web Service, and Non-Application Layer Protocol.
- Confirm detection engineering covers masquerading and file-type mismatch behaviors, not just known hashes or names.
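A correlation rule in the spirit of the bullets above, written here as an added example rather than Glexia or MITRE code: it groups constructed Sysmon-style process-creation records per host, tags the discovery commands this page lists (`net group "Domain Admins" /domain`, `net user /domain`, `nltest /domain_trusts`), and alerts only when several distinct behaviors cluster inside a short window, raising severity when the parent image sits in a user-writable path. Hostnames, file paths, timestamps and the 10-minute window are assumptions, not values from the page.

```python
# Added example (not Glexia or MITRE code): discovery-burst correlation over constructed Sysmon-style events.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command patterns taken from this page, tagged with the behavior they indicate.
DISCOVERY_PATTERNS = {
    "domain_groups": re.compile(r"\bnet1?\s+group\b.*/domain", re.I),
    "domain_users": re.compile(r"\bnet1?\s+user\b.*/domain", re.I),
    "domain_trusts": re.compile(r"\bnltest\b.*/domain_trusts", re.I),
}
# A parent image running from a user-writable path raises alert severity.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_DISTINCT = 2  # distinct discovery behaviors required inside one window

def classify(cmdline):
    """Return the set of discovery categories a command line matches."""
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmdline)}

def correlate(events):
    """One (host, parent_image, categories, severity) per host showing MIN_DISTINCT categories inside WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev["cmdline"])
        if cats:
            per_host[ev["host"]].append((ev["ts"], ev["parent"], cats))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, parent, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            cats = set().union(*(h[2] for h in in_window))
            if len(cats) >= MIN_DISTINCT:
                sev = "high" if USER_WRITABLE.search(parent) else "medium"
                alerts.append((host, parent, frozenset(cats), sev))
                break  # one alert per host is enough for triage
    return alerts

def _ev(ts, host, parent, cmdline):  # builds one constructed event record
    return {"ts": datetime.fromisoformat(ts), "host": host, "parent": parent, "cmdline": cmdline}
TEMP_EXE = r"C:\Users\jdoe\AppData\Local\Temp\update.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("2024-07-01T10:00:00", "WS-1042", TEMP_EXE, 'net group "Domain Admins" /domain'),
    _ev("2024-07-01T10:03:00", "WS-1042", TEMP_EXE, "nltest /domain_trusts"),
    _ev("2024-07-01T10:04:00", "WS-1042", TEMP_EXE, "net user /domain"),
    _ev("2024-07-01T11:00:00", "ADMIN-01", r"C:\Windows\System32\cmd.exe", "net user /domain"),
]

if __name__ == "__main__":
    for host, parent, cats, sev in correlate(SAMPLE_EVENTS):
        print(f"{sev.upper()} {host}: {sorted(cats)} spawned by {parent}")
```

The lone `net user /domain` on ADMIN-01 from cmd.exe produces no alert, which is the baselining point made above: a single discovery command is routine administration until it clusters with others or comes from an unexpected binary.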
Mitigation priorities
- Establish strict governance for any approved adversary simulation tooling, including authorization, scope, logging, and post-test evidence review.
- Harden Windows remote administration paths: restrict SMB admin shares, WinRM, and WMI usage to approved administrators and management hosts.
- Strengthen identity controls around domain accounts and groups, including least privilege and monitoring for unusual enumeration or remote logon patterns.
- Improve egress control and monitoring for web, DNS, web service, and unusual protocol communications from endpoints.
- Ensure endpoint controls are configured to monitor memory/injection, suspicious API usage, obfuscated files, masquerading, and unauthorized tool transfer.
Analyst notes and limits
This take is based on the ATT&CK software entry for Brute Ratel C4 and its supplied relationships. The most defensible approach is to map coverage to the related techniques: execution through command shell, WMI, native API, and malicious files; lateral movement through remote services, SMB admin shares, and WinRM; discovery; evasion through obfuscation, masquerading, dynamic API resolution, and PE injection; collection; ingress tool transfer; and C2 over web, DNS, web services, and other protocols.
ATT&CK does not provide official detection guidance or tactics directly on this software object, and the supplied platform for the tool is Windows. Relationship techniques include broader platforms, but those should not be treated as proof that this specific tool operates on every related platform. Local validation is required to determine actual telemetry quality, alert coverage, false positives, and authorized red-team usage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.002 | Portable Executable Injection | Brute Ratel C4 has injected Latrodectus into the Explorer.exe process on compromised hosts. (Citation: Rapid7 Fake W2 July 2024) |
| Enterprise | T1569.002 | Service Execution | Brute Ratel C4 can create Windows system services for execution. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1059.003 | Windows Command Shell | Brute Ratel C4 can use cmd.exe for execution. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1021.006 | Windows Remote Management | Brute Ratel C4 can use WinRM for pivoting. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1113 | Screen Capture | Brute Ratel C4 can take screenshots on compromised hosts. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1057 | Process Discovery | Brute Ratel C4 can enumerate all processes and locate specific process IDs (PIDs). (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1027 | Obfuscated Files or Information | Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory. (Citation: Palo Alto Brute Ratel July 2022) (Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1047 | Windows Management Instrumentation | Brute Ratel C4 can use WMI to move laterally. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Brute Ratel C4 has used a payload file named OneDrive.update to appear benign. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Brute Ratel C4 has the ability to use SMB to pivot in compromised networks. (Citation: Palo Alto Brute Ratel July 2022) (Citation: MDSec Brute Ratel August 2022) (Citation: Dark Vortex Brute Ratel C4) |
| Enterprise | T1005 | Data from Local System | Brute Ratel C4 has the ability to upload files from a compromised system. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Brute Ratel C4 has the ability to deobfuscate its payload prior to execution. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1069.002 | Domain Groups | Brute Ratel C4 can use `net group` for discovery on targeted domains. (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1572 | Protocol Tunneling | Brute Ratel C4 can use DNS over HTTPS for C2. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1518.001 | Security Software Discovery | Brute Ratel C4 can detect EDR userland hooks. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1685 | Disable or Modify Tools | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI). (Citation: Palo Alto Brute Ratel July 2022) (Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1036.008 | Masquerade File Type | Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1087.002 | Domain Account | Brute Ratel C4 can use LDAP queries, `net group "Domain Admins" /domain` and `net user /domain` for discovery. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1021 | Remote Services | Brute Ratel C4 has the ability to use RPC for lateral movement. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1620 | Reflective Code Loading | Brute Ratel C4 has used reflective loading to execute malicious DLLs. (Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1046 | Network Service Discovery | Brute Ratel C4 can conduct port scanning against targeted systems. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1482 | Domain Trust Discovery | Brute Ratel C4 can use LDAP queries and `nltest /domain_trusts` for domain trust discovery. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1106 | Native API | Brute Ratel C4 can call multiple Windows APIs for execution, memory sharing, and defense evasion. (Citation: Palo Alto Brute Ratel July 2022) (Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1102 | Web Service | Brute Ratel C4 can use legitimate websites for external C2 channels, including Slack, Discord, and MS Teams. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1071.004 | DNS | Brute Ratel C4 can use DNS over HTTPS for C2. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Trend Micro Black Basta October 2022) |
| Enterprise | T1095 | Non-Application Layer Protocol | Brute Ratel C4 has the ability to use TCP for external C2. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Brute Ratel C4 can download files to compromised hosts. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Rapid7 Fake W2 July 2024) |
| Enterprise | T1027.007 | Dynamic API Resolution | Brute Ratel C4 can call and dynamically resolve hashed APIs. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1497.003 | Time Based Checks | Brute Ratel C4 can call `NtDelayExecution` to pause execution. (Citation: Palo Alto Brute Ratel July 2022) (Citation: MDSec Brute Ratel August 2022) |
| Enterprise | T1574.001 | DLL | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency of a benign application packaged in the same ISO. (Citation: Palo Alto Brute Ratel July 2022) Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1558.003 | Kerberoasting | Brute Ratel C4 can decode Kerberos 5 tickets and convert them to hashcat format for subsequent cracking. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1204.002 | Malicious File | Brute Ratel C4 has gained execution through users opening malicious documents. (Citation: Palo Alto Brute Ratel July 2022) |
| Enterprise | T1071.001 | Web Protocols | Brute Ratel C4 can use HTTP and HTTPS for C2 communication. (Citation: Palo Alto Brute Ratel July 2022) (Citation: Trend Micro Black Basta October 2022) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 298aa28db36c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dark Vortex Brute Ratel C4: Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023.
- [2] Palo Alto Brute Ratel July 2022: Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
- [3] MDSec Brute Ratel August 2022: Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
- [4] SANS Brute Ratel October 2022: Thomas, W. (2022, October 5). Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground. Retrieved February 6, 2023.
- [5] Trend Micro Black Basta October 2022: Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- [6] Associated name: BRc4 (Citation: Palo Alto Brute Ratel July 2022)
- [7] External reference: mitre-attack S1063
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.