Security teams face a new generation of offensive tooling, and Brute Ratel C4 (BRC4) is leading the charge. Originally developed for legitimate red team exercises and security testing, BRC4’s powerful evasion and attack automation features have quickly made it a favorite tool for real-world attackers. Here’s what you need to know.
What is Brute Ratel?
Brute Ratel is a post-exploitation and command-and-control (C2) framework, created by Chetan Nayak, used to simulate advanced attacker behaviors. Its capabilities include:
- Stealth & evasion: Highly resistant to detection by EDR tools through userland hook removal, memory encryption, and sleep masking.
- Custom payload generation: Supports EXE, DLL, and shellcode payloads with flexible beaconing via HTTP/S, DNS, SMB, and DoH.
- Robust agent management: Uses "Badgers" as agents for executing attacker commands.
- Fileless operations: Operates fully in-memory, leaving minimal forensic traces.
- Highly customizable attack profiles: Supports unique malleable profiles to disguise communications as legitimate traffic.
How threat actors abuse Brute Ratel
1. Listener and malleable profile configuration
Attackers configure BRC4 to communicate over HTTP/S with several obfuscation and evasion techniques designed to bypass perimeter and network-based detections:
Rotational domains and IPs
Operators set up multiple domain names or IP addresses that rotate or change over time, helping evade static allow/block lists and threat intel feeds.
Custom malleable profiles
Attackers craft JSON-formatted requests and responses that mimic legitimate web traffic, making malicious communication blend into normal network noise.
Custom HTTP headers
Operators define their own HTTP headers, such as mimicking content-type headers like application/json, to make malicious traffic appear like regular API or web service communication.
Multiple URI paths
BRC4 allows the use of randomized or pre-defined URL paths that look like common web resources (e.g., /api/v1/data), increasing the chance of bypassing signature-based detections.
Fallback communication methods
If one communication channel is blocked, attackers can reconfigure payloads to failover to alternative domains or C2 servers without re-infecting the target.
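Because the techniques above vary domains, paths and headers, network detection has to key on behavior rather than on indicators. The following added example (not part of the original article, and not BRC4 code) scores the regularity of request timing per source/destination pair over a constructed proxy log; the hostnames, IPs and thresholds are made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <dst_host> <uri>".
# 10.0.0.5 checks in to cdn-assets.example roughly every 60 s with a few
# seconds of jitter while alternating URI paths; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 cdn-assets.example /api/v1/data
2024-03-01T09:01:03 10.0.0.5 cdn-assets.example /static/app.js
2024-03-01T09:02:01 10.0.0.5 cdn-assets.example /api/v1/data
2024-03-01T09:03:04 10.0.0.5 cdn-assets.example /static/app.js
2024-03-01T09:04:02 10.0.0.5 cdn-assets.example /api/v1/data
2024-03-01T09:00:10 10.0.0.9 news.example /index.html
2024-03-01T09:00:14 10.0.0.9 news.example /article/1
2024-03-01T09:07:30 10.0.0.9 news.example /article/2
2024-03-01T09:07:31 10.0.0.9 news.example /img/logo.png
2024-03-01T09:41:00 10.0.0.9 news.example /index.html
"""

def parse(log):
    """Yield (timestamp, src, dst); the URI path is deliberately ignored."""
    for line in log.splitlines():
        ts, src, dst, _uri = line.split()
        yield datetime.fromisoformat(ts), src, dst

def score_pairs(log, min_requests=4):
    """Map each (src, dst) pair to the coefficient of variation (stdev / mean)
    of its inter-request gaps. A value near zero means periodic check-ins, a
    property that survives jitter, path rotation and header mimicry."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        scores[pair] = pstdev(gaps) / mean(gaps)
    return scores

def flag_beacons(log, threshold=0.2):
    """Return (src, dst) pairs whose timing is regular enough to review."""
    return sorted(p for p, cv in score_pairs(log).items() if cv < threshold)

if __name__ == "__main__":
    print("candidate beacons:", flag_beacons(SAMPLE_LOG))
```

Grouping by hostname means rotating domains would spread the signal across several pairs, so in practice the same scoring is also run per source host against resolved IP or ASN.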

2. EDR evasion
Attackers leverage several advanced evasion features in BRC4 to bypass runtime security mechanisms and avoid detection:
Userland unhooking
BRC4 targets the user-mode API hooks that EDR and antivirus products place on key Windows APIs. Removing those hooks takes away the security software’s ability to inspect or block the agent’s behavior, and does so without raising alerts.
Sleep masking
During idle periods, BRC4 encrypts and hides its in-memory regions, making it difficult for memory scanners or EDRs to detect static or dormant payloads. This is particularly effective against solutions that monitor long-running processes for anomalous behavior.
Indirect syscalls
Instead of calling Windows APIs directly—where security tools often monitor execution—BRC4 uses indirect syscalls to obscure the call path, making it harder for security solutions to trace and flag malicious behavior.
Stack & thread spoofing
BRC4 manipulates the execution context of its running threads by spoofing stack frames and thread start addresses. This tricks analysis tools and debuggers into misinterpreting or overlooking malicious activity, allowing attackers to evade both manual and automated analysis.

3. Credential stealing and lateral movement
Attackers use BRC4 to execute credential theft and lateral movement operations with precision and stealth:
Kerberoasting attacks
BRC4 automates the enumeration of service principal names (SPNs) within Active Directory environments, allowing attackers to extract Kerberos ticket-granting service (TGS) tickets. These tickets can then be cracked offline to reveal plaintext service account passwords, providing elevated access to sensitive systems and services.
Session token theft
BRC4 enables attackers to capture and store authentication tokens from active user sessions. By reusing these tokens, attackers can impersonate privileged users such as domain administrators without needing to know their actual passwords, allowing seamless escalation of privileges.
Stealthy lateral movement
BRC4 provides multiple lateral movement techniques:
- SC divert: Modifies existing services on remote hosts to run attacker-controlled payloads without creating new services, reducing detection risk.
- SMB execution: Executes commands on remote systems using SMB protocols, leveraging existing administrative shares.
- PsExec-like execution: Deploys payloads remotely using techniques similar to Microsoft’s PsExec tool, without relying on additional binaries.
- WMI execution: Executes commands on remote systems through Windows Management Instrumentation (WMI), avoiding the need to drop executables to disk.
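Automated SPN enumeration produces a burst of service-ticket requests that a defender can spot in domain controller logs. The following added example (not from the article, and not BRC4 code) flags accounts that requested RC4-encrypted service tickets for many distinct services within a short window, run over constructed records shaped like Security Event ID 4769; the account and service names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Security Event ID 4769 (Kerberos service
# ticket requested): time, requesting account, service name, ticket
# encryption type. 0x17 is RC4-HMAC, the type offline crackers prefer;
# 0x12 is AES256. All names are made up.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:01", "jdoe", "svc_sql01", "0x17"),
    ("2024-03-01T10:00:01", "jdoe", "svc_web01", "0x17"),
    ("2024-03-01T10:00:02", "jdoe", "svc_backup", "0x17"),
    ("2024-03-01T10:00:02", "jdoe", "svc_sccm", "0x17"),
    ("2024-03-01T10:00:03", "jdoe", "svc_report", "0x17"),
    ("2024-03-01T10:00:03", "jdoe", "svc_ftp", "0x17"),
    ("2024-03-01T10:05:00", "asmith", "svc_sql01", "0x12"),
    ("2024-03-01T11:30:00", "asmith", "svc_web01", "0x12"),
    ("2024-03-01T10:00:00", "WS01$", "svc_sql01", "0x17"),
]

RC4_HMAC = "0x17"

def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=5):
    """Return {account: sorted distinct services} for user accounts that
    requested RC4 service tickets for at least `min_spns` distinct services
    within any sliding window of length `window`.

    Machine accounts (names ending in $) are skipped. A handful of RC4
    tickets can be legitimate where a service account has AES disabled;
    many distinct SPNs in a few seconds is the automated enumeration
    pattern described above, so tune `min_spns` to the environment."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype != RC4_HMAC or account.endswith("$"):
            continue
        per_account[account].append((datetime.fromisoformat(ts), service))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_spns:
                hits[account] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for account, spns in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"{account}: {len(spns)} distinct SPNs with RC4 tickets: {spns}")
```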

4. Process injection and memory techniques
BRC4 enables attackers to execute malicious code in stealthy and evasive ways by leveraging advanced process and memory manipulation techniques:
Shellcode injection into trusted processes
BRC4 can inject raw shellcode directly into the memory of legitimate system or user processes, allowing attacker-controlled code to run under the guise of trusted applications such as explorer.exe or svchost.exe, making detection by security tools much harder.
Reflective DLL loading for stealthy execution
Attackers use reflective DLL injection to load malicious DLLs into memory without ever writing them to disk. This minimizes forensic artifacts and allows payloads to execute in-memory, evading file-based detection mechanisms.
Inline C# execution without touching disk
BRC4 allows the execution of C# payloads entirely in memory using reflective or inline execution methods. This enables attackers to run .NET-based tools and scripts, such as credential harvesters or reconnaissance utilities, without writing executables to disk, reducing the likelihood of detection.

5. Avoiding repeated detection
Attackers reduce exposure by making it harder for defenders to capture, replay, or analyze their payloads:
One-time authentication keys
BRC4 embeds unique, single-use authentication keys into each payload. Once a payload is executed and connects back to the attacker’s command-and-control server, the key is invalidated. This prevents defenders from capturing the payload and replaying it in sandbox environments for analysis or generating detection signatures based on repeated executions.
Preventing payload reuse
By invalidating used authentication keys, BRC4 ensures that the same payload cannot be used again by defenders or other attackers. This limits defenders’ ability to perform reverse engineering or build reliable threat intelligence from a captured sample.
Limiting forensic analysis
Since every payload is uniquely keyed and expires after first use, defenders face significant challenges in conducting static or dynamic analysis on live samples, forcing them to rely on behavioral detection rather than signature-based methods.

Brute Ratel vs. Cobalt Strike
While Brute Ratel and Cobalt Strike offer almost the same range of offensive security features—including payload generation, command-and-control capabilities, and post-exploitation tooling—their architecture and evasion methods differ significantly.
Cobalt Strike, first released in 2012, became the industry standard for red team operations but was not originally designed with modern EDRs in mind. Brute Ratel, released in 2020, was purpose-built to evade contemporary EDR and antivirus solutions.
When first introduced, BRC4 was relatively unknown to defensive tools, allowing it to bypass most security products. Today, most EDR vendors have adapted and now include detection signatures for BRC4 activities.
How Vectra AI detects Brute Ratel operations
Vectra AI detects BRC4 behaviors across every phase of the attack chain by analyzing attacker tactics, techniques, and procedures mapped to the MITRE ATT&CK framework. This includes detection of behaviors that extend beyond malware signatures or known indicators of compromise (IOCs).
Vectra AI focuses on the following high-risk activities, which reflect real attacker behavior regardless of the tool being used, Brute Ratel included:
- Privilege anomalies: Detects unusual identity usage and privilege escalations.
- Suspicious remote execution: Identifies lateral movement via SMB, WMI, and service manipulation.
- Hidden C2 tunnels: Uncovers covert beaconing using HTTP/S, DNS, or DoH.
- Credential abuse: Spots Kerberoasting and token impersonation.
- Data exfiltration & ransomware: Detects bulk data theft and file encryption activity.
Vectra AI’s coverage of the MITRE ATT&CK Framework
Ready to test your defenses?
The best way to prepare for attacks leveraging tools like Brute Ratel is through an Offensive Security Assessment. Our experts simulate these techniques in your environment, helping you validate your defenses and improve your detection and response capabilities. Contact us to schedule your assessment today!