Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that may be related to Brute Ratel Red Teaming tool. This includes creation, modification and deletion of services, collection or data, ping IP, DNS cache, process injection, debug privileges adjustment, winlogon process duplicate token, lock workstation, get clipboard or screenshot and much more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-08-23
- Author: Teoderick Contreras, Splunk
- ID: 0ec9dbfe-f64e-46bb-8eb8-04e92326f513
Narrative
Brute RATEL BRC4 is the latest red-teaming tool that simulate several TTP’s. It uses several techniques like syscall, patching ETW/AMSI and written in native C to minimize noise in process command-line. This tool was seen in the wild being abused by some ransomware (blackcat) and adversaries in their campaigns to install the BRC4 agent that can serve as remote admin tool to compromise the target host or network.
Detections
| Name |
Technique |
Type |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Modification Of Wallpaper |
Defacement |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Windows Access Token Manipulation SeDebugPrivilege |
Create Process with Token, Access Token Manipulation |
Anomaly |
| Windows Access Token Manipulation Winlogon Duplicate Token Handle |
Token Impersonation/Theft, Access Token Manipulation |
Hunting |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path |
Token Impersonation/Theft, Access Token Manipulation |
Anomaly |
| Windows Defacement Modify Transcodedwallpaper File |
Defacement |
Anomaly |
| Windows Gather Victim Identity SAM Info |
Credentials, Gather Victim Identity Information |
Hunting |
| Windows Hijack Execution Flow Version Dll Side Load |
DLL Search Order Hijacking, Hijack Execution Flow |
Anomaly |
| Windows ISO LNK File Creation |
Spearphishing Attachment, Phishing, Malicious Link, User Execution |
Hunting |
| Windows Input Capture Using Credential UI Dll |
GUI Input Capture, Input Capture |
Hunting |
| Windows Phishing Recent ISO Exec Registry |
Spearphishing Attachment, Phishing |
Hunting |
| Windows Process Injection With Public Source Path |
Process Injection, Portable Executable Injection |
Hunting |
| Windows Remote Access Software BRC4 Loaded Dll |
Remote Access Software, OS Credential Dumping |
Anomaly |
| Windows Service Created with Suspicious Service Path |
System Services, Service Execution |
TTP |
| Windows Service Creation Using Registry Entry |
Services Registry Permissions Weakness |
TTP |
| Windows Service Deletion In Registry |
Service Stop |
Anomaly |
Reference
source | version: 1