惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
V2EX
V
Visual Studio Blog
博客园_首页
Last Week in AI
Last Week in AI
Apple Machine Learning Research
Apple Machine Learning Research
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Martin Fowler
Martin Fowler
Recent Announcements
Recent Announcements
J
Java Code Geeks
月光博客
月光博客
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
P
Privacy & Cybersecurity Law Blog
C
CERT Recently Published Vulnerability Notes
C
CXSECURITY Database RSS Feed - CXSecurity.com
B
Blog RSS Feed
S
Schneier on Security
酷 壳 – CoolShell
酷 壳 – CoolShell
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
W
WeLiveSecurity
A
Arctic Wolf
U
Unit 42
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
有赞技术团队
有赞技术团队
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
量子位
B
Blog
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
博客园 - 叶小钗
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
雷峰网
雷峰网
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
How attackers use Brute Ratel (BRC4)
Zoey Chu · 2026-03-11 · via Vectra AI Blog

Security teams face a new generation of offensive tooling, and Brute Ratel C4 (BRC4) is leading the charge. Originally developed for legitimate red team exercises and security testing, BRC4’s powerful evasion and attack automation features have quickly made it a favorite tool for real-world attackers. Here’s what you need to know.

What is Brute Ratel?

Brute Ratel is a post-exploitation and command-and-control (C2) framework, created by Chetan Nayak, used to simulate advanced attacker behaviors. Its capabilities include:

  1. Stealth & evasion: Highly resistant to detection by EDR tools through userland hook removal, memory encryption, and sleep masking.
  2. Custom payload generation: Supports EXE, DLL, and shellcode payloads with flexible beaconing via HTTP/S, DNS, SMB, and DoH.
  3. Robust agent management: Uses "Badgers" as agents for executing attacker commands.
  4. Fileless operations: Operates fully in-memory, leaving minimal forensic traces.
  5. Highly customizable attack profiles: Supports unique malleable profiles to disguise communications as legitimate traffic.

How threat actors abuse Brute Ratel

1. Listener and malleable profile configuration

Attackers configure BRC4 to communicate over HTTP/S with several obfuscation and evasion techniques designed to bypass perimeter and network-based detections: Rotational domains and IPs Operators set up multiple domain names or IP addresses that rotate or change over time, helping evade static allow/block lists and threat intel feeds.

Custom malleable profiles

Attackers craft JSON-formatted requests and responses that mimic legitimate web traffic, making malicious communication blend into normal network noise.

Custom HTTP headers

Operators define their own HTTP headers, such as mimicking content-type headers like application/json, to make malicious traffic appear like regular API or web service communication.

Multiple URI paths

BRC4 allows the use of randomized or pre-defined URL paths that look like common web resources (e.g., /api/v1/data), increasing the chance of bypassing signature-based detections.

Fallback communication methods

If one communication channel is blocked, attackers can reconfigure payloads to failover to alternative domains or C2 servers without re-infecting the target.

Screenshot of the Brute Ratel interface showing HTTP Listener set up

Screenshot of the Brute Ratel interface showing HTTP Listener set up

2. EDR evasion

Attackers leverage several advanced evasion features in BRC4 to bypass runtime security mechanisms and avoid detection:

Userland unhooking

BRC4 targets user-mode API hooks placed by EDR and antivirus solutions. By removing these hooks from key Windows APIs, it disables the security software’s ability to inspect or block malicious behavior without raising alerts.

Sleep masking

During idle periods, BRC4 encrypts and hides its in-memory regions, making it difficult for memory scanners or EDRs to detect static or dormant payloads. This is particularly effective against solutions that monitor long-running processes for anomalous behavior.

Indirect syscalls

Instead of calling Windows APIs directly, where security tools often monitor execution, BRC4 uses indirect syscalls to obscure the call path, making it harder for security solutions to trace and flag malicious behavior.

Stack & thread spoofing

BRC4 manipulates the execution context of its running threads by spoofing stack frames and thread start addresses. This tricks analysis tools and debuggers into misinterpreting or overlooking malicious activity, allowing attackers to evade both manual and automated analysis.

Screenshot comparing BRC4 and Cobalt Strike threads

Screenshot comparing BRC4 and Cobalt Strike threads

3. Credential stealing and lateral movement

Attackers use BRC4 to execute credential theft and lateral movement operations with precision and stealth:

Kerberoasting attacks

BRC4 automates the enumeration of service principal names (SPNs) within Active Directory environments, allowing attackers to extract Kerberos ticket-granting service (TGS) tickets. These tickets can then be cracked offline to reveal plaintext service account passwords, providing elevated access to sensitive systems and services.

Session token theft

BRC4 enables attackers to capture and store authentication tokens from active user sessions. By reusing these tokens, attackers can impersonate privileged users such as domain administrators without needing to know their actual passwords, allowing seamless escalation of privileges.

Stealthy lateral movement

BRC4 provides multiple lateral movement techniques:

  • SC divert: Modifies existing services on remote hosts to run attacker-controlled payloads without creating new services, reducing detection risk.
  • SMB execution: Executes commands on remote systems using SMB protocols, leveraging existing administrative shares.
  • PSExec-like execution: Deploys payloads remotely using techniques similar to Microsoft’s PSExec tool, without relying on additional binaries.
  • WMI execution: Executes commands on remote systems through Windows Management Instrumentation (WMI), avoiding the need to drop executables to disk.

Screenshot of the BRC4 interface showing payload profiler

Screenshot of the BRC4 interface showing payload profiler

4. Process injection and memory techniques

BRC4 enables attackers to execute malicious code in stealthy and evasive ways by leveraging advanced process and memory manipulation techniques:

Shellcode injection into trusted processes

BRC4 can inject raw shellcode directly into the memory of legitimate system or user processes, allowing attacker-controlled code to run under the guise of trusted applications such as explorer.exe or svchost.exe, making detection by security tools much harder.

Reflective DLL loading for stealthy execution

Attackers use reflective DLL injection to load malicious DLLs into memory without ever writing them to disk. This minimizes forensic artifacts and allows payloads to execute in-memory, evading file-based detection mechanisms.

Inline C# execution without touching disk

BRC4 allows the execution of C# payloads entirely in memory using reflective or inline execution methods. This enables attackers to run .NET-based tools and scripts, such as credential harvesters or reconnaissance utilities, without writing executables to disk, reducing the likelihood of detection.

Screenshot of BRC4's process injection capability

Screenshot of BRC4's process injection capability

5. Avoiding repeated detection

Attackers reduce exposure by making it harder for defenders to capture, replay, or analyze their payloads:

One-time authentication keys

BRC4 embeds unique, single-use authentication keys into each payload. Once a payload is executed and connects back to the attacker’s command-and-control server, the key is invalidated. This prevents defenders from capturing the payload and replaying it in sandbox environments for analysis or generating detection signatures based on repeated executions.

Preventing payload reuse

By invalidating used authentication keys, BRC4 ensures that the same payload cannot be used again by defenders or other attackers. This limits defenders’ ability to perform reverse engineering or build reliable threat intelligence from a captured sample.

Limiting forensic analysis

Since every payload is uniquely keyed and expires after first use, defenders face significant challenges in conducting static or dynamic analysis on live samples, forcing them to rely on behavioral detection rather than signature-based methods.

Screenshot of BRC4 showing one-time authentication function

Screenshot of BRC4 showing the one-time authentication function

Brute Ratel vs. Cobalt Strike

While Brute Ratel and Cobalt Strike offer almost the same range of offensive security features (including payload generation, command-and-control capabilities, and post-exploitation tooling) their architecture and evasion methods differ significantly.

Cobalt Strike, first released in 2012, became the industry standard for red team operations but was not originally designed with modern EDRs in mind. Brute Ratel, released in 2020, was purpose-built to evade contemporary EDR and antivirus solutions.

When first introduced, BRC4 was relatively unknown to defensive tools, allowing it to bypass most security products. Today, most EDR vendors have adapted and now include detection signatures for BRC4 activities.

How Vectra AI detects Brute Ratel operations

Vectra AI detects BRC4 behaviors across every phase of the attack chain by analyzing attacker tactics, techniques, and procedures mapped to the MITRE ATT&CK framework. This includes detection of behaviors that extend beyond malware signatures or known indicators of compromise (IOCs).

Vectra AI focuses on the following high-risk activities that reflect real attacker behaviors, regardless of the specific tool being used, including Brute Ratel:

  • Privilege anomalies: Detects unusual identity usage and privilege escalations.
  • Suspicious remote execution: Identifies lateral movement via SMB, WMI, and service manipulation.
  • Hidden C2 tunnels: Uncovers covert beaconing using HTTP/S, DNS, or DoH.
  • Credential abuse: Spots Kerberoasting and token impersonation.
  • Data exfiltration & ransomware: Detects bulk data theft and file encryption activity.

Vectra AI’s coverage of the MITRE ATT&CK Framework

Ready to test your defenses?

The best way to prepare for attacks leveraging tools like Brute Ratel is through an Offensive Security Assessment. Our experts simulate these techniques in your environment, helping you validate your defenses and improve your detection and response capabilities. Contact us to schedule your assessment today!