
Brute Ratel Github

It supports multiple protocols for C2 traffic, including HTTP, HTTPS, DNS, and SMB, often mimicking legitimate web traffic.

Brute Ratel provides remarkable flexibility in how Badgers communicate with their C2 servers. Alongside standard HTTPS, operators can write custom external C2 connectors that route traffic through legitimate services like Slack, Discord, and Microsoft Teams. This "living off the land" approach makes malicious traffic nearly indistinguishable from normal business communications. The SMB and TCP payloads also support custom external C2 channels, and the framework offers multiple pivot options including SMB, TCP, WMI, WinRM, and remote service management over RPC.

In the GUI, you use the C4 Profiler to add a listener. You can configure the protocol (HTTP, HTTPS, DNS), define URIs, and set other connection parameters.


Provides the core specifications and examples needed for users to build their own external Command and Control (C2) servers and connectors, allowing the Badger to communicate over non-standard channels.

Third-Party & Security Tools

Open-source scripts, profiles, and extensions written by legitimate red teamers to enhance Brute Ratel's capabilities.

Brute Ratel is a commercial command-and-control (C2) and adversarial attack simulation framework designed for red teaming. Unlike many security tools found on GitHub, the core Brute Ratel software is not open source and is sold as a licensed product to verified security organizations.

Brute Ratel on GitHub

Like Cobalt Strike, Brute Ratel allows operators to deploy "Badgers" (the equivalent of beacons) on remote hosts. These Badgers connect back to the attacker's command and control server to receive commands or transmit output. However, while Cobalt Strike's beacons have been extensively studied and signatures developed, Brute Ratel's relative newness and focus on evasion mean that many security solutions still do not recognize it as malicious.

By bypassing standard Windows API libraries and issuing direct system calls, Brute Ratel prevents EDR hooks from monitoring its activity.

Brute Ratel was engineered from the ground up to evade modern Endpoint Detection and Response (EDR) and Antivirus (AV) solutions. Its primary features include: