The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool was released in December 2020. The most recent version, "Sicilian Defense", was released in May 2022. Like Cobalt Strike, the tool has been adopted by genuine adversaries (APT actors and the like), not just by red teams.
It provides a framework for developing penetration-testing tools using a wide variety of techniques and attack vectors. All known Indicators of Compromise (IoCs), including samples, are convicted by CylancePROTECT.
The Force of BlackBerry Cylance
CylancePROTECT is the world's first math- and machine learning-based endpoint protection product that detects previously "unknown" malware and prevents it from executing. It analyses potential file executions for malware in less than 100 milliseconds.
Memory Protection
CylancePROTECT's memory protection capabilities are similar to those found in modern host intrusion prevention systems, but without the configuration complexity. Memory protection adds a further layer of security on top of the operating system's built-in mitigations, such as Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and the Enhanced Mitigation Experience Toolkit (EMET).
BlackBerry Protect's MemoryProtection is a strong defence against attacks that use red-teaming tools such as BRc4 or Cobalt Strike, particularly because their payloads often execute entirely in memory without invoking CMD.exe or PowerShell.exe. Script Control can also help prevent the delivery of red-teaming stagers.
BlackBerry’s Recommendations
Given the degree of configurability, BlackBerry recommends that customers enable as many of the MemoryProtection options as they can (excluding any that would adversely affect their environment), and in particular the following:
- Exploitation – Malicious Payload
- Exploitation – System DLL Overwrite
- Process Injection – Remote Thread Creation
- Escalation – LSASS read
Protect Detection
BlackBerry recommends that Script Control be enabled for all script types and, for customers running version 1580 or higher, that the 'Dangerous VBA Macro' and 'Dangerous COM Object' violation types be activated under Memory Actions.
Optics Rules
Script Control coverage (available with Optics):
- Hidden Powershell Execution
- PowerShell Encoded Command
- Fileless PowerShell Malware
- Powershell Download
- One-Liner ML Module
When deployed on servers, PROTECT's memory protection capabilities prevent the exploitation of many of the most common vulnerability classes, such as buffer overflows and use-after-free bugs. For more information, please contact the team by emailing blackberry@ignition-technology.com.
By Phill Parry, Senior Systems Engineer at Ignition Technology