Threat Synopsis – Red Team Tools
Over the years Threat Actors have steadily adopted the use of red team tools (sometimes referred to as offensive security tools), most notably Cobalt Strike. These tools are powerful and versatile, and they are steadily updated with new capabilities and techniques to evade detection or perform actions in a compromised environment. Recently a Red Team tool with an EDR evasion focus, called Brute Ratel, made its way into Threat Actors’ hands. This tool works diligently to evade EDR tools that may prevent its delivery, installation, execution or post-execution commands. Although these tools are designed for security professionals to find potential vulnerabilities and breach systems in order to better prepare an organization for future cyberattacks, they are increasingly being utilized by Threat Actors because of their robustness.
This collection is aimed at providing Hunt Packages to best identify delivery, installation or post-compromise activities related to Red Team tools. It is important to note that while some Hunt Packages focus specifically on a given tool, others in this collection identify common delivery techniques employed by users of these tools, where it is known that the end goal is to install a Red Team tool. Identifying the delivery of these tools can be very beneficial: capturing the activity as close to the beginning of the attack as possible is crucial for limiting impact and scope.
This collection of threat Hunt Packages gives visibility to a number of techniques that are observed within Red Team toolsets and that can be (and have been) abused by malicious actors and malware variants. These tactics include (but are not limited to): UAC bypass, service installation, process execution, living-off-the-land attacks, Command and Control, and loading of malicious DLLs.
[Cobalt Strike] Cobalt Strike is a fully-featured and commercially available penetration testing tool offered for “Adversary Simulations and Red Team Operations” – however its significant customization and capabilities have led to its use by a wide variety of threat actors for a variety of motivations. Adversaries are known to use it as a Command and Control tool, abusing Cobalt Strike “beacons” embedded into victim machines in order to issue commands remotely.
[Brute Ratel] Brute Ratel is an attack simulation and post-exploitation toolkit created by Chetan Nayak (a former red teamer for Mandiant and CrowdStrike) and released in 2020. It has similarities to the well-known and almost ubiquitous “Cobalt Strike” red team toolkit, and in mid-2022 it was observed that cybercriminals are starting to move away from Cobalt Strike and use Brute Ratel instead. This can be attributed to the design of Brute Ratel being focused on avoiding detection by Endpoint Detection and Response solutions and antivirus products.
[Metasploit] Metasploit is an attack toolset used to aid in penetration testing and IDS signature development. This popular toolset gives Red Teams and/or attackers a framework to probe for vulnerabilities on networks and servers, along with components (known as modules) that assist in carrying out attacks and evading detection. The most commonly used modules include (but are not limited to) the MSFconsole (the command-line interface for Metasploit), Exploit modules (used to target vulnerabilities), Post-exploitation modules (enumeration, hash dumping), and Payload modules (such as Meterpreter).
[Meterpreter] Meterpreter is a widely used attack payload within the Metasploit attack framework that gives the adversary access to an interactive shell, with the capability to traverse the victim’s machine and potentially execute malicious code on it. Deployed via in-memory DLL injection, it leaves minimal evidence of its usage.
[PowerShell Empire] PowerShell Empire is known as a post-exploitation tool that gives the user the ability to launch PowerShell agents without using the native PowerShell executable. The tool also offers other post-exploitation modules that range from evading detection and key logging to Mimikatz (a tool that steals passwords).
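Because Empire-style agents run PowerShell without powershell.exe, one hunt this collection's description points to is looking for the PowerShell engine DLL loaded by an unexpected host process. The following is an added example (not one of the collection's own Hunt Packages) that runs that check over constructed records in the style of Sysmon Event ID 7 (Image Loaded); the field names, host list and sample paths are assumptions.

```python
import ntpath  # Windows-style paths appear in the records, so use ntpath, not os.path

# Processes that legitimately host the PowerShell engine (assumed baseline).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Engine DLLs whose presence means PowerShell is running in the process.
AUTOMATION_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}


def is_unhosted_powershell(event):
    """True if an image-load event shows the PowerShell engine loaded
    into a process that is not a known PowerShell host."""
    if event.get("EventID") != 7:
        return False
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if loaded not in AUTOMATION_DLLS:
        return False
    host = ntpath.basename(event.get("Image", "")).lower()
    return host not in EXPECTED_HOSTS


def hunt(events):
    """Return (host image, pid) for every suspicious engine load."""
    return [(e["Image"], e["ProcessId"]) for e in events if is_unhosted_powershell(e)]


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 1312,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\System.Management.Automation.ni.dll"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
]

if __name__ == "__main__":
    for image, pid in hunt(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded outside a known host: pid={pid} image={image}")
```

Only the Temp-resident process is reported; the Event ID 1 record for the same pid is ignored because the check keys on image loads, not process creation.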