Brute Ratel C4 (BRC4) is a commercial adversary simulation framework written by Chetan Nayak (@NinjaParanoid) that first appeared publicly in 2020 and entered active threat actor use by 2022. Unlike Cobalt Strike, which was built for legitimate red team use and subsequently cracked and pirated, BRC4 found threat actor adoption at retail pricing — APT29 (Cozy Bear) was documented by Unit42 using legitimate BRC4 licenses in 2022. Since then, ALPHV/BlackCat affiliates, state-sponsored groups, and financially motivated intrusion teams have all been observed deploying Badger implants in live intrusions.
The reason for adoption is straightforward: BRC4 was engineered from the ground up to defeat user-mode EDR hooks, specifically targeting the pattern that most endpoint detection relies on. Understanding its detection surface requires understanding that evasion architecture first.
Why BRC4 Is Harder to Detect Than Cobalt Strike
Cobalt Strike Beacons execute Windows API calls in ways that EDR sensors can intercept by hooking ntdll.dll functions in user-mode memory. BRC4 routes around this by issuing direct system calls to the Windows kernel, bypassing the user-mode hooks entirely. The implant identifies syscall numbers dynamically at runtime, avoiding the hardcoded stub patterns that signature detection looks for in unhooked-ntdll approaches.
BRC4 also actively removes EDR hooks from ntdll.dll at startup (NTDLL unhooking), by mapping a clean copy of ntdll from disk or a known-good source, then overwriting the hooked in-memory copy. The result is that even if the EDR is running, the hooks it placed in ntdll are gone before any payload executes.
This means behavioural detection on stable kernel and network artifacts is the viable path. Per-build configurable profiles and compile-time randomisation mean signature-based approaches on implant bytes degrade quickly.
Named Pipe Artifacts
The Badger implant communicates over SMB named pipes for lateral movement between infected systems. Default pipe names are configurable but operators frequently leave defaults. Known default and observed patterns include:
\\.\pipe\msse-{4-digit number}-server— default SMB C2 pipe\\.\pipe\{random GUID}— process injection payload staging\\.\pipe\postex_{hex string}— post-exploitation module output
Named pipe creation events in Windows Security event ID 5145 (network share object access) and Sysmon Event ID 17/18 (named pipe create/connect) provide the most reliable detection surface.
Sigma rule — BRC4 default named pipe pattern:
title: Brute Ratel C4 Default Named Pipe Pattern
id: a7c2e018-4f3b-4d89-9101-b5e2c8f1a334
status: experimental
description: Detects Brute Ratel C4 Badger default and commonly observed named pipe names used for SMB C2 and post-exploitation staging.
references:
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://attack.mitre.org/software/S1063/
author: SOC Analyst Hub
date: 2026-06-28
tags:
- attack.defense_evasion
- attack.t1055
- attack.lateral_movement
- attack.t1021.002
logsource:
product: windows
category: pipe_created
detection:
selection:
PipeName|contains:
- '\msse-'
- '\postex_'
PipeName|re: '\\msse-\d{4}-server'
condition: selection
falsepositives:
- Legitimate red team exercises (validate against change management)
level: high
Process Injection via Direct Syscalls
BRC4 injects shellcode into remote processes using NtCreateSection and NtMapViewOfSection rather than the commonly detected CreateRemoteThread/WriteProcessMemory pattern. The injection targets long-lived, trusted host processes: svchost.exe, explorer.exe, notepad.exe.
Detection relies on cross-process handle access patterns. Sysmon Event ID 10 captures process access events with the granted access rights. The combination of PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD (0x1fffff) granted from an unusual parent is the indicator.
Sigma rule — Cross-process section mapping injection (BRC4 pattern):
title: Brute Ratel C4 Remote Section Mapping Process Injection
id: f9a3b112-8d21-4c7e-b6f3-a2e94c07b891
status: experimental
description: Detects cross-process handle access patterns consistent with NtCreateSection/NtMapViewOfSection injection used by BRC4 Badger.
references:
- https://www.vectra.ai/blog/how-attackers-use-brute-ratel-brc4
author: SOC Analyst Hub
date: 2026-06-28
tags:
- attack.defense_evasion
- attack.t1055.002
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith:
- '\svchost.exe'
- '\explorer.exe'
- '\dllhost.exe'
- '\notepad.exe'
GrantedAccess|contains: '0x1fffff'
filter_legitimate:
SourceImage|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter_legitimate
falsepositives:
- EDR and security tooling with deep inspection (tune SourceImage as needed)
level: high
Network Beaconing Signatures
BRC4’s HTTP/HTTPS C2 profiles are configurable, but observed deployments show consistent patterns. The Badger communicates over HTTPS with default and commonly used profile characteristics:
- Default User-Agent:
BrutRatel/C4(early versions) or randomised desktop browser UAs in later versions - URI patterns:
/update,/activity,/connectin default configurations - Jitter: 30% default, configurable between 0-100%
- Sleep interval: 5000ms default
- Response content type:
application/octet-streamwith encoded body
The most durable network detection anchors on process-to-IP connections from processes that should not initiate outbound HTTP: svchost.exe making outbound connections to non-Microsoft IPs on port 443.
KQL — Microsoft Sentinel / Defender for Endpoint:
// BRC4 Badger: outbound HTTPS from commonly injected process names
// Requires DeviceNetworkEvents
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("svchost.exe", "dllhost.exe", "notepad.exe", "explorer.exe")
| where RemotePort in (443, 80, 8080, 8443)
| where not(RemoteUrl endswith ".microsoft.com")
| where not(RemoteUrl endswith ".windows.com")
| where not(RemoteUrl endswith ".windowsupdate.com")
| summarize
ConnectionCount = count(),
DistinctIPs = dcount(RemoteIP),
DistinctURLs = dcount(RemoteUrl)
by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName, bin(TimeGenerated, 15m)
| where ConnectionCount between (3 .. 60) // periodic beaconing range
| where DistinctIPs <= 3 // not mass scanning, targeted C2
| order by ConnectionCount desc
NTDLL Unhooking Detection
BRC4 reads a clean copy of ntdll.dll from disk to replace the in-memory hooked version. This creates a detectable file read of ntdll.dll by a non-system process, often at startup before any payload executes.
Sigma rule — ntdll.dll read from user-space process:
title: Potential NTDLL Unhooking via Disk Read
id: 3c7d9a55-e12f-4b88-8f7a-c6e31d4a8b02
status: experimental
description: Detects reading of ntdll.dll from disk by unexpected user-space processes, consistent with EDR hook removal used by BRC4 and other evasive implants.
author: SOC Analyst Hub
date: 2026-06-28
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith: '\ntdll.dll'
filter_system:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_signed:
Signed: 'true'
condition: selection and not filter_system and not filter_signed
falsepositives:
- Security software and system utilities (tune by process path)
level: medium
MITRE ATT&CK Coverage
| Technique | ID | BRC4 Implementation |
|---|---|---|
| Process Injection: PE Injection | T1055.002 | NtCreateSection/NtMapViewOfSection |
| Application Layer Protocol: HTTP | T1071.001 | Configurable HTTP/HTTPS C2 profiles |
| Impair Defenses: Disable or Modify Tools | T1562.001 | NTDLL unhooking, EDR hook removal |
| Inter-Process Communication: Named Pipes | T1559.001 | SMB lateral movement via named pipe |
| Masquerading | T1036 | Process injection into legitimate host processes |
| Lateral Tool Transfer | T1570 | SMB pipe-based staging between systems |
Hunting Starting Points
- Search for pipe creation events matching
\msse-\d{4}-serverpattern in Sysmon EID 17 - Correlate
DeviceImageLoadEventsfor ntdll.dll loads from unsigned processes outside system directories - Hunt
DeviceNetworkEventsfor svchost/dllhost/notepad making periodic HTTPS connections to non-Microsoft infrastructure - Query
DeviceProcessEventsfor cmd.exe or powershell.exe spawned from injected host process PIDs - Look for NTDLL being mapped from disk (file read of
C:\Windows\System32\ntdll.dll) by user-space executables at startup
The Splunk SIEM content team published an updated BRC4 analytics story in May 2026 with additional detection logic. SOC Prime’s Uncoder platform includes community-contributed Sigma rules converted to Sentinel KQL and Splunk SPL format.