Brute Ratel C4 (BRC4) is a commercial adversary simulation framework written by Chetan Nayak (@NinjaParanoid) that first appeared publicly in 2020 and entered active threat actor use by 2022. Unlike Cobalt Strike, which was built for legitimate red team use and subsequently cracked and pirated, BRC4 found threat actor adoption at retail pricing — APT29 (Cozy Bear) was documented by Unit42 using legitimate BRC4 licenses in 2022. Since then, ALPHV/BlackCat affiliates, state-sponsored groups, and financially motivated intrusion teams have all been observed deploying Badger implants in live intrusions.

The reason for adoption is straightforward: BRC4 was engineered from the ground up to defeat user-mode EDR hooks, specifically targeting the pattern that most endpoint detection relies on. Understanding its detection surface requires understanding that evasion architecture first.

Why BRC4 Is Harder to Detect Than Cobalt Strike

Cobalt Strike Beacons execute Windows API calls in ways that EDR sensors can intercept by hooking ntdll.dll functions in user-mode memory. BRC4 routes around this by issuing direct system calls to the Windows kernel, bypassing the user-mode hooks entirely. The implant identifies syscall numbers dynamically at runtime, avoiding the hardcoded stub patterns that signature detection looks for in unhooked-ntdll approaches.

BRC4 also actively removes EDR hooks from ntdll.dll at startup (NTDLL unhooking), by mapping a clean copy of ntdll from disk or a known-good source, then overwriting the hooked in-memory copy. The result is that even if the EDR is running, the hooks it placed in ntdll are gone before any payload executes.

This means behavioural detection on stable kernel and network artifacts is the viable path. Per-build configurable profiles and compile-time randomisation mean signature-based approaches on implant bytes degrade quickly.

Named Pipe Artifacts

The Badger implant communicates over SMB named pipes for lateral movement between infected systems. Default pipe names are configurable but operators frequently leave defaults. Known default and observed patterns include:

  • \\.\pipe\msse-{4-digit number}-server — default SMB C2 pipe
  • \\.\pipe\{random GUID} — process injection payload staging
  • \\.\pipe\postex_{hex string} — post-exploitation module output

Named pipe creation events in Windows Security event ID 5145 (network share object access) and Sysmon Event ID 17/18 (named pipe create/connect) provide the most reliable detection surface.

Sigma rule — BRC4 default named pipe pattern:

title: Brute Ratel C4 Default Named Pipe Pattern
id: a7c2e018-4f3b-4d89-9101-b5e2c8f1a334
status: experimental
description: Detects Brute Ratel C4 Badger default and commonly observed named pipe names used for SMB C2 and post-exploitation staging.
references:
  - https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
  - https://attack.mitre.org/software/S1063/
author: SOC Analyst Hub
date: 2026-06-28
tags:
  - attack.defense_evasion
  - attack.t1055
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  product: windows
  category: pipe_created
detection:
  selection:
    PipeName|contains:
      - '\msse-'
      - '\postex_'
    PipeName|re: '\\msse-\d{4}-server'
  condition: selection
falsepositives:
  - Legitimate red team exercises (validate against change management)
level: high

Process Injection via Direct Syscalls

BRC4 injects shellcode into remote processes using NtCreateSection and NtMapViewOfSection rather than the commonly detected CreateRemoteThread/WriteProcessMemory pattern. The injection targets long-lived, trusted host processes: svchost.exe, explorer.exe, notepad.exe.

Detection relies on cross-process handle access patterns. Sysmon Event ID 10 captures process access events with the granted access rights. The combination of PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD (0x1fffff) granted from an unusual parent is the indicator.

Sigma rule — Cross-process section mapping injection (BRC4 pattern):

title: Brute Ratel C4 Remote Section Mapping Process Injection
id: f9a3b112-8d21-4c7e-b6f3-a2e94c07b891
status: experimental
description: Detects cross-process handle access patterns consistent with NtCreateSection/NtMapViewOfSection injection used by BRC4 Badger.
references:
  - https://www.vectra.ai/blog/how-attackers-use-brute-ratel-brc4
author: SOC Analyst Hub
date: 2026-06-28
tags:
  - attack.defense_evasion
  - attack.t1055.002
logsource:
  product: windows
  category: process_access
detection:
  selection:
    TargetImage|endswith:
      - '\svchost.exe'
      - '\explorer.exe'
      - '\dllhost.exe'
      - '\notepad.exe'
    GrantedAccess|contains: '0x1fffff'
  filter_legitimate:
    SourceImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
  condition: selection and not filter_legitimate
falsepositives:
  - EDR and security tooling with deep inspection (tune SourceImage as needed)
level: high

Network Beaconing Signatures

BRC4’s HTTP/HTTPS C2 profiles are configurable, but observed deployments show consistent patterns. The Badger communicates over HTTPS with default and commonly used profile characteristics:

  • Default User-Agent: BrutRatel/C4 (early versions) or randomised desktop browser UAs in later versions
  • URI patterns: /update, /activity, /connect in default configurations
  • Jitter: 30% default, configurable between 0-100%
  • Sleep interval: 5000ms default
  • Response content type: application/octet-stream with encoded body

The most durable network detection anchors on process-to-IP connections from processes that should not initiate outbound HTTP: svchost.exe making outbound connections to non-Microsoft IPs on port 443.

KQL — Microsoft Sentinel / Defender for Endpoint:

// BRC4 Badger: outbound HTTPS from commonly injected process names
// Requires DeviceNetworkEvents
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("svchost.exe", "dllhost.exe", "notepad.exe", "explorer.exe")
| where RemotePort in (443, 80, 8080, 8443)
| where not(RemoteUrl endswith ".microsoft.com")
| where not(RemoteUrl endswith ".windows.com")
| where not(RemoteUrl endswith ".windowsupdate.com")
| summarize
    ConnectionCount = count(),
    DistinctIPs = dcount(RemoteIP),
    DistinctURLs = dcount(RemoteUrl)
  by InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName, bin(TimeGenerated, 15m)
| where ConnectionCount between (3 .. 60)     // periodic beaconing range
| where DistinctIPs <= 3                       // not mass scanning, targeted C2
| order by ConnectionCount desc

NTDLL Unhooking Detection

BRC4 reads a clean copy of ntdll.dll from disk to replace the in-memory hooked version. This creates a detectable file read of ntdll.dll by a non-system process, often at startup before any payload executes.

Sigma rule — ntdll.dll read from user-space process:

title: Potential NTDLL Unhooking via Disk Read
id: 3c7d9a55-e12f-4b88-8f7a-c6e31d4a8b02
status: experimental
description: Detects reading of ntdll.dll from disk by unexpected user-space processes, consistent with EDR hook removal used by BRC4 and other evasive implants.
author: SOC Analyst Hub
date: 2026-06-28
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded|endswith: '\ntdll.dll'
  filter_system:
    Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  filter_signed:
    Signed: 'true'
  condition: selection and not filter_system and not filter_signed
falsepositives:
  - Security software and system utilities (tune by process path)
level: medium

MITRE ATT&CK Coverage

TechniqueIDBRC4 Implementation
Process Injection: PE InjectionT1055.002NtCreateSection/NtMapViewOfSection
Application Layer Protocol: HTTPT1071.001Configurable HTTP/HTTPS C2 profiles
Impair Defenses: Disable or Modify ToolsT1562.001NTDLL unhooking, EDR hook removal
Inter-Process Communication: Named PipesT1559.001SMB lateral movement via named pipe
MasqueradingT1036Process injection into legitimate host processes
Lateral Tool TransferT1570SMB pipe-based staging between systems

Hunting Starting Points

  1. Search for pipe creation events matching \msse-\d{4}-server pattern in Sysmon EID 17
  2. Correlate DeviceImageLoadEvents for ntdll.dll loads from unsigned processes outside system directories
  3. Hunt DeviceNetworkEvents for svchost/dllhost/notepad making periodic HTTPS connections to non-Microsoft infrastructure
  4. Query DeviceProcessEvents for cmd.exe or powershell.exe spawned from injected host process PIDs
  5. Look for NTDLL being mapped from disk (file read of C:\Windows\System32\ntdll.dll) by user-space executables at startup

The Splunk SIEM content team published an updated BRC4 analytics story in May 2026 with additional detection logic. SOC Prime’s Uncoder platform includes community-contributed Sigma rules converted to Sentinel KQL and Splunk SPL format.

References