Windows.Detection.BruteRatel :: Velociraptor

Windows.Detection.BruteRatel

This hunt runts the Immersive Labs yara rule (https://github.com/Immersive-Labs-Sec/BruteRatel-DetectionTools/blob/main/BruteRatel.yar ) across select files to identify the known Brute Ratel config strings.


name: Windows.Detection.BruteRatel
author: Luke Fardell
description: |
  This hunt runts the Immersive Labs yara rule (https://github.com/Immersive-Labs-Sec/BruteRatel-DetectionTools/blob/main/BruteRatel.yar) across select files to identify the known Brute Ratel config strings. 


type: CLIENT
parameters:
  - name: PathGlob
    description: Only file names that match this glob will be scanned.
    default: C:/**/*.{exe,dll,bin,0xH,Svc,PS1}
  - name: UploadHits
    type: bool
  - name: YaraRule
    type: yara
    description: Yara Rule from https://github.com/Immersive-Labs-Sec/BruteRatel-DetectionTools/blob/main/BruteRatel.yar
    default: |
        rule BruteRatelConfig {
        strings:
        $config_block = { 50 48 b8 [8] 50 68}
        $split_marker = { 50 48 b8 [8] 50 48 b8 }

        condition:
        filesize < 400KB and $config_block and #split_marker > 30
        }

sources:
  - query: |
      -- check which Yara to use
      LET yara = SELECT * FROM if(condition=YaraUrl,
            then= { SELECT Content FROM http_client( url=YaraUrl, method='GET') },
            else= { SELECT YaraRule as Content FROM scope() })

      -- first find all matching glob
      LET files = SELECT FullPath, Name, Size, Mtime, Atime, Ctime, Btime
        FROM glob(globs=PathGlob,nosymlink='True')
        WHERE
          NOT IsDir AND NOT IsLink
          AND if(condition=SizeMin,
            then= SizeMin < Size,
            else= True)
          AND if(condition=SizeMax,
            then=SizeMax > Size,
            else= True)
          AND
             ( time_test(stamp=Mtime)
            OR time_test(stamp=Atime)
            OR time_test(stamp=Ctime)
            OR time_test(stamp=Btime))

      -- scan files and only report a single hit.
      LET hits = SELECT * FROM foreach(row=files,
            query={
                SELECT
                    FileName as FullPath,
                    File.Size AS Size,
                    Mtime, Atime, Ctime, Btime,
                    Rule, Tags, Meta,
                    str(str=String.Data) AS HitContext,
                    String.Offset AS HitOffset
                FROM yara(rules=yara.Content[0],files=FullPath)
                LIMIT 1
            })

      -- upload files that have hit
      LET upload_hits=SELECT *,
            upload(file=FullPath) AS Upload
        FROM hits

      -- return rows
      SELECT * FROM if(condition=UploadHits,
        then=upload_hits,
        else=hits)