
Brute-Ratel [Crack] + Link download

EDR focuses on all, not only CS.. use your own watermarked beacons and change the signatures for the beacon; we explained how here. What other tactics do you think BR has that are better than CS?
I did my research on that, and for me it's going to be more like what you see in that photo between Sliver C2 and Cobalt Strike; the EDR system only triggers on a few suspicious actions.
 

Attachment: aaaaa.PNG
As I told you, any C2 can be detected; it all depends on how your OPSEC works for hiding your teamserver (Cobalt, Sliver, etc.). See, even Sliver can be detected.



You need to work on OPSEC, watermark your beacon with special signatures.. and work with your crypt.
 
Do you think Havoc is a good C2 to use?! To even compare it with Cobalt and BR?
 
No, Havoc, Sliver, CS, whatever, they are all the same; the JA3 signature (aka JARM) is already registered, and a newbie using these C2s will last a maximum of 1-2 days before being shut down, first from online scanners, second from crypt and beacon bypass.

See your C2 domain rep, make sure all the OPSEC settings are applied, use (uncommon evasion techniques).. it will make your work run smoothly and survive; otherwise technologies every day are proving more security challenges where you need to be ready to bypass them. Fortra and Microsoft are doing good work these days, and it's not easy to bypass them without knowledge and experience.
 
Moving in a network is too hard these days ) even if you have access to a network; that's why people go after stealers to get what they want and move, but moving in a network is another level.
 
Or you are just stupid.
I hope XSS will make people who want to join pay money so we don't see kids like you here, or members who joined this month or last month can't comment when their father is speaking.
 
I hope XSS will make people who want to join pay money...

This makes things even worse + it's also useless; there's already exploit.in, but its registration system (pay2get-in) still doesn't prevent skids.
 
Yeah, my mistake that I even replied to him.
thank you anyway
 
EDR focuses a lot on Cobalt Strike, and BR has many other tactics that Cobalt doesn't have regarding evading EDR etc.)
AV/EDR/XDR vendors focus on malware in general. BRC4 and Cobalt Strike have different purposes: BRC4 is more focused on bypassing EDRs/XDRs without the need for custom tooling or modifying the agent (which is possible too), and Cobalt Strike is more focused on being flexible, with more customizable agent profiles (DLL/executable/shellcode strings, network communication, which functions will be called, etc.).
 
EDR focuses on all, not only CS.. use your own watermarked beacons and change the signatures for the beacon; we explained how here. What other tactics do you think BR has that are better than CS?
Watermarked beacons are removed by crackers (Pwn3rzs does it), and I'll answer your question:
- Option to choose which chain of functions will be used to allocate memory in remote processes (it's very useful when an EDR/XDR vendor detects which memory region called a function)
- Option to choose how you will steal a process/thread token (very useful, as I said above)
- Many ways to execute shellcode (like phantom-thread, it's very useful)
- Many ways to run an executable
- Mutex
- Set stage limit (prevents whiteshits from requesting the rest of the shellcode)
- Built-in way to dump LDAP (Sentinel LDAP is very hot)
And more...

This is all implemented in BRC4 itself, without the need to run BOFs.
 
new member with a lot of knowledge 👏👍
 
I think you need to have a look at the 4.8 features rather than promote BRC4 ) you cannot compare it with Cobalt Strike; there are huge numbers of supporters for CS and rarely any supporters for BRC4. A cracked watermark is not something good; if you modify it yourself then that's fine, but if you're using a cracked or public one, within one week maximum it will be uploaded to VT and your copy will be detected easily.

There is a huge update on evasion techniques; also you can see how to completely modify / mask your beacon... and most important, your OPSEC for crypt and C2 setup.
 
I think you need to have a look at the 4.8 features rather than promote BRC4 ) you cannot compare it with Cobalt Strike; there are huge numbers of supporters for CS and rarely any supporters for BRC4. A cracked watermark is not something good; if you modify it yourself then that's fine, but if you're using a cracked or public one, within one week maximum it will be uploaded to VT and your copy will be detected easily.
Well... Indirect syscalls and direct syscalls are very detectable nowadays (on modern EDRs/XDRs those are detected) and sort of useless; the only thing that Cobalt Strike 4.8 implemented that is really good is guardrails (btw, Brute Ratel already has that). And also, I'm not promoting BRC4.
there are huge numbers of supporters for CS and rarely any supporters for BRC4
I don't think that you need supporters; learning how to use BRC4 is very easy. OPSEC is on your own, like in Cobalt Strike.


There is a huge update on evasion techniques; also you can see how to completely modify / mask your beacon... and most important, your OPSEC for crypt and C2 setup.
Crypting is dead... YARA, Snort and Sigma rules (in memory) will detect it (and some other public tooling like pe-sieve and Moneta); there is nothing to do about this (or simply you can use a custom C2, or some C2 focused on evasion like Brute Ratel).
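A defender-side sketch of the in-memory heuristics the post above alludes to (the pe-sieve / Moneta style checks that fire once a crypted payload is decrypted and mapped), added here as an example and not taken from the thread or from those tools; the Region records and sample memory map are constructed, and a real scanner would walk a live process rather than a hard-coded list:

```python
# Added example (not from the thread): simplified in-memory heuristics of the
# kind pe-sieve and Moneta apply, run over constructed memory-map records.
# A real scanner would enumerate a live process (e.g. VirtualQueryEx on
# Windows); here the regions are hard-coded sample data.
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    size: int
    protect: str      # simplified page protection: "R", "RW", "RX", "RWX"
    kind: str         # "image" (PE-backed), "mapped" (file view), "private"
    path: str = ""    # backing file for image/mapped regions, else ""


def suspicious(regions):
    """Return (base, reason) pairs for regions matching common heuristics."""
    findings = []
    for r in regions:
        if r.protect == "RWX":
            # Writable+executable pages are rare in legitimate code.
            findings.append((r.base, "RWX memory"))
        elif "X" in r.protect and r.kind == "private":
            # Executable private commit: code backed by no file on disk, the
            # classic trace of a reflectively loaded or unpacked implant.
            findings.append((r.base, "unbacked executable private memory"))
        elif "X" in r.protect and r.kind == "mapped":
            # Executable code inside a plain file view rather than an image
            # section (module mapped without the loader).
            findings.append((r.base, "executable non-image mapping"))
    return findings


# Constructed sample: a normal process image, a normal heap, and two regions
# of the kind a crypted payload leaves behind once decrypted in memory.
SAMPLE = [
    Region(0x7FF6A0000000, 0x1000, "R", "image", r"C:\Windows\System32\notepad.exe"),
    Region(0x7FF6A0001000, 0x20000, "RX", "image", r"C:\Windows\System32\notepad.exe"),
    Region(0x1D0000, 0x10000, "RW", "private"),
    Region(0x2A0000, 0x40000, "RWX", "private"),
    Region(0x1F0000000, 0x30000, "RX", "private"),
]

if __name__ == "__main__":
    for base, reason in suspicious(SAMPLE):
        print(f"0x{base:X}: {reason}")
```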
 
So, what DarkToken said is real: there are differences between C2s and in how EDR focuses on them.
 

