Brute Ratel C4#

InfraGuard parses BRC4’s listener configuration JSON to extract HTTP patterns and headers.

Config#

domains:
  updates.example.com:
    upstream: "${BRC4_UPSTREAM}"
    profile_path: "profiles/brc4-listener.json"
    profile_type: "brute_ratel"

    drop_action:
      type: "redirect"
      target: "https://windowsupdate.microsoft.com"

See config/examples/c2-brute-ratel.yaml.

Profile JSON Format#

The profile at profile_path should be the JSON exported from the BRC4 listener configuration. InfraGuard reads:

  • http.get.uri / http.post.uri — request URI patterns
  • http.headers — required headers map
  • http.useragent — expected User-Agent pattern
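As an added illustration of how those four fields can be consumed (example code, not InfraGuard's own implementation): a small loader that pulls the dotted keys out of a listener JSON and checks an incoming request against them. The JSON nesting (`http.get.uri` as `{"http": {"get": {"uri": [...]}}}`), the use of glob-style wildcards, and the sample values are all assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample profile (not a real BRC4 export). The dotted names on this
# page (http.get.uri, http.post.uri, http.headers, http.useragent) are assumed
# to map onto this nesting; all values are invented for the example.
SAMPLE_PROFILE_JSON = """{
  "http": {
    "get":  {"uri": ["/api/v1/updates", "/api/v1/status/*"]},
    "post": {"uri": ["/api/v1/upload"]},
    "headers": {"Accept": "application/json", "X-Request-Id": "*"},
    "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)*"
  }
}"""


def load_profile(text):
    """Parse the listener JSON into a flat dict keyed by the dotted names."""
    http = json.loads(text).get("http", {})
    return {
        "http.get.uri": list(http.get("get", {}).get("uri", [])),
        "http.post.uri": list(http.get("post", {}).get("uri", [])),
        # header names are compared case-insensitively, as HTTP requires
        "http.headers": {k.lower(): v for k, v in http.get("headers", {}).items()},
        "http.useragent": http.get("useragent", "*"),
    }


def request_matches(profile, method, path, headers):
    """Return (matched, reason). Glob patterns ('*', '?') are assumed for URIs,
    header values and the User-Agent; a request must satisfy every rule."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # only GET and POST URI lists exist in the profile; any other method fails
    uris = profile.get("http.%s.uri" % method.lower(), [])
    if not any(fnmatchcase(path, p) for p in uris):
        return False, "uri %s %s not in profile" % (method, path)
    for name, pattern in profile["http.headers"].items():
        if name not in hdrs:
            return False, "missing header %s" % name
        if not fnmatchcase(hdrs[name], pattern):
            return False, "header %s value mismatch" % name
    if not fnmatchcase(hdrs.get("user-agent", ""), profile["http.useragent"]):
        return False, "user-agent mismatch"
    return True, "matches profile"
```

The reason string is what a redirector or detection pipeline would log when a request is dropped, so every rule that can fail reports which one did.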

pipeline:
  filter_mode: "strict"
  block_score_threshold: 0.6
  enable_profile_filter: true
  enable_sandbox_filter: true
  enable_enumeration_filter: true
  enumeration_unique_path_threshold: 5