Badrats: Initial Access Made Easy

Presented at DEF CON 30 (2022), Aug. 12, 2022, 2 p.m. (115 minutes)

Remote Access Trojans (RATs) are one of the defining tradecraft for identifying an Advanced Persistent Threat. The reason being is that APTs typically leverage custom toolkits for gaining initial access, so they do not risk burning full-featured implants. Badrats takes characteristics from APT Tactics, Techniques, and Procedures (TTPs) and implements them into a custom Command and Control (C2) tool with a focus on initial access and implant flexibility. The key goal is to emulate that modern threat actors avoid loading fully-featured implants unless required, instead opting to use a smaller staged implant. Badrats implants are written in various languages, each with a similar yet limited feature set. The implants are designed to be small for antivirus evasion and provides multiple methods of loading additional tools, such as shellcode, .NET assemblies, PowerShell, and shell commands on a compromised host. One of the most advanced TTPs that Badrats supports is peer-to-peer communications over SMB to allow implants to communicate through other compromised hosts.

Audience: Offense

Presenters:

• Dominic “Cryillic” Cunningham
  Dominic “Cryillic” Cunningham is a Red Team Content Engineer for TryHackMe, a large cybersecurity education platform. He is currently pursuing a degree in computing security with a focus in digital forensics and malware. His work includes general adversary emulation, offensive operations, and evasion. He specializes in researching and documentation of Evasion Techniques, Windows Internals, and Active Directory. Most of his work and research has been published at https://www.tryhackme.com, where he has also developed and released numerous CTF boxes and enterprise-level ranges.
• Kevin Clark
  Kevin Clark is a Software Developer at Def-Logix focused on development of offensive security tools. His previous work includes Penetration Testing and Red Team Operator, focusing on initial access and active directory exploitation. Kevin contributes to open-source tools such as PowerShell Empire and publishes custom security toolkits such as Badrats and WindowsBinaryReplacements. Kevin authors a cybersecurity blog at https://henpeebin.com/kevin/blog.

Similar Presentations:

• ShmooCon 2023 / From the Keyboards, Through the Walls, Got Implant Shells for Y’all
• DEF CON 30 (2022) / Injectyll-HIDe: Pushing the Future of Hardware Implants to the Next Level Demo
• ShellCon 2019 / SiestaTime, Automation tool for Generation of Implants, Infrastructure and Reports