Name:Windows Remote Access Software BRC4 Loaded Dll id:73cf5dcb-cf36-4167-8bbe-384fe5384d05 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system. Data_source:
-Sysmon EventID 7
search:`sysmon` EventCode=7 |bin _time span=30s | eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0) | eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0) | stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount by Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll dest EventCode Signed | where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_brc4_loaded_dll_filter`
