Detection rules › Splunk
Windows Remote Access Software BRC4 Loaded Dll
The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
| Command & Control | T1219 Remote Access Tools |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 7 | Image loaded |
Rule body splunk
name: Windows Remote Access Software BRC4 Loaded Dll
id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05
version: 10
creation_date: '2022-08-30'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic identifies the loading of four specific Windows DLLs (credui.dll, dbghelp.dll, samcli.dll, winhttp.dll) by a non-standard process. This detection leverages Sysmon EventCode 7 to monitor DLL load events and flags when all four DLLs are loaded within a short time frame. This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could lead to unauthorized access, credential theft, and further compromise of the affected system.
data_source:
- Sysmon EventID 7
search: |-
`sysmon` EventCode=7
| bin _time span=30s
| eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0)
| eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0)
| stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount values(loaded_file) as loaded_file values(loaded_file_path) as loaded_file_path values(original_file_name) as original_file_name values(process_exec) as process_exec values(process_guid) as process_guid values(process_hash) as process_hash values(process_id) as process_id values(process_name) as process_name values(process_path) as process_path values(service_dll_signature_exists) as service_dll_signature_exists values(service_dll_signature_verified) as service_dll_signature_verified values(signature) as signature values(signature_id) as signature_id values(user_id) as user_id values(vendor_product) as vendor_product
BY Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll
dest Signed
| where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_access_software_brc4_loaded_dll_filter`
how_to_implement: The latest Sysmon TA 3.0 https://splunkbase.splunk.com/app/5709 will add the ImageLoaded name to the process_name field, allowing this query to work. Use as an example and implement for other products.
known_false_positives: This module can be loaded by a third party application. Filter is needed.
references:
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
- https://strontic.github.io/xcyclopedia/library/logoncli.dll-138871DBE68D0696D3D7FA91BC2873B1.html
- https://strontic.github.io/xcyclopedia/library/credui.dll-A5BD797BBC2DD55231B9DE99837E5461.html
- https://docs.microsoft.com/en-us/windows/win32/secauthn/credential-manager
- https://strontic.github.io/xcyclopedia/library/samcli.dll-522D6D616EF142CDE965BD3A450A9E4C.html
- https://strontic.github.io/xcyclopedia/library/dbghelp.dll-15A55EAB307EF8C190FE6135C0A86F7C.html
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: dest
type: system
score: 20
message: a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.
analytic_story:
- Brute Ratel C4
asset_type: Endpoint
mitre_attack_id:
- T1219
- T1003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`sysmon` EventCode=7
Stage 2: bucket
| bin _time span=30s
Stage 3: eval
| eval BRC4_AnomalyLoadedDll=case(OriginalFileName=="credui.dll", 1, OriginalFileName=="DBGHELP.DLL", 1, OriginalFileName=="SAMCLI.DLL", 1, OriginalFileName=="winhttp.dll", 1, 1=1, 0)
BRC4_AnomalyLoadedDll =if
1elif
1elif
1elif
1else
0Stage 4: eval
| eval BRC4_LoadedDllPath=case(match(ImageLoaded, "credui.dll"), 1, match(ImageLoaded, "dbghelp.dll"), 1, match(ImageLoaded, "samcli.dll"), 1, match(ImageLoaded, "winhttp.dll"), 1, 1=1, 0)
BRC4_LoadedDllPath =if
match(ImageLoaded, "credui.dll")1elif
match(ImageLoaded, "dbghelp.dll")1elif
match(ImageLoaded, "samcli.dll")1elif
match(ImageLoaded, "winhttp.dll")1else
0Stage 5: stats
| stats count min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(OriginalFileName) as OriginalFileName dc(ImageLoaded) as ImageLoadedCount values(loaded_file) as loaded_file values(loaded_file_path) as loaded_file_path values(original_file_name) as original_file_name values(process_exec) as process_exec values(process_guid) as process_guid values(process_hash) as process_hash values(process_id) as process_id values(process_name) as process_name values(process_path) as process_path values(service_dll_signature_exists) as service_dll_signature_exists values(service_dll_signature_verified) as service_dll_signature_verified values(signature) as signature values(signature_id) as signature_id values(user_id) as user_id values(vendor_product) as vendor_product
BY Image BRC4_LoadedDllPath BRC4_AnomalyLoadedDll
dest Signed
Stage 6: where
| where ImageLoadedCount == 4 AND (BRC4_LoadedDllPath == 1 OR BRC4_AnomalyLoadedDll == 1)
Stage 7: search
| `security_content_ctime(firstTime)`
Stage 8: search
| `security_content_ctime(lastTime)`
Stage 9: search
| `windows_remote_access_software_brc4_loaded_dll_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|