A drop in the bucket

Learn how you can attach your own private GitHub repos to Operator

Operator 1.2 was released last week with a new major feature: buckets.

An Operator bucket is a file system containing all the resources that load into your C2 at runtime. These resources are:

  • TTPs: the micro-attack files which load into your Editor section and act as your “attack database.”

  • Plugins: the modular HTML extensions that extend the core functionality of the app.

  • Training: the capture-the-flag-style modules which you see in the Train section.

  • Payloads: the individual binaries which TTPs can (optionally) attach to create more powerful attacks. These include agent/RAT binaries.

You can think of Operator as an empty shell which, when booted up, loads all the resources to give you a powerful command-and-control center.

Internally, we’ve used the concept of buckets since our first beta version (0.9.2). We leveraged AWS S3 for the storage and kept it an internal feature. In 1.2, we pulled the resources out of S3 and posted them in our Community repository. Head there and you’ll see everything that loads into Operator by default.

Professional licenses

Professional license holders gain access to a second, closed-source bucket which contains all the material we reserve for subscribers. This bucket includes:

  • Our weekly TTP releases, which sync automatically with your Operator every Tuesday.

  • The Switchboard plugin, for working within a team and sharing redirectors/agent beacons.

  • PneumaEX agent, a more powerful version of the open-source Pneuma agent.

  • An ATT&CK training program, which takes you through 100+ procedures inside Operator and teaches you their ins and outs.

  • The Publisher planner, which integrates with Elastic, Splunk, Slack, VECTR, Discord and other security tools.

  • The Planner plugin, which lets you override the internal “brain” Operator uses to make operational decisions.

  • The Reporting plugin, which generates after-action red team reports.

Enterprise licenses

Those with Enterprise licenses gain access to the enterprise bucket, which includes the popular SIEM plugin: a Splunk detection tool. As you deploy adversaries, we will pull in your saved searches and determine, in real time, whether you are detecting the behaviors or not.

Enterprise license holders also receive a private API, called Outpost, which lets them serve their own private bucket.

Outpost is a Python server, with minimal dependencies, that allows an organization to share private resources amongst their team.

It works like this (literally as easy as 1, 2, 3):

  1. Set up a private GitHub repository for your team, mimicking the structure of the Community repository. No GitHub? You can use any source control, file share or plain old directory as well.

  2. You’ll then receive the Outpost source code, which can be deployed on any internal server with access to your repo.

  3. Head to your Headquarters dashboard and enter the location and authentication details of your Outpost server.

From then on, every member of your organization will sync with the new bucket and continuously update as resources are added, with no action necessary.

In Operator 1.3, which will be released in November, Outpost servers will be backed by an optional database. This will enable storing/syncing the results generated by each Operator instance in your organization.


As you’re using Operator 1.2+, and getting familiar with the buckets at your disposal, get in touch and let us know how it’s going. We’re always happy to give a behind-the-scenes tour and help make your next security assessment a success.