Discover more from f33d by Prelude
Use this tool to scale your automated security inside your organization
Many of the features in this post are only available at the enterprise license level. Community (free) members can use Connect to connect manually to redirectors, but all automated infrastructure provisioning is in the enterprise tier. We drew this line because we believe it best supports both the individual and enterprise cases.
Operator is a command-and-control (C2) application at its core. Its default state is an individual tool, walled off from others to protect your privacy and the security of your data. Use it to run automated security assessments and determine whether you can detect common attack vectors.
However, Operator can quickly convert into a node in your organization’s security architecture. It does this through a tool called Connect.
Connect allows you to link your application to teammates so you can share TTPs and attack chains, communicate over an encrypted chat channel and mirror the activity of all agents in your network.
This post will act as a guide to using this tool.
A prerequisite to this guide is you have Operator up and running and are familiar with the basics outlined here.
Click into the Connect section and into the Attach Cloud Account panel.
From here, you should add your AWS authentication details. This will allow you to provision purple team infrastructure in your cloud account.
Operator saves your account info in your settings.yml file, which is stored in your local Prelude workspace directory. Treat that file as a secret: it holds credentials that can launch instances in your cloud account, so keep its file permissions tight and use an IAM principal scoped to the permissions provisioning needs rather than an administrator key.
Once added, you can move on.
Provision a redirector. Redirectors are headless versions of Operator running on remote Linux servers. They do a few things for you:
Provide a 24/7 instance of Operator that you can connect/disconnect to whenever you want.
Accept beacons from agents over the internet.
Hide your physical location, because the redirector sits between agents and your desktop.
Act as a team server that you and your teammates can connect through.
From this section, you can click provision to fire off your request. You’ll see a new row pop up in the top-right called “Moderato”, which is the name of your first redirector. It will be red by default, meaning it is not yet connectable.
Provisioning a redirector this way launches a micro EC2 instance in your cloud account and boots a headless Operator on it, logged in with the same account you are using in Operator.
Wait 2-3 minutes for the redirector to come online, which will be evident when the red indicator turns to grey.
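The redirector is, by design, an instance in your AWS account that accepts beacons from the internet, so it is worth checking exactly what that instance exposes. The script below is an added example, not Operator or Connect code: it parses the JSON that `aws ec2 describe-security-groups --output json` prints and reports every ingress rule that admits the whole internet (0.0.0.0/0 or ::/0). The embedded sample document, the group names and the port numbers in it are constructed for illustration; this post does not document which ports the redirector listens on, so the allowlist of ports you intend to expose is yours to supply.

```python
"""Audit internet exposure of the EC2 instances Connect provisions.

Added example, not Prelude code. Input is the JSON document produced by
`aws ec2 describe-security-groups --output json`. The sample below is
constructed; its group IDs, names and ports are illustrative only.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60001",
            "GroupName": "moderato-redirector",  # hypothetical name
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f60002",
            "GroupName": "pneuma-test-vm",  # hypothetical name
            "IpPermissions": [
                {"IpProtocol": "-1",  # all protocols and ports
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_ingress(describe_sgs_json, allowed_ports=frozenset()):
    """Return ingress rules that admit the whole internet.

    allowed_ports: TCP/UDP ports you intentionally expose (for example the
    beacon listener); single-port rules for those ports are not reported.
    A rule with IpProtocol "-1" (all traffic) is always reported.
    """
    findings = []
    for group in json.loads(describe_sgs_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = sorted(c for c in cidrs if c in WORLD_CIDRS)
            if not open_cidrs:
                continue  # only specific source ranges; not world-open
            proto = perm["IpProtocol"]
            if proto == "-1":
                ports = "all"
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if lo == hi and lo in allowed_ports:
                    continue  # an exposure you chose on purpose
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            for cidr in open_cidrs:
                findings.append({
                    "group": group["GroupId"],
                    "name": group.get("GroupName", ""),
                    "protocol": proto,
                    "ports": ports,
                    "cidr": cidr,
                })
    return findings


def main(argv):
    # Usage: python audit_sgs.py [describe-security-groups.json] [port ...]
    # With no file argument the constructed sample is audited.
    doc = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DESCRIBE_SGS
    allowed = frozenset(int(p) for p in argv[2:])
    for f in world_open_ingress(doc, allowed):
        print(f"{f['group']} ({f['name']}): {f['protocol']} "
              f"{f['ports']} open to {f['cidr']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a saved `describe-security-groups` dump with the port you expect agents to beacon to on the allowlist; anything else it prints (SSH open to the world, or an all-traffic rule on the test VM) is exposure you should either narrow to your own source range or remove.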
Connect to your redirector.
Once it is available, click on it and open up the “redirector panel” where you can see all agents connected to it. From here, you can connect/disconnect from the remote machine. Go ahead and connect.
Once you connect, a few things happen:
A purple overlay shows up, indicating you are connected.
Your agent list is replaced with the agents beaconing to the redirector.
Your entire application shifts context. Everything you do now is against the redirector, not your local application. Create a TTP? It’ll save to your redirector. Schedule an operation? That’ll happen on your redirector too.
Inside the Provision Cloud Resources panel, you’ll note a second option: provision a VM. This will provision a virtual machine in your cloud account that is “pre-compromised” with a Pneuma agent connected to your redirector. Think of this as a single host test range.
Add some teammates. From the Connect section, click into Manage Your Team and invite people by email. They receive an invite; once they accept it, they have access to your redirectors.
Once a teammate accepts, send them your redirector host and token, which they can use in the Deploy Manual Redirectors panel of Connect in order to access it. Treat the token as a credential: anyone holding the host and token can connect to the redirector, so share it over a channel you trust rather than in the same email thread as the invite.
You can find your redirector token by going to your Settings section after connecting to it. The host can be either its IP or its FQDN.
Once your teammates connect, anything they do on the redirector (like tasking an agent) will show up immediately on your screen as well. This is now a team server. You can even open up the encrypted chat channel that is available on your redirector panel to communicate with them.
Finally, let’s make sure everything that occurs in your Operator instance (or redirectors) is sent to your SIEM, so you can gauge your detection capabilities.
Work with your Prelude point of contact to get access to Outpost: a server you can run anywhere that stores your cache of custom TTPs, chains (and more), and is connected to the SIEM (or EDR dashboard) of your choice.
Inside the Configure Your Outposts panel of Connect you can enter the host/token to your Outpost. You will see which publishers (SIEMs or EDRs) it is connected to, and what resources (TTPs, chains, etc.) are contained within it.
Adding an Outpost to your account makes it available to all your teammates: they see the same Configure Your Outposts screen, and the Outpost is active for them as well. This means:
Every operation they run inside Operator, whether over a redirector or not, will publish to the SIEMs/EDRs active on the Outpost.
Any TTP, chain, training program, plugin or documentation page added to the Outpost will sync to their Operator instance automatically.
And that’s it! Now you can deploy agents throughout your network (connecting them to your redirector app), run chains against them and track results from either Operator or your SIEM.