If you read our last post, you are no doubt ready to get rolling. You learned that Operator is an autonomous red team tool which allows you to launch adversary profiles against target networks with a single button click.
But before you can do all of that fun stuff, you'll need to install the platform.
In a browser, navigate to https://prelude.org. This is the official website for the project, where you’ll find supporting details, information about the project and in our case, the latest stable release of the application itself. Stable versions are released anywhere from weekly to every 6-weeks.
Locate the download section and proceed with the operating system of your choice.
With the application downloaded, simply double-click it and install like you would any other app.
Depending on your operating system, you may see a warning or override confirmation box, telling you this is a third-party application. Click to confirm the installation and follow the normal prompts to complete the installation.
Building multi-platform ElectronJS applications requires you to manage (or not manage!) code signing for the app.
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.
As a command-and-control center (C2), Operator is designed to do things that a normal application would not, including managing “malware” and viruses and conducting cyber attacks. Because of this, the development team has added Apple and Windows signed certificates but has not applied for access to the various app stores. This is why you will see a confirmation prompt when starting Operator for the first time on these platforms.
Once you've installed the app, you can start it right away. The very first time you do, a few things will happen:
A desktop window will open up, displaying a login page.
Behind the scenes, the application will create an installation directory to store configuration files. This location can change depending on your operating system. We refer to this as your “workspace”.
If you’re like us, you’ll be curious about what goes into the installation directory. While you can browse to the location on your computer and view the various files, mostly pertaining to your agents, results and TTPs, we caution against making any modifications to this directory, as it can create issues inside Operator.
Register as a new user
Operator uses password-less login to make securing your account safe and easy. Enter an email address on the login page and a code will be sent to the address, which you can enter at the next prompt. This process enables you to casually create an account tied to an email address, instead of being forced to remember yet another password.
This is your first interaction with GateKeeper, which handles your registration. GateKeeper is a server-side API the Prelude development team manages, which handles authentication, authorization and remote storage options (such as cloud backups and training materials). For now, think of GateKeeper as the login service.
Once logged into Operator, you will be welcomed with a dashboard, which shows you summary information about what is loaded into your application.
A few important things to note about your dashboard:
You will see your current version of the desktop app, along with if it is the latest version or not. If you are out of date, you can just reinstall the app by clicking the "updates available" button.
The licenses you have. By default, you will have a “Community” license, which means that you are using the free, open-source tool. If you upgrade your license, you will see this reflected accordingly.
Your “workspace” statistics will show you how many adversaries, agents and TTPs are loaded into your platform. Your adversaries will be zero and agents will be one (your local ThirdEye agent, named after your computer), by default. You should have some TTPs however, which were automatically pulled in from the Community repository.
Remaining training tasks will be highlighted and let you see how far behind you are. Note these numbers show your progress stacked up against the total number of training modules in the platform (including paid). Operator includes a free Introduction training program which teaches you how to get the most out of the application. As the team adds new features, new training modules will become available to show you how to use them.
The Community repository
Community is a free, open-source repository of Tactics, Techniques and Procedures (TTPs) in the form of files. In other words, Community is a directory containing prepackaged offensive attacks.
Community is hosted and maintained by Prelude.
Inside the repo, you will find directories for each ATT&CK tactic, inside of which you will find .yml files containing a singular procedure, which represents an attack.
We will go into much more detail in a future post about these TTP files. For now, you can browse them but don’t get caught up in the details yet.
Why are we showing you Community right now?
Every time you open the Operator platform it loads any new TTP files from this repository, ensuring you get new attacks without having to load them yourself. It does this through GateKeeper, which tracks Community changes and acts as a proxy, safely loading the changes automatically.
TTPs power adversaries, which in turn power your security assessments. So getting familiar with the concepts now will help out when you're designing your own attacks.
Now that you've installed Operator, registered and logged in, you're ready to go. From here you can deploy agents, build adversaries and launch security assessments.