Operator 1.2 Release

What's new in 1.2

On 23 Sept 2021 we released Operator 1.2 which introduced a substantial number of changes to both the application and the back-end infrastructure supporting the application. Let’s go over some of the main highlights from the release and dive into what those changes mean going forwards.

Logging in

When you first open Operator 1.2, you’ll immediately notice there is no login page!

We immediately drop you into the application with an “ephemeral account” which:

a) Gets you to work faster.

b) Enables simpler automation when hitting the Operator API.

c) Lets you trial Operator without having provide an email.

Registration has been moved to the Account tab, which opens a side modal for registering:

Once you register, the Account icon will indicate your logged in and give you an option to upgrade:

Operating

We’ve consolidated the Operate tab into a single pane; before you had separate panes for interacting with agents and adversaries. The general settings and adversary interaction icons have move to the top left and while the agent interaction icons are in the top right:

You’ll also notice that adversaries/chains have been moved to the left below ranges:

If you click on that drop-down, you will see all of the pre-built kill chains:

Selecting a chain and clicking Deploy will run that chain/adversary against all of the agents in that range:

If you click on Edit, you are able to adjust the TTPs in that kill-chain and create new (or update existing) kill-chains:

Agents

Prior to Operator 1.2, agents were accessed using a plugin called Agent Library. With Operator 1.2, we have fully integrate agents into the core application (because it’s core functionality). You can view available agents from the Operate tab using the Agent icon:

That will bring up a list of all available agents (depending upon your license level) and you can download the binaries/scripts directly from there:

Network settings

Network settings have also moved in Operator 1.2. We used to have a discrete Settings tab, but the listener settings have now moved to Operate section under the WiFi icon:

Clicking on the network settings will bring up a sidebar where you can manage the listening ports for your Operator C2 server, grab your application session token (for the API), and, new in 1.2, go fully offline:

Clicking on the “Connected to HQ” button will disconnect you from the Prelude Headquarters server and let you use Operator in an offline environment:

Offline mode is great for using Operator in air-gapped networks or when you want to ensure no telemetry is being sent to Prelude servers. A side effect of this is you will no longer have access to Prelude training materials or content updates.

Documentation

Documentation remains available inside the application via the Docs tab:

We’ve also include an interactive API explorer that you can hit from a browser at http://localhost:8888/docs/ when you have Operator open:

Editor

Editor received a complete overhaul in Operator 1.2. We have moved to a tabbed interface and streamlined the UI to optimize TTP development:

Editor retains the same functionality from old versions, but adds in TTP history to quickly jump between TTPs that you are working on:

You can also add TTPs directly to Adversaries using the sidebar:

Probably the coolest feature we’ve added in Operator 1.2 is payload management via Editor. If you click on the package icon in the right-hand sidebar, you are presented with a payload management interface:

From this interface you can download payloads individual or all at one. You can also upload payloads to Operator:

Possibly the COOLEST feature (at least I think so) that Lewis added to this release is the ability to edit payloads directly in Editor! If you download a payload, then click on the name, you will be able to edit payloads (assuming they are scripts):

This dramatically simplifies TTP payload development.

Closing out

We only went over the major updates to Operator 1.2 in the post; check out the release notes for more thorough details on bugs, minor updates, and other things that we didn’t cover in the post.

As we move forward, we (Prelude) are going to continue simplifying the UI, improving the UX, and enhancing features. Moving forwards we are looking at empowering teams and enterprises directly from Operator (i.e. sharing data between Operator instances). Check out David’s post for the changes to our back-end infrastructure that will be enabling that future capability! Stay tuned for more!