Operator 1.3 has arrived! You can read the full release notes here.
Okay, let’s dive into the major new features!
Objective
Our goal for this release was to make team-based red and purple team operations practical. To that end, we made major changes to how Operator itself runs and how it interfaces with redirectors. We also added Enterprise license features, including the ability to stand up your own Outpost Server to store your TTPs, plugins, agent data, training results, and more.
Connect
When you first log in, you’ll see a brand new sidebar icon: Connect.
Connect is a complete replacement for the old Switchboard and Cloud plugins; professional license holders will notice that the old Switchboard icon is gone from the top-left navigation bar. Connect is what we call a “native plugin”: it installs automatically and mounts on the sidebar without any action on your part. Jumping into Connect, you will see this:
From here you can provision redirectors and pre-compromised systems and, for Enterprise license holders, link up with teammates.
Creating a new redirector is easy. First, build a new profile (we automatically pull the profiles from your local AWS configuration), specify a key and region, and select Save:
Then decide what you want to provision on the server and select “Provision”:
But something sneaky is hidden in plain sight there… Headless Operator API / Team Server.
“Headless” mode
Put simply, we have refactored and packaged Operator into a version that runs as a NodeJS package instead of a full Electron application. Operator can be deployed on a Linux server as a service and driven entirely over its API. We use this same mode ourselves to build the Team experience in Connect.
You can download the packaged Linux server version directly from the Prelude website. Professional license holders can still deploy the traditional Switchboard binary to use the old redirector experience.
Enterprise features
We explicitly added support for Enterprises in this release.
Team-based operations
Headless mode and Connect together let you connect to a teammate’s redirector:
From there, you share beacons and data with the redirector over gRPC. This means that all of your data is readily accessible to every teammate also connected to that redirector, so access to the redirector itself is the boundary for that data.
Results management
Enterprise users will be able to share and export their results from our Web Portal:
Additionally, you are able to add your own Outpost Server to store all your proprietary enterprise data:
Closing out
As with the Operator 1.2 post, this is only touching on the major new features we have added. The Operator 1.3 release notes have numerous feature enhancements, bug fixes, and additions to check out. Here are just a few of the highlights:
The agent/fact sidebar - and the http://localhost:3391/facts endpoint - has been updated to allow scoping of the facts used in TTPs. By default a fact is scoped to the agent that collected it, but you can switch a fact so that it is scoped to the entire range the agent belongs to and becomes usable by every agent in that range.
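To make the scoping rule concrete, here is an added illustration written for this page (it is not Operator’s own code; the fact record shape, the #{trait} placeholder syntax and the function names are assumptions for the example). It resolves which facts a TTP running on a given agent may use, and shows what changes when one fact is re-scoped from the agent to its range:

```javascript
// Added illustration of agent- vs. range-scoped facts. Data model, placeholder
// syntax and function names are assumptions, not Operator's implementation.
const SCOPE_AGENT = "agent";
const SCOPE_RANGE = "range";

// Constructed sample: two agents on the same range, one on a separate range.
const agents = [
  { id: "agent-1", range: "corp-lab" },
  { id: "agent-2", range: "corp-lab" },
  { id: "agent-3", range: "isolated" },
];

// Constructed sample facts. A missing `scope` means the default: the fact is
// visible only to the agent that collected it.
const facts = [
  { agent: "agent-1", trait: "host.user.name", value: "alice" },
  { agent: "agent-1", trait: "domain.dc.ip", value: "10.0.0.5", scope: SCOPE_RANGE },
  { agent: "agent-2", trait: "host.user.name", value: "bob" },
  { agent: "agent-3", trait: "domain.dc.ip", value: "192.168.9.1", scope: SCOPE_RANGE },
];

function scopeOf(fact) {
  return fact.scope || SCOPE_AGENT;
}

// Facts a TTP running on `agentId` may use: the agent's own facts plus any
// range-scoped fact collected by an agent on the same range. Range-scoped
// facts from other ranges are never visible.
function factsVisibleTo(agentId, agentList, factList) {
  const me = agentList.find((a) => a.id === agentId);
  if (!me) throw new Error(`unknown agent ${agentId}`);
  const byId = new Map(agentList.map((a) => [a.id, a]));
  return factList.filter((f) => {
    if (f.agent === agentId) return true;
    const owner = byId.get(f.agent);
    return scopeOf(f) === SCOPE_RANGE && owner !== undefined && owner.range === me.range;
  });
}

// The sidebar toggle described above: return a copy of the fact with a new scope.
function setScope(fact, scope) {
  if (scope !== SCOPE_AGENT && scope !== SCOPE_RANGE) throw new Error(`bad scope ${scope}`);
  return { ...fact, scope };
}

// Fill #{trait} placeholders in a TTP command from the facts visible to the
// agent. Unresolvable placeholders are left in place so the caller can see
// which facts are still missing.
function resolveTemplate(template, agentId, agentList, factList) {
  const visible = factsVisibleTo(agentId, agentList, factList);
  return template.replace(/#\{([\w.]+)\}/g, (placeholder, trait) => {
    const hit = visible.find((f) => f.trait === trait);
    return hit ? hit.value : placeholder;
  });
}

// Re-scoping alice's user name to the range makes it usable from agent-2 too.
const factsAfterToggle = [setScope(facts[0], SCOPE_RANGE), ...facts.slice(1)];

console.log(resolveTemplate("net use \\\\#{domain.dc.ip} /user:#{host.user.name}", "agent-2", agents, facts));
console.log(factsVisibleTo("agent-2", agents, factsAfterToggle).length);
```

Note that agent-2 sees agent-1’s DC address because it is range-scoped, but not agent-3’s, which belongs to a different range; agent-scoped facts stay private to their collector until explicitly toggled.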
There is a new "activity stream" that displays all of your system events while Operator is running. You can toggle this stream in a sidebar from anywhere in the application with the keyboard shortcut Ctrl+L.
When using the search bar in the operate section, we're now searching the full TTP and response, not just the response.
With Operator 1.3 released, the team is already developing and pushing out more new features for Operator 1.4 :)
Do you have features that you want in the next Operator release? Let us know by connecting with us on Discord.