Operator version 1.5
Marking a major cutover from earlier iterations of the platform
Operator was designed to solve problems in advanced security. We were never fully satisfied with our process as red and purple teamers using the tools at our disposal. So we built Operator to thrive in this transitory time between manual and automated security testing.
Our original beta launched in November 2020 and 1.0.0 followed a few months later. Every 6 weeks we released a new version of the platform, following our PSI release cycles.
Fast-forward to January 6, 2022, when version 1.4 came out. Initially, we were happy with the release, as it included major stepping stones like a chains sidebar and ordered adversaries. But as time went on we wanted to do more. A lot more. So re-evaluating our core mission of solving problems in today’s advanced security world, we knew the next version of the platform had to go back to basics.
At this point, we had squeezed all the core features we wanted into the app but hadn’t spent enough cycles iterating on the user experience.
In other words, we hadn’t focused on empathy.
Version 1.5 of the Operator platform has (hopefully) changed that. Combing through the application over and over again, we refocused against our core operational use case. And as a result, we redefined how the app looks and works.
While Operator can be used by many in red, blue and purple roles, we wanted our core use case to shine through: power automated purple team environments.
Operator 1.5 contains a new UI, new UX and new features. However, it maintains a familiar architecture, where the platform, attacks (TTPs/chains) and agents are all modular components that work together.
Follow me on this tour of what to expect in Operator 1.5!
Table of contents:
Out of the gate: things you’ll notice right away.
Navigation bar: changes on the far left bar.
Agent sidebar: what’s new related to agents and range management.
Connect section: moving from a plugin to a built-in section.
Train section: see which programs have survived the version upgrade.
Docs section: new, searchable documentation pages.
Settings section: hint, you’ll find plugins in here now.
Out of the gate
The first thing you’ll notice after upgrading from 1.4 is that the home page looks very different. There are new colors, images, terminology… here are the basics:
Prelude hired a dedicated designer (hi Robert!). Robert spent several cycles improving our color palette and adding consistency in where and how we applied fonts and icons. He even added illustrations, as you’ll note in the new carousel that appears whenever an agent has no results (see above).
Operator 1.5 uses a new workspace, which means you’ll likely think your data has been deleted. Operator creates a new directory on your computer for each environment it is configured against. Up until now, that’s only been login.prelude.org. In 1.5, we replaced this with portal.prelude.org, so if you check your Operator install directory, you’ll see both your 1.4 and 1.5 workspaces.
Where did the Editor and Operate sections go? Editor was rebuilt in a more streamlined way. If you click on “Launch Chain” under any agent, you can enter the new way of managing TTPs and chains. But more on that later. The Operate section is gone completely because before now, Operator was a multi-page application, requiring clicking into and out of sections. Now, Operator is a single page app, where overlays will pop on/off your screen. Why’d we do this? It allows us to optimize both your number of clicks to accomplish tasks and our ability to save your state between views.
How do you transfer your 1.4 data to 1.5? Stay tuned: we’ll update our issue board with instructions this week.
Now that we’ve been acclimated, let’s go through each section of the app, left to right.
The left navigation bar may look similar to previous versions of Operator but it’s more streamlined than ever. Now, you’ll see only the Connect icon at the top, with Training, Documentation and Settings at the bottom.
Connect used to be a plugin but was converted to a built-in section. Boring? Maybe. But it means it will load faster when you use it!
Clicking on any icon will pop open a modal window, which lays on top of your “home” screen. This means you can now open multiple views at once and state management is built in by default.
Previously, the agent sidebar had a drop down at the top to select a range.
In 1.5, Operator no longer supports ranges and instead allows you to connect up to 5 agents simultaneously (or 50 if you have a license) to each Operator instance (including redirector instances). This means if you want to create logical groupings of agents just point them at different redirectors.
The old drop down has been replaced with a text search, to filter your displayed agents.
Each agent in your list has the following options:
Launch chain: select a TTP or chain and deploy against target agents.
My profile: view and update an agent’s properties.
View queue: act on any TTPs stuck in the to-do pile for an agent.
Reverse shell: pop open a real interactive shell.
Delete agent: permanently remove all traces of an agent.
The options for each agent will either be enabled or disabled, based on the state of the agent. We are aware in 1.5 that the reverse shell will not work if the agent is connected via redirector. We will work to resolve this in a future release.
This is the new “Editor” section. When you open this modal window you’ll see information on the latest TTP Tuesday chain (available with a professional license) and a list of any chains you scheduled to run at a later time.
By default, you won’t see scheduled chains like the screenshot above. You’ll need to actually schedule a chain first!
At the top, you’ll see a search bar. Use this to search for any TTP or chain, such as File Hunter:
We are aware it would be useful to search/filter by tactic or technique. Right now, the search only works against TTP and chain names and summaries. But follow our open ticket about extending the search capability!
Inside this view, you can create chains, re-order chains (lock/unlock), deploy chains or open the advanced deployment tab to schedule a chain for later (the gear icon).
Additionally, by clicking on any TTP in your chain you can open a YML editor to adjust the commands by hand:
If you adjust any built-in TTP, it will be forked automatically so you always modify a replica, not the original.
Clicking into My Profile for any agent will display its configuration details (like label or sleep/jitter). Additionally, this is where you’ll find its facts.
Recall in 1.4, an agent’s facts were in a separate sidebar.
Agent facts are scoped to either agent (self) or global. Only mutable facts are enabled and can be changed. For example, Operator has a concept of “automatic facts” which are system level and always start with agent or operator. You can’t change these. Similarly, if a global fact was created by a different agent, only that agent can modify it.
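To make the fact-scoping rules above concrete, here is a small Python model written for this article; it is an added example, not Operator’s own code or API. The Fact fields, the FactStore class, the dotted "agent."/"operator." prefix used to recognise automatic facts, and the sample agent ids and fact names are all assumptions made for the illustration.

```python
"""Hypothetical model of Operator 1.5's agent-fact scoping and mutability rules.

Added illustration only: the Fact dataclass, FactStore, the "agent."/"operator."
prefix convention and every sample value below are assumptions, not Operator's code.
"""
from dataclasses import dataclass
from typing import Literal, Optional

Scope = Literal["self", "global"]

# Assumption: automatic (system-level) facts carry one of these dotted prefixes.
AUTOMATIC_PREFIXES = ("agent.", "operator.")


@dataclass(frozen=True)
class Fact:
    name: str
    value: str
    scope: Scope        # "self" = visible/owned by one agent, "global" = shared
    created_by: str     # id of the agent that created the fact (assumed field)


def is_automatic(fact: Fact) -> bool:
    """Automatic facts are system level and always start with agent or operator."""
    return fact.name.startswith(AUTOMATIC_PREFIXES)


def can_modify(fact: Fact, requesting_agent: str) -> bool:
    """Rules from the text: automatic facts are never mutable; a global fact
    created by a different agent may only be modified by its creator; a
    self-scoped fact belongs to the agent that created it."""
    if is_automatic(fact):
        return False
    return fact.created_by == requesting_agent


class FactStore:
    """Hypothetical store that enforces the scoping rules on every write."""

    def __init__(self) -> None:
        # key: (owner, name) where owner is an agent id for self facts or "global"
        self._facts: dict[tuple[str, str], Fact] = {}

    @staticmethod
    def _key(fact: Fact) -> tuple[str, str]:
        owner = "global" if fact.scope == "global" else fact.created_by
        return (owner, fact.name)

    def add(self, fact: Fact) -> None:
        self._facts[self._key(fact)] = fact

    def visible_to(self, agent: str) -> list[Fact]:
        """An agent sees its own self-scoped facts plus every global fact."""
        return [f for (owner, _), f in self._facts.items() if owner in ("global", agent)]

    def lookup(self, name: str, agent: str) -> Optional[Fact]:
        """Self-scoped facts shadow a global fact of the same name."""
        return self._facts.get((agent, name)) or self._facts.get(("global", name))

    def update(self, name: str, new_value: str, requesting_agent: str) -> Fact:
        fact = self.lookup(name, requesting_agent)
        if fact is None:
            raise KeyError(name)
        if not can_modify(fact, requesting_agent):
            raise PermissionError(f"{requesting_agent} may not modify {name!r}")
        updated = Fact(fact.name, new_value, fact.scope, fact.created_by)
        self._facts[self._key(updated)] = updated
        return updated


def try_update(store: FactStore, name: str, value: str, agent: str) -> str:
    """Outcome of an update as a short status string (convenient for checks)."""
    try:
        store.update(name, value, agent)
        return "ok"
    except PermissionError:
        return "denied"
    except KeyError:
        return "missing"


def build_demo_store() -> FactStore:
    """Constructed sample data for two hypothetical agents, a1 and a2."""
    store = FactStore()
    store.add(Fact("agent.hostname", "ws-01", "self", "a1"))        # automatic, immutable
    store.add(Fact("operator.session", "sess-123", "global", "a1"))  # automatic, immutable
    store.add(Fact("target.ip", "10.0.0.5", "global", "a1"))         # global, owned by a1
    store.add(Fact("user.password", "constructed", "self", "a2"))    # self-scoped to a2
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("a1 edits target.ip:", try_update(s, "target.ip", "10.0.0.6", "a1"))
    print("a2 edits target.ip:", try_update(s, "target.ip", "10.0.0.7", "a2"))
    print("a1 edits agent.hostname:", try_update(s, "agent.hostname", "x", "a1"))
```

The store is deliberately fail-closed: a write that matches no rule is refused rather than silently applied, and self-scoped facts are invisible to other agents, which is the same least-privilege behaviour the sidebar enforces by greying out immutable facts.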
One last option in this sidebar is mode. Up until now, Operator supported two modes: regular (unlocked) and human-in-the-loop (locked). In 1.5, we added simulation mode. Simulation mode allows you to run a TTP or chain and see an expected/normal output without actually running it.
Simulation mode is helpful when you want to experience a complex chain but aren’t confident it’ll run end-to-end in your environment.
At the bottom of the agent sidebar, you’ll see a new button: “Add Agents”. This opens a new modal which provides a list of Operator instances (and redirectors) and types of agents accessible to your license. Making selections will output a command, which you can then copy and paste into any computer’s terminal to download and start an agent remotely - thus performing initial access!
As a community member, you’ll only see Pneuma, our flagship open-source agent, in your list. Upgrade to a professional license to see our other agents.
Each Operator instance can have up to 5 agents connected simultaneously. Or if you have a professional license, you can have up to 50. Want to do more? Use redirectors.
Connect went through more changes than any other part of Operator. As we aimed to refocus on automated purple team infrastructure, Connect became the hub that makes this seamless.
Clicking into Connect, you get one option: deploy a manual redirector. Follow the provided instructions to download a headless instance of Operator and connect your desktop app to it.
When you connect to a redirector in 1.5 you “transport” into it. All your local listening posts (which accept agent beacons) turn off and all your local data and agents disappear. Everything you do and see inside Operator is now from the lens of your redirector. Create a TTP? It creates it in the redirector. Schedule a chain? It’ll only schedule against your redirector - which means you can disconnect and it’ll run while you’re offline!
Beyond manual redirectors, the Connect section offers robust options for enterprises looking to automate their purple team infrastructure:
Attach a cloud account: Link either an AWS or GCP account to your Operator desktop instance. Additional cloud providers are coming in the future.
Provision a cloud redirector: Instead of manually setting up a server to run headless Operator, you can create new fully-functional redirectors in your own cloud environment at the click of a button.
Provision a cloud VM: Create newly compromised servers - either Linux or Windows - in your own cloud environment. These servers will have an agent dropped on them, which will connect to the redirector of your choice. Use these cloud VMs to test your TTPs and chains.
Yes, these options used to be freely available in the Community version of Operator. But in 1.5, we are pivoting to clarify the line between free and paid versions of the app. We are segmenting any infrastructure building and managing - especially cloud based - into the enterprise license.
Enterprise accounts can also leverage their redirectors as team servers. When multiple people connect to the same redirector, all TTPs, chains, schedules, agents, etc. are shared across everyone in real time. This enables quick collaboration at both the building and operational stages of purple teaming.
Alongside the team server is an encrypted, self-hosted chat channel. This is a basic chat that allows you to communicate with your team on your own infrastructure.
Training has largely stayed the same; however, we dropped two programs: ATT&CK Procedures and CTF. The former was transitioned into documentation (see next section).
All flags in the Introduction program (which teaches you how to use Operator) have been updated to be current with the 1.5 updates.
The documentation section has had some serious upgrades. Instead of hard-coded sections, available per version, we’re now loading the content dynamically from our Community Repository.
You can use the search bar to locate any relevant page, like “API” in the search above.
As alluded to before, the ATT&CK Procedures training program is now available in documentation in the form of man(ual) pages. 100+ TTPs have dedicated documentation pages which highlight variations, how to prevent or detect them and even a “hacker’s perspective” on their use case.
At its surface, the Settings section looks unchanged. It’s still the area to log into Operator. It’s still the stop to adjust your listening post ports and IP address.
But there are two new core features:
You can set a permanent token. Before, your API token would rotate on app reboot (annoying). You can now set it explicitly.
Plugins live here now. Instead of a separate plugins section, you can install and uninstall plugins by clicking on them. Plugins no longer require additional configuration.
Our list of plugins has shrunk. You’ll now see Sliver (agent integration), HTTPS (an additional listening post) and ART (atomic red team TTPs). What about publishers? Because publishers are infrastructure, in 1.5 they have been ported into Outpost, so you’ll need an enterprise account to use them.
We hope you enjoy the refocus on our core use case: powering automated purple team environments. This was a big effort and as such, came with big changes. We hope you’re patient with us as we engage with each of you in the coming weeks and months.
Our goal is to provide simple solutions that provide real security, so if you notice anything you’d like adjusted - just open a ticket on our board. We carefully consider each request and will do our best to accommodate your mission: helping create a safer world.