Operator is a desktop application that can be used to test the security of a computer or network.
It can be used in red team operations, automated purple team assessments, penetration testing, or to aid blue team detection training. There are many ways you can leverage Operator to validate your security.
This guide will walk through getting bootstrapped on Operator.
Step 1
Download Operator from Prelude’s website. Run it from any macOS, Linux or Windows machine.
Step 2
Familiarize yourself with the interface. You should be greeted with a screen like this after step 1:
The navigation bar allows you to open a few sections:
Connect: This is an advanced red team infrastructure management tool. It won’t be covered in this guide.
Train: You’ll find free educational programs here, which will teach you how to use Operator and hopefully a bit about offensive security in general.
Docs: Searchable documentation is here. Use this.
Settings: All your account and general application settings can be found here.
Moving right, you can see a column listing all agents connected to this application. By default, Operator includes an embedded agent named after your hostname. This agent is a good target for demo attacks and for testing scenarios before using them more widely.
You can connect additional remote agents, such as our flagship open-source Pneuma agent, written in Go.
Each agent has a few options:
Launch chain: pick and deploy attack chains.
My profile: all agent information.
View queue: any instructions you’ve sent to the agent which haven’t been picked up yet.
Reverse shell: open an interactive shell to the machine running the agent. This is not available on all agents.
Delete agent: remove the agent entirely. If you do this with the embedded/default agent, it’ll regenerate.
Moving further right, you’ll be in the main canvas. This area will fill up with results as you launch chains against the agent.
Step 3
Launch a chain. Select that option for the default agent and you’ll get a search bar. You can use this to search for plain-text TTPs. Go ahead, try things like “password” or “AWS” to see what TTPs are available that include your search text.
There are advanced search filters available starting in version 1.6, which allow you to combine targeted searches such as “name:python tactic:discovery”, which will return all TTPs with python in the name and classified as ATT&CK discovery.
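To make the filter syntax concrete, here is a small Python search routine added for this guide; it is not Operator’s own code. It applies the same “field:value plus free text” convention to a constructed TTP catalogue. The field names name, tactic and platform, the quoted-value handling, and the catalogue entries are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ttp:
    name: str
    tactic: str
    platforms: tuple


# Constructed sample catalogue; these are not Operator's real TTPs.
CATALOGUE = [
    Ttp("Find AWS credentials", "credential-access", ("linux", "darwin")),
    Ttp("Enumerate users with python", "discovery", ("linux", "darwin", "windows")),
    Ttp("Python reverse DNS lookup", "discovery", ("linux",)),
    Ttp("Dump browser passwords", "credential-access", ("windows",)),
]

# Fields a "field:value" prefix may target (assumed for this example).
FIELDS = {"name", "tactic", "platform"}

# One token: an optional "field:" prefix, then a quoted string or a bare word.
TOKEN = re.compile(r'(?:(?P<field>[a-z]+):)?(?P<value>"[^"]*"|\S+)')


def parse_query(query):
    """Split 'name:python tactic:discovery free text' into
    ({field: [values]}, [free-text terms]). Matching is case-insensitive."""
    constraints = {}
    free_terms = []
    for m in TOKEN.finditer(query):
        value = m.group("value").strip('"').lower()
        if not value:
            continue  # an empty quoted string ("") constrains nothing
        field = m.group("field")
        if field in FIELDS:
            constraints.setdefault(field, []).append(value)
        else:
            # No prefix, or an unknown one: treat the whole token as free text.
            free_terms.append(m.group(0).lower())
    return constraints, free_terms


def matches(ttp, constraints, free_terms):
    """All field constraints must hold (AND); free text matches name or tactic."""
    for field, values in constraints.items():
        if field == "platform":
            haystacks = [p.lower() for p in ttp.platforms]
        else:
            haystacks = [getattr(ttp, field).lower()]
        if not all(any(v in h for h in haystacks) for v in values):
            return False
    for term in free_terms:
        if term not in ttp.name.lower() and term not in ttp.tactic.lower():
            return False
    return True


def search(query, catalogue=CATALOGUE):
    """Return the names of catalogue entries matching the query, in catalogue order."""
    constraints, free_terms = parse_query(query)
    return [t.name for t in catalogue if matches(t, constraints, free_terms)]


if __name__ == "__main__":
    for q in ("password", "AWS", "name:python tactic:discovery", 'name:"reverse dns"'):
        print(f"{q!r:40} -> {search(q)}")
```

Filter terms are ANDed, so adding a second prefix only narrows the result, which is the behaviour the “name:python tactic:discovery” example in the text relies on.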
Time to run a chain. I’d suggest you start with File Hunter, which is a simple multi-platform chain that locates files modified in the last 24 hours and copies them to a staging directory. Read about this chain here. Search for “Hunter” to locate this chain.
Selecting it will show this view:
Each TTP in the chain is shown as a row, which you can click to open and view/modify the commands.
On each row you can:
Remove the TTP from the chain
Split out the variants - or different ways to execute the chain - so you can include/exclude commands for various operating systems.
Enable/disable destructive TTPs (if applicable). Destructive TTPs are those that cause a potentially harmful effect on the computer. These won’t run by default and you have to manually enable them here.
Change what you see: view the TTP by name (default), identifier, ATT&CK classification or dependencies (some TTPs have prerequisites).
A few other options here allow you to:
Force the order of the chain, so it will run in the exact order you define. By default, Operator decides the order to run it in.
Save-as to create a new chain.
Delete the chain. If you do this to a built-in chain (one from Prelude) it’ll regenerate.
Note the gear icon next to the DEPLOY button. This opens an advanced deployment area where you can choose how you want to deploy the chain.
Finally, let’s click the deploy button - this will launch the chain immediately against the agent you’re viewing.
Step 4
As the chain executes, each result appears as a row on the canvas. Click a row to see the details: the command executed, its response, and the indicators of compromise (IoCs) parsed from that response.
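The IoC parsing step is worth seeing in code. The following Python is an example added for this guide, not Operator’s implementation: it pulls URLs, IPv4 addresses, SHA-256 hashes and file paths out of a command response so a detection team can compare them against what the SIEM recorded. The two sample responses, including the file names, hashes and the TEST-NET address, are constructed for the example.

```python
import ipaddress
import re

# Constructed sample responses, loosely modeled on what a file-staging
# TTP might print. None of these values come from a real run.
SAMPLE_UNIX = """\
[+] staging dir: /tmp/.staging
copied /home/alice/notes.txt (sha256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08)
copied /home/alice/.aws/credentials (sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
connection to http://198.51.100.7:8080/upload
"""

SAMPLE_WINDOWS = r"copied C:\Users\bob\Documents\plan.docx (sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)"

URL_RE = re.compile(r'\bhttps?://[^\s"\'<>)]+')
SHA256_RE = re.compile(r'\b[A-Fa-f0-9]{64}\b')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# A Unix path must not be the tail of a URL or another path component.
UNIX_PATH_RE = re.compile(r'(?<![\w:/])/(?:[\w.\-]+/)*[\w.\-]+')
WIN_PATH_RE = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s"\']+\\)*[^\\\s"\']+')


def extract_iocs(text):
    """Return {'url', 'ipv4', 'sha256', 'path'} -> sorted, de-duplicated indicators."""
    iocs = {"url": set(), "ipv4": set(), "sha256": set(), "path": set()}

    iocs["url"].update(URL_RE.findall(text))

    # Keep the host of a URL as an IPv4 indicator in its own right.
    for cand in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(cand)  # rejects octets above 255
        except ValueError:
            continue
        iocs["ipv4"].add(cand)

    # Blank out URLs so "/upload" and the host are not re-reported as paths.
    scrubbed = URL_RE.sub(" ", text)
    iocs["sha256"].update(h.lower() for h in SHA256_RE.findall(scrubbed))
    iocs["path"].update(UNIX_PATH_RE.findall(scrubbed))
    iocs["path"].update(WIN_PATH_RE.findall(scrubbed))

    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    for label, sample in (("unix", SAMPLE_UNIX), ("windows", SAMPLE_WINDOWS)):
        print(label)
        for kind, values in extract_iocs(sample).items():
            print(f"  {kind:7} {values}")
```

Hashes are normalized to lower case before de-duplication so the same file reported by two agents collapses to one indicator, and candidate IPv4 strings are validated rather than trusted from the regex alone, which keeps version strings and malformed octets out of the SIEM feed.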
If you have an Enterprise account, you can additionally - and automatically - publish these results to your SIEM.
And that’s it! Now you can deploy agents throughout your network (connecting them to your Headless app), run chains against them and track results from either Operator or your SIEM.