What is Prelude Operator
A breakdown of the basic C2 components which make Operator hum
Are you a red, blue or purple teamer looking to assess security for your systems or networks? Are you a one-stop shop for Infosec in your organization? Or are you looking to do security research and need an easy way to replicate adversarial behavior?
Meet Prelude Operator.
Operator is an autonomous adversary simulation platform that makes red teaming more accessible. It allows you to quickly launch adversary profiles into any network you deploy agents on, make intelligent decisions about what to do next and will ultimately output what it was able to accomplish, along with security recommendations for what it found.
Before we get into the nitty-gritty of the technical, let's tour the core components that make up the platform.
Command and Control
The Operator desktop application itself is the command and control (C2) center. This is where you log in to conduct attacks, view existing or past attacks and interact with your deployed RATs.
It works like this:
Deploy agents on target computers
Build adversary profiles and deploy them against agents
Review your results and security recommendations
Remote Access Trojans
Operator comes pre-packaged with two RATs, otherwise known as agents.
The first is built into the desktop application and is called ThirdEye. This NodeJS agent is started and stopped with the desktop application (it’ll be named after your host name) and is a great utility for testing attacks locally without introducing external dependencies. ThirdEye communicates with the desktop app through a local TCP connection.
The second is an open-source agent called Pneuma. This Golang agent is written to be cross-compiled (to work on Windows, Linux and MacOS) and can communicate with the desktop app over TCP, UDP, gRPC or HTTP. Pneuma is also a natural TCP reverse-shell.
While Operator can be used to conduct initial access, its primary usage is as a post-compromise tool, meaning it starts attacking a system from the moment of breach. That said, there are a number of ways to execute initial access. One of the most familiar is phishing. Attach the Pneuma agent to an email and send it to a target, enticing them to double-click the file attachment to start it up, giving you a post-compromise state on their computer.
Operator is centered around the concept of adversaries. Adversary profiles are designed similar to a video game character; a profile is empty (except for a name and description) until you start giving it abilities.
In Operator, giving an adversary abilities means attaching procedures. In the Tactics, Techniques and Procedures (TTP) acronym, procedures are the actual executable attack, categorized under the technique (which is further categorized under the tactic).
For example, consider the credential access tactic. This tactic is the parent classification for any attacks which aim at extracting passwords (credentials) from a computer. Within this tactic, there are a number of techniques, which get more granular at describing exactly how an adversary would do this. Password Guessing is one technique, another is Brute Force, yet another is Keychain. Each of these techniques contains 1000s of possible procedures, or actual commands an attacker may try in order to fulfill the technique (and ultimately, the tactic).
In Operator, there are 50+ open-source TTPs (as of this writing) through the free Community repository. This should serve as a solid base for building your own procedures (and hopefully contributing some back to the project!).
Using TTPs, you can build a threat profile either designed after threat intelligence, or more effectively, structured after a specific threat (like ransomware) that you would want to understand your risk profile against.
When understanding your risk to a security event, it helps to understand the terminology. The most mixed up terms are asset, threat, vulnerability and risk. Here's a concise definition of each.
Assets are either people or property for your company. Assets could be employees. Or they could be your laptops, servers, databases, software or networking equipment.
A threat is anything that has the potential to - either on purpose or accidentally - damage an asset.
A vulnerability is a weakness in your assets which opens them up to the threat. Risk is your actual potential for the damage of an asset. A risk is the result of a threat exploiting a vulnerability.
A + T + V = R. That is, Asset + Threat + Vulnerability = Risk.
Results & Recommendations
Operator contains two levels of actionable results.
The first are the raw results themselves. As agents and C2 combine to launch attacks, the results are stored per agent and are streamed in real time to a dashboard, which you can view full details of the commands executed, the results, the PID, the status code, and more.
The second place to find results is on the reporting dashboard. This dashboard compiles results across all your agents, giving you a machine-generated summary of your operations, filtered by range (of agents) and start/end dates. The dashboard also displays a breakdown of your operation(s) by ATT&CK tactic.
Beyond what happened during a specified time period, Operator also provides you with recommendations, which are machine-learning generated based on the various emulations you have exercised. More on this in a later post, but for now consider the fact that Operator will show not only what occurred, but what you can and should do about it.
In our next post, we'll walk through how to install Operator, along with the considerations we made while designing the registration and log in process.