 Hi everybody, I'm David Hunt. Today I'm gonna be giving a tool demonstration about Prelude operator, the command and control center that allows you to quickly run security assessments on your network, on your servers, or even on user behavior of people within your network. By way of introduction, I'm the CTO here at Prelude Research, where I lead the team building the operator platform. Before Prelude, I spent a couple of years at MITRE Corporation here in Washington, D.C. May be familiar with some of the work that I did, where I built and designed the Calvary framework, which is an autonomous adversary emulation platform fully open source and available on GitHub. Before MITRE, I spent a couple of years at places like FireEye, John Deere, Rockwell Collins, variety of other defense contractors, places within the IC, as well as the consulting and the research spaces. Most of my career has been spent on the offensive security side, although I've kind of interwoven some system administration, some software engineering, and a little bit of defensive security, depending on the role and the scenario that I was in. All right, let's dive right into the Prelude operator and get to know this tool. All right, to get started, we're gonna go to the prelude.org website and head directly to the download page. From here, we can go ahead and download the operator platform for whichever operating system that I wanna use. At this point, you're able to install operator the same way you would any other desktop application. When you open operator up for the first time, you'll be greeted with a login page that asks for your email. Go ahead and enter that in. That will fire off an access token to your email so you can prove that you are, in fact, the owner of that address. I'll go ahead and grab that now. All right, your authentication token will only be valid for 10 minutes, so make sure you use that pretty quickly. Once you log in, you'll be greeted with a dashboard. From here, you can get familiar with the different components that make up your command and control center. So before we dive into those components, let's take a quick second and describe exactly what this platform is intended to do. So operator is a C2, which is a command and control center, which allows you to run anywhere from fully autonomous to fully manual red team operations or penetration tests. What this allows you to do beyond just the offensive security testing buzzword, it allows you to test whether your defenses are appropriately configured. It allows you to test your user's behavior, the employees within your network. Are they behaving correctly on their computers? As our users are traditionally one of the biggest vulnerabilities within an organization. It also allows you to test the networks, the servers, the privileges, the configuration, the implementation of the different defenses. Is your antivirus working? Is your EDR configured appropriately? And so on and so forth. Operator is not a vulnerability scanner. It's not an antivirus. It is a tool for offensive security minded people to run security assessments. Okay, to get started, let's go ahead and minimize this top pain. So it give me a little bit more screen real estate. The first thing that you'll notice is a blinking green dot down here. This is meant to dry your eye in. And when I click it, it will show me a training flag that I should capture in order to get to know the system better. So you'll notice, as you kind of navigate through the different sections of operator, that there are training flags in the bottom right that are not yet captured. These are introduction flags that will teach you how to get the most out of operator. So the green one is the one you should start with. This will kind of encourage me and teach me how to run my first operation. So it'll start by introducing the terminology, understanding things like what is a TTP? What is an adversary? Which is a collection of TTPs? What is an agent or a remote access Trojan? And then finally, what is an operation? Essentially the process of taking an adversary and sending it to a collection of your agents to execute test your security. So this will teach you that it'll give you a variety of resource links that you can use for supplemental information. I'll close this for now, capture that later. And you can see that there's a variety of other training flags down here that I have yet to capture. I'm going to start by looking up here at the selected adversary. I can do one of two things. I can take one of our existing off-the-shelf adversaries that will have a chain of TTPs that work together that I can just build and deploy immediately. So I'll click this and this will build a two-ability adversary that according to the name, will capture screenshots on the target. Alternatively, I can click this plus button up here in the dock, which will create a blank canvas, a new adversary that I can fill in. I will call this one Hacker One. This has no procedure. So this one is prompting me to add procedures. I'll come back to that. Off to the left-hand side, I can see that I have currently selected my home computers. This is my range. This will show all of the computers that I have access to, that I have compromised on target. So operator ships with a single agent inside of your home range, which is named after your host name of your computer. So I can see that here that there are zero executing TTPs with nothing queued up. And I can see the last time it checked in was at 1620, just a few minutes ago. And it is using a pretty default encryption key in order to communicate between operator and itself. So if I click into the agent, I can see essentially the log of what occurred during this agent with a variety of options up here in the top right on the dock, which I'm able to do against that agent. Whenever I deploy an agent, sorry, whenever I deploy an adversary, the adversary will be sent to any of the agents that I currently have selected in my left-hand column here, which is currently home. All right, I think we have enough information for us to get started and see what kind of power operator has behind it. So let's go back to our hacker one adversary and TTPs to it. See that we have zero TTPs currently attached to this adversary. But what view that we're in now is essentially a library for procedures that we can use in order to add or remove any attacks that are built into the system to this specific adversary profile. I can search for them up here. I can select based off of procedure tags, which are essentially categories of attacks. Or I can show a change log of the new ones that have been pushed into operator over various time periods. There's about 400 procedures that are currently built and baked into operator. So you can use these across the whole spectrum of MITRE attack tactics and techniques and so forth. We're gonna go ahead and set up the tag to limit the 400 or so procedures currently in my view. We're gonna look at the crown jewel procedures. So crown jewels are going to be the important things on a computer network or a server, essentially the important things that an organization has or has access to that they do not want attackers to find. So by selecting this tag, we're able to see a variety of procedures that are connected or allow us to locate, find, steal, exfiltrate the crown jewels off of a computer or a network. So as I scroll down, note that every TTP is stored inside of one of these boxes. So this here represents a procedure. Every procedure is classified according to the MITRE attack matrix, has optionally tags. And then it's going to show you, aside from a name and description, it's gonna show you every operating system. We call this platforms that the procedure will work on. And then every executor, essentially the program on the target computer that the agent is running, that will execute the command. So for example, this Darwin, which is ascended in for Mac OS is going to run a shell command, which is this tar. Similarly, this works on Windows and PowerShell and Linux and Shell. So you can mix and match these different platforms and executors. Let's go ahead and add this procedure to hacker one. Scrolling down. Let's go ahead and add a few more. We'll add finding files on removable media. We'll add staging collected files, which is the process of copying a file from one location on a computer to another location. Go ahead and add admin shares, we're getting those. All right, let's go ahead and add this multiple windows, multiple executors on this Windows command. Let's go ahead and add creating a new directory. Now let's say that I am unsure about what one of these does. As far as a procedure, what do I would expect? Why would I want to do this? I can go ahead and select the training manual. And what this is going to do is it's going to pop open a verification, a flag for me to capture that may be easy, maybe hard, but it's going to show me all the different variations of this given procedure. It's going to show me a hacker's perspective, which is why they care about doing this in the first place. Basic variations that a hacker may attempt to do, what they expect to get out of this with links to additional procedures, how you could change, this is powerful, how you could change this given procedure to others within the system, and then how a defender may prevent and detect this. So I'll go ahead and say I understand this procedure, capturing that right now. Now, this is content that is developed in-house. We spend significantly more amount of time between us here at Prelude and people within the open source community that are constantly adding in new training flags and new material from our point of view on what procedures do and why we actually execute them from the offensive side. All right, let's go ahead and additionally add finding of recent files. This is a handy procedure that will locate every file that has been modified in the last 24 hours and just collect it. And finally, let's go ahead and add a procedure for exfil trading, anything we find off of the target systems. Now, one thing I'll highlight in this procedure is the concept of variables. So you'll see this syntax here. It's a hashtag and curly braces with a variable name inside of each one. So this command uses multiple variables. Now, generally you don't have to worry about these unless you're doing some advanced work with an operator to form your own chained attacks. But what's actually occurring here is as operator executes commands, essentially adversaries, it is learning information and chaining the output of some TTPs to the input of other TTPs. So it creates an autonomous chain that allows you to essentially take a whole bunch of procedures, toss them into a bucket, and then operator will take care of how does it order them, how does it chain them, how does it figure out intelligently what to do and when. And so operator will take that process on itself. You can jump in manually and add your own variables and add your own essentially manual control, but that is an optional thing if you feel comfortable doing so. All right, let's go ahead and take hacker one for a test drive. So we can see we have seven abilities and we have currently selected our home computers. Let's go ahead and deploy hacker one. All right, we can see that this agent is currently most of the way through the operation, has nothing queued up and it is currently executing a single TTP. There it went, it finished. It skipped a handful of the procedures over here so I can see those here. Otherwise everything that executed is gonna show up here on my dashboard. There are 33 procedures. We gave it seven TTPs, but it did execute 33 things there over the course of 30 seconds or so. Up here we can search for anything that we want to look for inside of the results. Maybe we're looking for certain usernames, email addresses, IOCs, whatever. As I scroll down, I'm gonna start at the bottom actually. So I'll use the scroll bar to the bottom. This is time-based. So the first thing that executed will be at the bottom. You can see it started by creating a new directory. We'll click here. So starting at the top, you can see the TTP command that ran. You can see the output as if you had just opened up the terminal on this given Mac book and using shell, executed this command, you would have gotten this output. Now we use our autonomous parsing and chaining commands together in order to pull out these indicators of compromise. I can see here it tried to identify this given output as a directory and a file. I know this is a directory using my human eyes. So I'm going to X out the file, removing that learned information. I'm overriding it. And I can still see the fact that I learned this one piece of information actually unlocked my ability to run a number of other procedures that are loaded into my instance of operator that I could run anytime I want. Closing this, I'll look at the second thing that ran, which is finding recent files. All right, here we go. I can find a variety of files, including video cuts that I've been taking this afternoon that it has located and deemed that these are important enough to show me. Scrolling down, I can see that it harshed out all of the files as a learned indicators of compromise, storing them as files that were found by running a T10L5 procedure. Now I can see that all of these files could be used to link me to staging collected files or even encrypting the files if I was running maybe a ransomware test. Moving up, I can see that there are a number of stage collected files commands that executed, likely one for every found file. I can see that the last two steps were successful. One was compressing the stage directory and then the last one was collecting or stealing the compressed stage directory from the target and sending it back to me on my command and control center here on operator. So I can open this up and I can see the curl statement that because I'm running everything local host, the IP address is local host, but it sent it over my HTTP server that's built into operator and it forwarded over uploading the file. So this is now in my control. All right, let's say it's time to run a network test off of my computer. I want to run it on an external computer, something else within my network, but not on my local host, natural security assessment. To do that, I'm gonna head over into operator's plugin section. And this is where we allow you to write your own extensions to operator. We shift with about a dozen plugins that do things from like importing atomic red team attack files to popping the attack navigator, the MITRE attack navigator right here on screen to things like a toolbox that tracks all of your GitHub projects. There's a bunch of different plugins here that add a significant amount of value, but we are going to kind of skip right over into the agent library and see what we have accessible. So the agent library is going to show me all of the agents that I can use associated to operator. You can write your own agents. This is an open framework. You can write an agent in any computer language you want and attach it over the interface over a number of different protocols, HTTP, TCP, UDP, FTP, GRPC, and a variety of additional protocols that we're working on. Third eye is the default agent. This is the name of the default agent for the built in agent that's in everybody's operator. This is the one that we ran our just last test on. NUMA is our default open source agent. You can go to GitHub, search for NUMA on our repositories. You'll find the going code up there. You can compile it yourself, read the code, change the code. You see this one will work over four different protocols and we give you pre-compiled binaries right here that you can download or you can download the source code if you don't want to head to GitHub. I'll go ahead and download Darwin. All right, have that downloaded. These file hashes for the downloads, by the way, are pre-compiled but they recompile every 30 minutes in order for them to get a different file hash. So your signature detection on the defensive side may struggle to catch them because they're constantly changing themselves to avoid detection. All right, since I downloaded NUMA, I'm going to open a shell, head to my download directory and I will mark NUMA as executable first and then I will start it. Now when I start NUMA, I can give it an optional parameter. In this case, I'll just call it David and I can give it an optional range, which I will call mine. All right, I received a new agent beacon right up here. You can see that came in going back to operator. I can see that I have a new mine range. Now inside of the mine range, I can see David is checking in currently green connected over TCP, which is the default protocol that NUMA uses. If you use nothing else, it will choose TCP. Now I can go ahead and execute and deploy an adversary against this agent and I can deploy this anywhere on my network. As long as I have connectivity back to operator, I can put it wherever I want. Now I can also open a reverse shell to my TCP based agents. Just that quickly, this gives me a full fledged reverse shell that allows me to drop to root, allows me to open up them. I can do all sorts of cool things from this perspective. I can also open up the settings. Cool thing here though, is I can change the contact point for the agent. So TCP is the default that I connected to. I can switch that over to say UDP and update. And this will actually hot swap the protocol being used by the agent. So now I can see over here, I'm using a UDP connection protocol. So the next thing I'm gonna do is I'm gonna go into the editor section, which is our database of procedures. So you saw some of these procedures before within the operate section when I was deploying Hacker One. If I wanna get my hands dirty and start modifying procedures, creating my own, learning about how to write payloads and attach them to procedures, you're gonna head here into the editor section. From here, I can search for anything that I want. So we'll say maybe find, maybe I can locate those find recent files that I ran before. And I can view all the different variations of this given procedure. From here, I can edit anything that I want. I can see all the different dependencies and things that I could learn from running this given procedure, add executors. Regardless, at any point, I can take any of these procedures that would work on my operating system and I can deploy it. It's a quick way to test. So I can select my range. In this case, I'll choose my NUMA agent on my mind range and I'll deploy it. There we go. I can see a pretty similar result is when I ran the Hacker One average. Here is some of these procedures have payloads. These are optional. In this case, a payload is a Python file. If I click on it, it'll show me a generic path. If you remember from before, this is a variable. It'll get filled in automatically. Now a payload is any arbitrary file of any extension of any size that you wanna write, any kind of malware that you may want to test in a security environment and you can attach it to the procedure. Now when the procedure runs before it executes whatever command it has, it will download the payload associated to the TTP and expect it to be on disk before it runs the TTP. All right, this is quite the report. So this is going to show me the range of agents that I wanna look at. It's going to show me start and end times to filter my report. And that's gonna give me a visualization of every adversary that I ran and all of the procedures and kind of how they fit together in almost kind of a linear way as far as how the procedures were run. So I can see here, all of this is clickable. You can open up all sorts of views. I can see all of the operations which are essentially adversary deployments that ran. In this case, I ran one Hacker One, clicking this, it will show me all of the procedures that ran in order within the operation, their status and so forth. I can see the ability to export the report into a Word document, into JSON or CSV if I wanna do something programmatic with my data. This is a fun area. This is a continuous training lab. If you wanna think of it that way, there's a number of free and open source training programs that are available here. And you can kind of pick and choose what you want to learn and how you wanna approach the process. The very first thing that I point people to is the introduction training program. This program will teach you how to use operator. So this will take you through about two dozen, capture the flag style learning modules that will look kind of like this. You'll get a challenge. In this case, deploy any adversary against any range. You'll get context as to why this may be important. A gauge as far as how people view the difficulty of this supplemental resource information and then a place to enter your challenge answer and see if you are getting it right and if you capture the flag. Another popular program is the Pink Badge program. I'll click into this one. I can view the history of my flags by clicking the green. Now the Pink Badge program is geared toward InfoSec, geared toward people with little to no security knowledge or experience, but may be interested and in parallel technical areas such as IT or InfoSec. Now Pink Badge will take you through a three week course for the final projects and it will aim to append red team or offensive skills to somebody that works in the technical field. So we go through all the different things. What is an antivirus? What's EDR? These come with a lot of audio recordings that you can listen to. They come with again challenges that you need to do every week, sometimes multiple times a week. These usually run a couple of hours a week to accomplish everything that you need to to stay on track with Pink Badge, but this is a self-paced program that allows you to essentially beef up your skills if you don't have them. Go into the cloud plugin, which I haven't installed yet, so let me go ahead and do that. Done. All right, and this is going to prompt me to enter in either my AWS or DCP credentials. All right, we're ready. I'll go ahead and save those. Now back to the main cloud plugin dashboard. I have a variety of options here with the gateway selected first. So a redirector is actually a really powerful micro Winix server deployed in AWS. Inside your AWS is your credentials. And what it will do is it will create a connection between your operator instance on your desktop and that Winix server that it will provision for you via in a reverse SSH tunnel. And it will tunnel the connection as agents hit the redirector. It'll tunnel that connection back into your operator instance for you, kind of like Socat if you use to that or Netcat which you could use for this purpose, but it will take care of all of that for you and it will create a very simple way for you to accept internet beacons. Let's go ahead and start with the gateway. And let's go ahead and deploy. All right, success. My redirector is ready. Now in order to actually use it, I need to head back to the operate section and I need to go to the tunnel icon. Now I can see here that I have in orange meaning it's in the process of connecting. I can see that I have a host that has an EC2 address. Makes sense. That's where I deployed my redirector. And I am just waiting for it to go green in order for me to connect to it. All right, there we go. I was able to click on it, connect it. Now I have a tunnel open that is my reverse SSH tunnel between operator and this address. And head back to my local computer where I have NUMA running and redeploy NUMA. And this time I'm going to do it with I'll say the name of EC2 server. And the address will be what I copied and port 2323, which is the default TCP port. All right, received my new agent. So let's say we want to connect another external computer with an agent on it back to my operator. So not a local to local test. I'll stop my agent. I will head back to Cloud plugin where I will select a Winnick server to spin up. I will choose to drop a NUMA agent on it, pre-compromise it. And then I will select the default redirector which is the one that I currently have active. Let's go ahead and do that. All right, I have a new server being provisioned inside of EC2 right now. I can head over to the operator section. I can select my red computers. This is my old one. Let me go ahead and clean this one up for now. I gotta archive it. I'm gonna go ahead and delete it. I don't plan on using it again. And so what I'm doing now is I'm waiting for a beacon to come in for my newly provisioned Linux server. So let's give that just a minute. All right, there we go. We just got our beacon coming from an IP address in our EC2 space. So let's go ahead and check our ranges. I can see we have a new range called Cloud computers. And it looks like we have a green agent. Clicking on the agent, I can go ahead and open a reverse shell. I can look around, see where I am and treat it as if it were a compromised machine. I can go ahead and I can deploy an adversary against it. I can view all of my results. Kind of curious, what did it find for recent files on a newly provisioned EC2 machine? Authorize keys, that makes sense. Finally, I'm gonna highlight the operator support repository on GitHub, which is our active spot for support as an open source project. And it is our active spot for feature requests, bug reports or issues, a variety of tools that are open source that we make available, plugins that are open source you can import into your operator instance, even something called translators, which we made open source, which is the ability to extend the protocols that your operator instance will accept. So if you wanted to add DNS C2 or you wanted to add DNS over HTTPS, anything that you want to add here, maybe SSH, you can go ahead and create your own translator, use ours as examples. We even have example agents that go along with these. And we have readmes and guides and so forth that will kind of walk you through things that I showed today, but also some things I didn't show you today. I hope you enjoyed today's tool demonstration of preload operator. I encourage you to reach out to me anytime you want via Twitter. It's an easy way to get me at Private Ducky or also via the operator support GitHub repository. We're very active in communicating with everybody in the open source as we try to make a lot of what we do here available to you via open source and free tooling. Reach out anytime.