Prelude Operator should be run on a continuous basis, daily or weekly, depending on what your goals are. As an automated tool, you can hook Prelude Operator into continuous integration tools, such as Jenkins, to run as often as you’d like. This allows you to test much more frequently than manual red-teaming.
Prelude Operator was originally developed as a post-compromise tool, meaning it assumed you had already breached a network and established a foothold (agent). However, in modern versions of Prelude Operator, you can deploy a local agent and task it with initial access techniques pointed at remote systems. Doing so allows you to route your attacks through proxy hosts. For example, you can spin up an AWS EC2 server, deploy an agent on it, and connect that agent to your Prelude Operator desktop application. You can then task it with initial access commands, keeping the activity non-attributable behind the EC2 proxy.
We get this question a lot. The ATT&CK framework is a great classification tool, creating a common language for attackers and defenders to use - however, covering every box on the matrix does not mean you are protected. As such, we aim to cover procedures which are impactful and most commonly seen in the wild. Note that we focus on procedures, not the techniques above them. There are thousands of procedures for every technique, so covering a single one does not guarantee safety: we aim to create the procedures that will keep you safe.
There are several differentiating points in Prelude Operator:
Prelude Operator has been tested on as many as 1,500 endpoints simultaneously. However, this type of testing is strongly discouraged, as it is not representative of how adversaries actually work. One of our biggest goals is realistic emulation. As a hacker, you generally try to work through a network undetected, and establishing too many footholds in a network can be noisy and open you up to getting caught. It’s typically better to run agents on 3-5 computers and rotate these computers between tests.
Contrary to popular belief, Prelude Operator is actually primarily a blue-team tool! The goal of automated red teaming is to lessen the need for manual red-teamers. While offensive security experts certainly use Prelude Operator, our primary audience is blue-team or defensive-minded professionals looking to secure their networks.
No, Prelude Operator can actually run any type of command in any language. Essentially, if you can do something from behind the keyboard, you can easily have Prelude Operator replicate the same thing.
By default, Prelude Operator’s agent executes shell commands such as PowerShell, the Windows command prompt and bash, but it can easily be extended to execute commands in assembly, C, system calls, shellcode and more.
By default, Prelude Operator agents take several defensive evasion precautions, such as having the ability to compile on the fly with a different file hash each time. We also make it easy for users to write their own agents and connect them to Prelude Operator. These evasion techniques encourage defenders to look for the effects of commands, instead of the actual Prelude Operator binaries.
Antivirus programs (AV) primarily look for file signatures of known malware and flag or quarantine matching files. More advanced AV will also inspect browser traffic and warn about or block malicious websites.
Vulnerability scanners primarily check the versions of installed applications in order to identify known CVEs associated with those versions. This lets users identify when patches are available and software should be upgraded.
By contrast, Prelude Operator executes actions that a hacker is likely to attempt. Oftentimes, these are benign actions that an AV or vulnerability scanner is not going to catch - but combining benign actions can result in a malicious attack. A good example of this is scanning local files, looking for passwords the user may have jotted down in a text file.
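The two answers above make one detection point: an agent that is recompiled with a fresh hash defeats signature matching, so defenders should alert on what a command does rather than on which binary ran it. The following is an added illustration, not Prelude code or telemetry: it builds a handful of constructed process-creation events (hostnames, hashes and command lines are all made up), runs a hash-based check that knows only one build of the agent, and then runs a behavioural rule for the "search local text files for passwords" procedure the answer mentions. The hash check catches one event; the behavioural rule catches all three, regardless of which build issued the command.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One constructed process-creation record (not real EDR telemetry)."""
    host: str
    image_sha256: str
    command_line: str


def fake_sha256(label: str) -> str:
    """Stand-in for an image hash: hashing a build label gives each 'build' a distinct value."""
    return hashlib.sha256(label.encode()).hexdigest()


# Three runs of the same credential-file search, each from a freshly compiled
# agent build (different hash every time), plus one benign event as noise.
EVENTS = [
    ProcessEvent("ws-01", fake_sha256("agent-build-1"),
                 'cmd.exe /c findstr /si password *.txt *.docx'),
    ProcessEvent("ws-02", fake_sha256("agent-build-2"),
                 'cmd.exe /c findstr /si password *.txt *.docx'),
    ProcessEvent("ws-03", fake_sha256("agent-build-3"),
                 'bash -c "grep -ril password /home/*/Documents"'),
    ProcessEvent("ws-01", fake_sha256("notepad"),
                 'notepad.exe C:\\Users\\alice\\notes.txt'),
]

# The defender captured a sample of the first build only.
KNOWN_BAD_HASHES = {fake_sha256("agent-build-1")}


def detect_by_hash(events, known_bad=KNOWN_BAD_HASHES):
    """Signature-style check: alert only when the image hash is already known."""
    return [e for e in events if e.image_sha256 in known_bad]


# Behavioural rules keyed on the effect of the command, independent of the binary.
# The pattern below targets recursive, case-insensitive searches for "password"
# in files (findstr /s on Windows, grep -r on Unix).
BEHAVIOUR_RULES = {
    "credential_search_in_files": re.compile(
        r"(findstr\s+/s\S*\s+password|grep\s+-r\S*\s+password)", re.IGNORECASE),
}


def detect_by_behaviour(events, rules=BEHAVIOUR_RULES):
    """Return (rule_name, event) pairs for every command line matching a rule."""
    hits = []
    for event in events:
        for name, pattern in rules.items():
            if pattern.search(event.command_line):
                hits.append((name, event))
    return hits


if __name__ == "__main__":
    print("hash-based alerts:", [e.host for e in detect_by_hash(EVENTS)])
    print("behavioural alerts:", [(n, e.host) for n, e in detect_by_behaviour(EVENTS)])
```

The regex is deliberately narrow so the example stays readable; a production rule would be built from your own process-creation telemetry and tuned against legitimate administrative use of the same utilities.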
Mimic known threats to your organization by combining threat intelligence and continuous red teaming to emulate attacks.
Train yourself or your organization on real-world attacks using the first training platform integrated directly into an attack emulation platform. Perform attacks and learn how to stop them.
Prelude takes care of the complexity behind the scenes and delivers Operator as the first desktop application in autonomous red-teaming. Simple design and free to use, download it here.
New TTPs and training content added every week (and sometimes, daily). Stay up-to-date, automatically. Threat intelligence, adversary creation, TTPs and training content all updated within the desktop app.