diff --git a/docs/about/machine-details.md b/docs/about/machine-details.md
index 7bf8d3c..1827c38 100644
--- a/docs/about/machine-details.md
+++ b/docs/about/machine-details.md
@@ -1,14 +1,14 @@
# Node Details
This section provices details on each node and what surface area is available. So just what is going on on each virtual machine?
-## Elastomic
-The "`elastomic`" node is the first and only _required_ node, and is the crux of the entire project. It's essentially a "Purple Teaming" control box that is used to **both** _execute attacks and capture logs of those attacks_.
+## Elastic
+The "`elastic`" node is the first and only _required_ node, and is the crux of the entire project. It's essentially a SIEM that is used to capture logs of attacks carried out by the red box `redops`.
#### Features
* Elasticsearch
* Kibana
-* Atomic Redteam UI
+* Prelude Operator UI
* Powershell
#### Enabled Services
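Review bot: the `+* Prelude Operator UI` entry under `#### Features` of the `elastic` node contradicts the rewritten sentence three lines above it, which now says attacks are "carried out by the red box `redops`"; every other file in this change (functions-check, initial-access, the new Redops section below) launches `Operator.appimage` on `ts.redops`, so this feature line should move to the Redops section or be dropped here. The same sentence still calls `elastic` "the first and only _required_ node" while making `redops` the box that runs the emulation, so say which node is required for what. The unchanged context line above has the typo "provices" (provides); worth fixing while this section is being edited.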
@@ -60,4 +60,19 @@ The intent of the `ts.centos7` box is emulate hosting the typical services hoste
* Rsyslog
* Samba
+## Redops
+
+The intent of the redops box is a Red Team box that is used to execute attacks against the victim machines.
+
+#### Features
+
+* Built from Debian 11 ISO
+* One user `vagrant`
+* All updates applied during build process
+* Includes VM guest additions
+
+#### Enabled Services
+
+* Prelude Operator
+
> More details on the usage of each tool can be found in the [Tool Usage Section](https://docs.thremulation.io/tool-usage/).
\ No newline at end of file
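Review bot: `+The intent of the redops box is a Red Team box that is used to execute attacks` reads awkwardly; suggest "The redops box is the Red Team box used to execute attacks against the victim machines." Under `+#### Enabled Services`, `Prelude Operator` is a desktop application the user starts by hand (the functions-check page has them run `~/Desktop/Operator.appimage`), not a service enabled at boot, so either list it under Features or note that it must be launched manually. The file still ends without a trailing newline.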
diff --git a/docs/about/overview.md b/docs/about/overview.md
index 3855a79..7d8e33c 100644
--- a/docs/about/overview.md
+++ b/docs/about/overview.md
@@ -1,5 +1,5 @@
# Overview
-
+(Image below needs updated)
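Review bot: `+(Image below needs updated)` is an editor's reminder being committed into the published page (and again in the Workflow section of this same file); either swap in the refreshed image (the `threm-operator-range.png` added in this commit looks like the intended replacement) or track the image refresh in an issue instead of shipping the placeholder. If it has to stay, "needs updating" is the correct form.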
@@ -25,6 +25,7 @@ This project has many practical use cases, and we're excited to see how it's use
## Workflow
Let's look at an overview of the mini-range and demonstrate a basic exercise workflow.
+(Image below needs updated)
@@ -32,10 +33,10 @@ Let's look at an overview of the mini-range and demonstrate a basic exercise wor
-1. Access the `ts.elastomic` control box interfaces
+1. Access the `ts.elastic` control box interfaces
1. Choose your target host (currently windows10 or centos)
2. Launch either a prebuilt threat tactic / technique or your own custom
-3. Victim machines report back to `ts.elastomic` where artificacts can be observed
+3. Victim machines report back to `ts.elastic` where artificacts can be observed
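Review bot: `+3. Victim machines report back to `ts.elastic` where artificacts can be observed` keeps the typo "artificacts" (artifacts) even though the line is being rewritten; fix it here. The list in this hunk is numbered 1, 1, 2, 3; Markdown renderers usually renumber, but 1, 2, 3, 4 avoids surprises with those that don't.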
diff --git a/docs/about/requirements.md b/docs/about/requirements.md
index 6133712..823057b 100644
--- a/docs/about/requirements.md
+++ b/docs/about/requirements.md
@@ -15,15 +15,18 @@ Bottom line: this project should provide a usable range on a _relatively modern_
The listing of resources allocated to each virtual machine are listed below (note that virtual cpus == threads):
-- Elastomic:
+- Elastic:
- virtual memory = `4G`
- virtual cpus = `2`
-- Elastomic:
+- Windows:
- virtual memory = `2G`
- virtual cpus = `2`
-- Elastomic:
+- Centos7:
- virtual memory = `1G`
- virtual cpus = `1`
+- Redops
+ - virtual memory = `2G`
+ - virtual cpus = `2G`
These values are certainly tunable, but this is a good starting point. All details can be found in the [Vagrantfile](https://github.com/thremulation-station/thremulation-station/blob/devel/vagrant/Vagrantfile).
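Review bot: `+ - virtual cpus = `2G`` gives the CPU count a memory unit; it should be `2`, matching the other nodes and the parenthetical "virtual cpus == threads" above. `+- Redops` is also missing the trailing colon that the other node entries have. Since the next line says these values mirror the Vagrantfile, please confirm the `redops` definition there actually allocates `2G` / 2 vCPUs.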
diff --git a/docs/community.md b/docs/community.md
index 577924b..a02fbfc 100644
--- a/docs/community.md
+++ b/docs/community.md
@@ -1,10 +1,10 @@
# Community
## Discord
-There are several ways to connect with the project community whether that's for support, contributing content, or just learning from other infosec nerds. The primary method should be [Discord](https://discord.gg/mtNXN4QjHh)!
+There are several ways to connect with the project community whether that's for support, contributing content, or just learning from other infosec nerds. The primary method should be [Slack](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw)!
!!! info "Info"
- Discord server invite URL [https://discord.gg/mtNXN4QjHh](https://discord.gg/mtNXN4QjHh)
+ Slack invite URL [https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw)
## Getting Connected
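Review bot: the Slack `shared_invite` URL (`zt-urwtghsh-...`) is being hardcoded three times (both lines in this hunk and again in contribution.md); Slack shared-invite links can expire and be rotated, at which point every copy goes stale and needs a docs commit. Consider a single permanent invite, or a redirect under the project's own domain that the docs link to, and keep one copy in the info box rather than repeating the full URL inline.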
diff --git a/docs/contribution.md b/docs/contribution.md
index e928c0a..bfc44ba 100644
--- a/docs/contribution.md
+++ b/docs/contribution.md
@@ -17,7 +17,7 @@ Please create an Issue the proper repository:
### Community
-Please join the [Discord](https://discord.gg/fdNjAbHyHz).
+Please join the [Slack](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw).
### Email
diff --git a/docs/images/operator-mimi.png b/docs/images/operator-mimi.png
new file mode 100644
index 0000000..c5f02f7
Binary files /dev/null and b/docs/images/operator-mimi.png differ
diff --git a/docs/images/threm-operator-range.png b/docs/images/threm-operator-range.png
new file mode 100644
index 0000000..9840236
Binary files /dev/null and b/docs/images/threm-operator-range.png differ
diff --git a/docs/index.md b/docs/index.md
index 6b6ae4f..6b9983a 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -23,7 +23,7 @@
-Thremulation Station is an approachable small-scale threat emulation and detection range. It leans on Atomic Red Team for ***emulating*** threats, and the Elastic Endpoint Agent for ***detection***.
+Thremulation Station is an approachable small-scale threat emulation and detection range. It leans on Prelude Operator for ***emulating*** threats, and the Elastic Endpoint Agent for ***detection***.
!!! info "TL;DR"
If you're ready to skip the reading and jump into things, head to the [Quickstart / Installation](https://docs.thremulation.io/quickstart/installation/) section.
@@ -35,8 +35,7 @@ There are a lot of tools and moving pieces, but the main building blocks are:
- Elasticsearch
- Kibana
- Elastic Endpoint Agent
-- Atomic Red Team
-- Caldera
+- Prelude Operator
## Project Goals
diff --git a/docs/quickstart/deployment.md b/docs/quickstart/deployment.md
index 49849dc..1f33b8b 100644
--- a/docs/quickstart/deployment.md
+++ b/docs/quickstart/deployment.md
@@ -18,7 +18,7 @@ Thremulation Station comes with a terminal control interface called `stationctl`
- check the status of a current range
- management tasks on a current range
- reloading / rebuilding boxes
- - data reset (clearing indexes)
+ - data reset (clearing indexes, clearing alerts/signals)
- various troubleshooting steps
@@ -58,7 +58,7 @@ A "deployment" consists of selecting the nodes (VMs) you want, downloading them,
#### Quick Deployment
-A Quick Deployment is the first and fastest option. It enables all VMs included in the range, meaning the control machine, a Windows10 workstation, and a Linux server.
+A Quick Deployment is the first and fastest option. It enables all VMs included in the range, meaning the attack machine, the data collector/SIEM, a Windows10 workstation, and a Linux server.
@@ -85,7 +85,7 @@ A Quick Deployment is the first and fastest option. It enables all VMs included
#### Custom Deployment
-A custom deployment works generally the same way as quick one, but provides you the option to choose what target VMs to deploy alongside the control (ts.elastomic) box.
+A custom deployment works generally the same way as quick one, but provides you the option to choose what target VMs to deploy alongside the data collector, (ts.elastic) box.
##### Example:
A great usecase for this would be if you're _very_ limited on hardware resources, and you only intend on emulating and detecting threats against a linux server. You have the flexibility to say (N)o to Windows and (Y)es to Linux, which would look like so:
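Review bot: `alongside the data collector, (ts.elastic) box` has a stray comma before the parenthesis; suggest "alongside the data collector (`ts.elastic`) box", with the hostname in backticks as the rest of these docs do. "the same way as quick one" should read "as a quick one" while the line is being edited. Because the Quick Deployment text above now lists the attack machine separately, this paragraph should also say whether `ts.redops` is always deployed in a custom deployment or is one of the selectable targets.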
diff --git a/docs/quickstart/functions-check.md b/docs/quickstart/functions-check.md
index 2df67b1..9e5d026 100644
--- a/docs/quickstart/functions-check.md
+++ b/docs/quickstart/functions-check.md
@@ -12,40 +12,86 @@ Now that all VMs are up and running, let's validate that everything is working a
This functions check will demonstrate a general workflow using some of the major tools available, as well as validate that all nodes are communicating corectly.
-1. From your terminal run $ `vagrant ssh ts.elastomic` to establish as shell session on the combo logger / attacker box. Your prompt will update to indicate you're connected to the elastomic box.
+1. From your terminal run $ `vagrant rdp ts.redops` to establish an RDP session on the attacker box. Your prompt will update to indicate you're connected to the redops box.
-1. Then, enter `pwsh` to drop into a Powershell session. Now it is time to choose what test or attack you would like to run against the remote Windows 10 box. You'll see your prompt change to `PS /home/vagrant> `.
+2. Then run `./Operator.appimage` on the Desktop or run `~/Desktop/Operator.appimage` and accept the TOS. Operator can be used with a paid Pro/Enterprise account but by default will be set up with a Community account.
-1. You can browse the available tests by referencing the [Atomic Redteam Docs](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md).
+3. You can browse the available Community tests/TTPs as well as everything available to the community by referencing the Community repo here: [Prelude Community TTPs](https://github.com/preludeorg/community/tree/master/ttps) You can also reference additional TTPs that be added such as Atomic Red Team at [Atomic Redteam Docs](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md).
-1. For this demonstration we will conduct a simple example technique and test. It will use Powershell to download [Mimikatz](https://github.com/gentilkiwi/mimikatz) and then dump credentials on the system. More info about this specific technique and test can be found here: [T1059.001 TestNumber 1](https://attack.mitre.org/techniques/T1059/001/)
+4. For this demonstration we will conduct a simple example technique and test. It will use Powershell to download [Mimikatz](https://github.com/gentilkiwi/mimikatz) and then dump credentials on the system. More info about this specific technique and test can be found here: [T1059.001 TestNumber 1](https://attack.mitre.org/techniques/T1059/001/)
-1. Before we can run this test ___against the Windows 10 box___ we first need to setup a Powershell Session over SSH to the Windows 10 box.
+1. Before we can run this test ___against the Windows 10 box___ we first need to RDP into the Windows box and start the Pneuma Agent for Operator. We can use `vagrant rdp ts.windows10` or manually RDP in.
+
+ !!! info "Info"
+ We could have the agent start when the lab is brought up by changing the last line in `download-pneuma-agent.ps1`. But by default, the agent is not running. If it starts by default, Establishing an RDP session or creating a new PSSession in Powershell will work. Details for each below.
+
+### RDP
+
+1. RDP into `ts.windows10` with `vagrant rdp ts.windows10`.
+2. Navigate to `C:\Pneuma` and double-click `start-pneuma.ps1`
+
+### PSSession (agent started)
+If you want to use PSSession and the agent is enabled, on either `ts.elastic` or `ts.centos`, follow the instructions below.
1. Create a necessary variable by running the below command. Enter "yes" and the password `vagrant` if prompted:
```powershell
- $sess = New-PSSession -Hostname 192.168.33.11 -Username vagrant
+ $sess = New-PSSession -Hostname 192.168.56.11 -Username vagrant
```
!!! info "Info"
What does this do? We are creating a variable called `$sess` and setting it's value to our new session we just created using the [New-PSSession](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.1) Powershell cmdlet.
-1. Take a moment to look at the syntax we're going to use to launch our "attack" against the remmote target (`ts.windows10`):
+### PSSession (agent not started)
+If you want to use PSSession and the agent is not enabled, on either `ts.elastic` or `ts.centos`, follow these instructions instead.
+
+1. Create a necessary variable by running the below command. Enter "yes" and the password `vagrant` if prompted:
```powershell
- Invoke-AtomicTest # Run Atomic Test
- T1059.001 # Technique ID
- -TestNumbers 1 # TestNumber
- -Session $sess # Connect using our session variable
+ $sess = New-PSSession -Hostname 192.168.56.11 -Username vagrant
```
-1. Run the following command to kick things off:
+2. Take a moment to look at the syntax we're going to use to start our session with the remmote target (`ts.windows10`):
```powershell
- Invoke-AtomicTest T1059.001 -TestNumbers 1 -Session $sess
+ Invoke-Command # Invoke cmdlet to start some binary/script
+ -FilePath # Define where the script lives
+ -Session $sess # Connect using our session variable
```
+3. Run the following command to kick things off:
+
+ ```powershell
+ Invoke-Command -FilePath C:\Pneuma\start-pneuma.ps1 -Session $sess
+ ```
+
+### Operator
+
+We should see our `ts.windows10` victim show up in our `thremulation range` in Operator. From here we can execute a TTP easily.
+
+1. Navigate to Editor and search for `PowerSploit Invoke-Mimikatz`
+2. Click `Deploy`
+
+
+
+
+
+
+
+
+
+3. Once you click `Deploy` you should see the following:
+
+
+
+
+
+
+
+Click `Deploy` once more!
+
+### Kibana
+
1. Once this is finished, go back to the Discover tab in Kibana: `http://localhost:5601/app/discover#/`
1. In the search bar type "`mimikatz`" and hit Enter. You should see results filtered to show the events matching the Mimikatz attack you just executed.
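Review bot: `+ Invoke-Command -FilePath C:\Pneuma\start-pneuma.ps1 -Session $sess` will not work as written: `-FilePath` reads the script from the machine where the command is typed (here `ts.elastic` or `ts.centos`, both Linux) and sends its contents into the session, so `C:\Pneuma\start-pneuma.ps1` does not exist where PowerShell looks for it. To run the script that already lives on the Windows box, use `Invoke-Command -Session $sess -ScriptBlock { & C:\Pneuma\start-pneuma.ps1 }`, and change the explanatory block above it (`-FilePath # Define where the script lives`) to describe the `-ScriptBlock` form. Other points in this hunk: the "PSSession (agent started)" section creates `$sess` but never uses it, and it is unclear why a session is needed when the agent is already running, so either say what it is for or drop the section; `ts.centos` should be `ts.centos7` to match the rest of the docs; the step numbering restarts several times (1 to 4, then 1, then 1, then 1 to 3); step 2 names `Operator.appimage` twice; "that be added" should be "that can be added"; "remmote" and, in the unchanged context line, "corectly" are typos. The `192.168.33.11` to `192.168.56.11` change should be checked against the Vagrantfile and any other page still on the old subnet.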
@@ -69,19 +115,10 @@ Clean logs -- clean mind right? While the data in Kibana is separated by the fac
!!! info "Info"
The term "target systems" refers to the `ts.windows10` and `ts.centos7` boxes.
-Most of (if not all) Atomic Red Team tests come with a cleanup command to clear your target system before executing another test.
-
-1. In order to cleanup our Mimikatz test we can run the same command we used to execute it this time with a `-Cleanup` option at the end.
-
-1. Run the following command to clean house:
-
- ```powershell
- Invoke-AtomicTest T1059.001 -TestNumbers 1 -Session $sess -Cleanup
- ```
#### Attacker / Logger System
-The "control" node that is used to perform all attacking and logging operations is the `ts.elatomic` box. We can use the `stationctl` CLI to perform a data reset. This will clear all existing Elasticsearch index data to wipe the slate clean. Station control should be executed from the vagrant/ folder, so ***ensure*** that you're in the right folder: `/vagrant/`.
+The "control" node that is used for logging operations is the `ts.elastic` box. We can use the `stationctl` CLI to perform a data reset. This will clear all existing Elasticsearch index data to wipe the slate clean. Station control should be executed from the vagrant/ folder, so ***ensure*** that you're in the right folder: `/vagrant/`.
1. You can perform a "Clear Data" operation with the following commands:
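Review bot: deleting the `Invoke-AtomicTest ... -Cleanup` steps leaves the Mimikatz walkthrough with no per-test cleanup; nothing now says how to undo the `PowerSploit Invoke-Mimikatz` TTP deployed through Operator, so the only remaining option is the full data reset / soft reset described below. Either document the Operator-side cleanup or state plainly that a soft reset is the cleanup. The heading `#### Attacker / Logger System` above the rewritten line still says "Attacker", while `+The "control" node that is used for logging operations is the `ts.elastic` box` now describes logging only; rename the heading to match (for example `#### Logger System`).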
diff --git a/docs/quickstart/initial-access.md b/docs/quickstart/initial-access.md
index f0f97f0..0a4f370 100644
--- a/docs/quickstart/initial-access.md
+++ b/docs/quickstart/initial-access.md
@@ -31,18 +31,20 @@ This provides some very valuable information on the status of our local range:
The environment is designed for users to interact with 2 primary interfaces:
-- Atomic Redteam - **execute** threats
+- Prelude Operator - **execute** threats
- Kibana WebUI - **detect** threats
-### Atomic Red Team
+### Prelude Operator
-This adversary emulation toolset is accessed by ssh'ing into the `ts.elastomic` box and starting up a powershell session.
+This adversary emulation toolset is accessed by rdp'ing into the `ts.redops` box and starting up `Operator.appimage` on the Desktop.
1. From the vagrant/ directory:
- - $ `vagrant ssh ts.elastomic`
-1. Start a powershell session:
- - $ `pwsh`
+ - $ `vagrant rdp ts.redops`
+1. Start Operator:
+ - $ `cd ~/Desktop`
+ - $ `./Operator.appimage`
+ - Click `Operator.appimage` and accept the TOS
### Kibana Web Interface
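Review bot: the new Operator steps mix two ways of launching it: `$ cd ~/Desktop` and `$ ./Operator.appimage` from a shell, followed by "Click `Operator.appimage`"; pick one (or write "or double-click it on the Desktop") so the reader does not try both. Since step 1 opens an RDP session with `vagrant rdp ts.redops`, the `$` prompts in step 2 are typed inside the RDP desktop, not in the host `vagrant/` directory as in step 1; worth saying so.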
diff --git a/docs/quickstart/installation.md b/docs/quickstart/installation.md
index 33bb11b..6961ea0 100644
--- a/docs/quickstart/installation.md
+++ b/docs/quickstart/installation.md
@@ -19,6 +19,8 @@ Let's kick the process off by installing the required software for your host pla
+**NOTE: The deployment may or may not work with macOS due to various issues with the ecosystem. Docs will be updated once we feel like it is reliable again. If you are feeling adventerous, try the below steps!**
+
=== "macOS"
We have used macOS for the lion's share of the development and testing of the project (and currently provides the most validated experience).
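Review bot: the new bold NOTE says the macOS deployment "may or may not work", but the unchanged sentence right below it still says macOS "currently provides the most validated experience"; update or remove that sentence so the tab does not contradict its own warning. Typo: "adventerous" (adventurous). The docs already use `!!! info` admonitions elsewhere; a `!!!` admonition would be more consistent here than a bold paragraph.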
diff --git a/docs/support/stationctl.md b/docs/support/stationctl.md
index 6a8ce16..a67bfd2 100644
--- a/docs/support/stationctl.md
+++ b/docs/support/stationctl.md
@@ -63,6 +63,7 @@ This menu will see some heavy use, and it's broken down into 2 sections:
### Data Reset and Troubleshooting
6. Clear Data - _delete data in all indexes_
-7. Soft Reset - _revert to original snapshots_
-8. Hard Reset - _destroy all vms_
-9. Nuke and Pave - _destroy all vms and boxes_
\ No newline at end of file
+7. Clear Alerts - _delete all open signals in the siem index_
+8. Soft Reset - _revert to original snapshots_
+9. Hard Reset - _destroy all vms_
+10. Nuke and Pave - _destroy all vms and boxes_
\ No newline at end of file
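Review bot: the renumbering to 7 through 10 in this hunk must match the option numbers `stationctl` actually prints, since users select by number; please confirm the script's menu was changed in the same commit. In `+7. Clear Alerts - _delete all open signals in the siem index_`, "siem" should be "SIEM", or better, name the actual index so readers know this targets the Elastic Security signals index and not a generic term. The file still ends without a trailing newline.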
diff --git a/docs/tool-usage/caldera-usage.md b/docs/tool-usage/caldera-usage.md
deleted file mode 100644
index 9c42cba..0000000
--- a/docs/tool-usage/caldera-usage.md
+++ /dev/null
@@ -1,386 +0,0 @@
-# Caldera Basic Usage Lab
-
-
-
-### Goals
-At the end of this lab you will be able to:
-
-1. Startup the Caldera server
-2. Understand and use the Caldera interface
-3. Configure and deploy a Caldera agent to a “victim” host 4. View and create adversary profiles
-5. Create and run an operation
-6. Hunt for operation activity in Kibana
-
-### Pre-Reqs
-
-Let's get set up for this lab:
-
-1. Vagrant up the elastomic and windows10 box:
-
- - `vagrant up ts.elastomic ts.windows10`
-
-2. Establish an RDP session with the windows10 box with the RDPclient of your choice, with the following data:
-
- ```
- host:192.168.33.11
- user:vagrant
- pass:vagrant
- ```
-
----
-
-## Startup
-
-Caldera comes pre-installed on the elastomic host, and is located in the /home/vagrant directory. In order to utilize it you only need to start up the Caldera server, so let’s do that.
-
-1. First ssh into the elastomic box with the following command: `vagrant ssh ts.elastomic`
-
-1. Once you are ssh’d into elastomic, move into the Caldera directory: `cd caldera`
-
-1. Start up the Caldera server by running: `python3 server.py — insecure`
-
-1. The server startup will take at most 30 seconds, after which we can validate by pointing your local browser to `http://localhost:8888`. You should see the following:
-
-
-
-
-
-
-## Interface
-
-- Now that we have our server running hosted locally, we can login and take a look around
-- Default credentials for your Caldera server are: `admin:admin`
-- After successfully logging in you should see the Caldera welcome page
-
-
-
-
-
-
-- Click on the hamburger menu next to navigate in the top left corner to dis play the different options Caldera provides
-
-
-
-
-
-
-- The primary menu options you will be concerned with are the Agents, Adversaries, and Operations sections.
-
-## Agents
-
-- We will start with the agents tab, so go ahead and click it
-
-
-
-
-
-
-- This tab allows us to configure, create, and deploy an agent on one of our “victim” boxes that will communicate back to our Caldera server where we can run our operations from.
-- Before we create our agent, lets explore some of the up front configuration options we have available
-
-#### Beacon Timer
-
-Beacon timer allows you to specify how long your agent will wait to check in and send back data. By default, these values are set to 30 and 60 which is fine. You may want to change these if you are emulating a specific adversary, or just trying to remain undetected from any hunting the defender may be doing.
-
-
-
-
-
-
-#### Watchdog Timer
-
-Watchdog timer lets you set the number of seconds to wait once the server is unreachable, before killing an agent.
-
-
-
-
-
-
-#### Untrusted Timer
-
-Untrusted timer sets the number of seconds to wait before marking a missing agent as untrusted.
-
-
-
-
-
-
-#### Implant Name
-
-The base name of newly-spawned agents. If necessary, an extension will be added when an agent is created e.g splunkd will become splunkd.exe when spawning an agent on a Windows machine.
-
-
-
-
-
-
-#### Bootstrap Ability
-
-Bootstrap ability is a comma-separated list of ability IDs to be run on a new agent beacon. By default, this is set to run a command which clears command history.
-
-
-
-
-
-
-- Now that we understand the available configuration options, lets go ahead and generate a new agent for us to deploy to our windows10 box
-- We are going to use the default values for this test, so go ahead and choose “click here to deploy an agent” button and you will see the following option
-
-
-
-
-
-
-- If you click the dropdown for “Choose an agent” you will see anumber of options
-
-
-
-
-
-
-- Each of these agents provide a brief description
-- The only two I have tested are "54ndc47" and "Manxagents"
-- For general purposes, use the 54ndc47 agent as it was developed directly for use with Caldera
-- Choose the 54ndc47 agent and select the “Allplatforms” dropdown to choose your OS
-- For this lab, we will choose windows for our windows10 host
-- For the app.contact.http field, you will supply the ip or url of your Caldera server: `192.168.33.10:8888`
-- Caldera generates a Powershell command to download and execute the Caldera GoLang agent on your windows10 host
-
-
-
-
-
-
-- Copy that command in full and lets go over to our windows10 RDP session
-- Open a Powershell prompt as administrator
-
-
-
-
-
-
-- Now, paste yourCaldera agent Powershell one-liner and hit enter to download and execute the agent
-- Once this is done, we can go back to our Caldera server GUI
-- Click the "x" in the top right corner of the agent selection box you were in, and you should now see an agent has checked into the Caldera server
-
-
-
-
-
-
-- Before we move on to emulating adversary activity, let's explore some of the information the agent provides us
-- As you can see if gives a uniqueagent id, the host, protocol, agent, process id, and if the agent is running in a privileged context or not.
-
-- But if we click on the green process id, we can see a lot more details
-
-
-
-
-
-
-- We have a much more detailed view of our agent to include parent process id, location of our executable, and the user we are running as
-- Wealsoaregiventheabilitytoeditcertainfieldsdenotedby*andkill our agent
-- Nowclickthexinthetoprighttoleavethisview
-
-
-## Adversaries
-
-- Select the hamburger menu in the top left of your screen and click the adversaries tab which will open and drop you down to the following screen
-
-
-
-
-
-
-- As you can see the adversaries tab, allows us to create our own custom profile (adversary) or view the profiles already created within Caldera
-- Let's take a look at a pre-made adversary profile so we can explore what makes up a profile
-- Click the “Select an existing profile” dropdown and select the Enumerator profile
-
-
-
-
-
-
-- Enumerator is the name of the profile
-- Enumerate Processes in all theways is a description of the profile
-- Beneath ordering you can see the choose TTPs and in what order they are to be executed
-- These are the basic building blocks of an adversary
-- Lets look at what one of these TTPs looks like up close
-- Click on the WMIC Process Enumeration block, andyoushouldseethe following screen
-
-
-
-
-
-
-- We can see everything about this specific TTP: unique id, name, description, tactic, technique id, and technique name.
-- Below the generic information, you can see what platform it is compatible with and what is being utilized to execute this technique
-- Scroll down further and you will see the command that is being executed, along with a cleanup command and timeout value
-- Now, click the "x" in the top right corner of the screen and we will create our own profile to execute on our “victim”
-- Under profiles, change the slider from "view" to "add"
-
-
-
-
-
-
-- I’m going to use the profile name of "Test" but you can use whatever name you like
-- Next, I will fill out a clear description e.g. “a set of TTPs for displaying Caldera’s functionality”
-
-
-
-
-
-
-- Let's add some abilities to our profile
-- Click the +add ability selector on the right side of your screen, which will pop up a familiar menu
-- Let's select a TTP: discovery tactic, T1007 System Service Discovery, and Discover System Services ability
-
-
-
-
-
-
-- If you scroll down, you will see the command being run is the Powershell cmdlet `Get-Service` executed by Powershell as evidenced by the psh executor
-- Click the green add to adversary button in the bottom left of the screen to add this TTP to our profile
-- You can see we now have added this TTP as the first step in our attack
-
-
-
-
-
-
-- I’ve added a second attack ability -- you can add as many as you wish, but for my purposes here this will be fine
-- Save this profile and move on to executing it with our agent on the windows10 box
-- Once saved, you will see "Adversary Saved"!
-
-
-
-
-
-
-
-
-## Operations
-
-- Scroll up and click the hamburger menu in the top left of the Caldera interface, and select the Operations tab to display the following screen:
-
-
-
-
-
-
-- There are currently no operations created, so clicking the“Operations” dropdown will not display anything... so let's create our own operation
-- Click the slider to change it from view to add
-- This allows you to specify a number of options in order to configure your operation successfully
-
-
-
-
-
-
-- I will name it "Operation Test"
-- Click Basic Options and we'll cover what this provides:
-
-
-
-
-
-
-- The first dropdown sets your group and by default all agents are added to the “red” group which is what I have selected
-- The second dropdown sets the profile you would like this operation to run. I have selected the Test profile I created earlier
-- The third dropdown sets the option to close this operation orleave it open for future execution. I have set this to auto close since this is a lab
-- The last dropdown sets the operation to run immediately after starting, or pausing for you to inspect it. I have set it run immediately
-- Click Basic Options to close it and click Autonomous
-
-
-
-
-
-
-- The first dropdown sets the operation to run autonomously or manually with approval of each TTP executed
-- The second dropdown sets which planner you will utilize to execute the operation. A planner is a module within CALDERA which contains logic for how a running operation should make decisions about abilities to use and in what order
-- The final dropdown sets the facts you will use during the operation. A fact is an identifiable piece of information about a given computer. Facts are directly related to variables, which can be used inside abilities
-- Now click "Autonomous" to close it and click on "Stealth"
-
-
-
-
-
-
-- The only dropdown here allows for you to select a number of obfuscation techniques to obscure the commands you run on the host system
-- The second field sets the jittervalue. Agents normally check in with CALDERA every 60 seconds. Once they realize they are part of an active operation, agents will start checking in according to the jitter time, which is by default 2/8. This fraction tells the agents that they should pause between 2 and 8 seconds (picked at random each time an agent checks in) before using the next ability
-- The visibility slider lets you set how stealthy your operation will remain. How visible should the operation be to the defense. This defaults to 51 because each ability defaults to a visibility of 50. Abilities with a higher visibility than the operation visibility will be skipped
-- Click Stealth to close it
-- Don’t click Schedule. Schedule allows for scheduling this operation for a later time, which we will not be doing in this lab
-- Now click start to begin you roperation and select include agent output
-
-
-
-
-
-
-- There is a lot here, but much of it is self-explanatory
-- The first option to note is the ability at the top of the screen to stop, pause, play, and skip the operation
-- Another option is the ability at any time to switch your operation from an autonomous to a manual one
-- Now we can see that our Discover System Services ability was executed on the host and since we enabled the inclusion of agent output if we can click the star at the end of the ability line we should be able to see the output from the command
-
-
-
-
-
-
-- Click the x in the top right corner to return to the operation screen
-- Congratulations!! You have successfully deployed an agent, created an adversary profile, created an operation and run that profile against a host.
-- Now, let's cleanup up the range environment
-
-## Clean Up
-
-- Normally you might want to save all operations and profiles you create, but in this instance we'll get rid of them so you can start fresh
-- First, we will delete this operation. Go ahead and click the green delete button located under download report which will revert your screen back to the original operations screen
-- Next, click the x in the top left corner of the operations tab to remove it from your interface
-- You should now be on the profiles tab which you can do the same thing in. Click the green delete profile button, click ok and then the red x in the top left hand corner
-- For the final piece, lets kill our agent and remove it from the agents tab
-- Click the green agent PID and select kill agent then select ok
-- Wait for the agent PID to turn red or refresh the Caldera browser tab and go back to the agents tab. This may take a minute or two depending on the agents configuration
-- Once the agent shows as terminated, click the red x at the end of it to remove it from your view and you are all cleaned up....aside from one thing. The windows box.
-- If you want to ensure a clean windows box you can use the stationctl management menu to perform a soft reset and revert the windows box back to a clean instance taken upon deployment
-
-
-## Thrunting
-
-- Now lets switch over to our Kibana session and go to the Discover tab. Select the `logs-*` index
-
-
-
-
-
-
-- The best way to view the activity we conducted on our host is to filter down the data to just want we want to see in this case I want to see process creation events and I want to display the user, parent process name, executing process name and command line.
-
-- Since the agent we used was named "Splunkd", filtering down the wanted activity will be easy.
-
-
-
-
-
-
-Let's walk through what's been done here:
-
-- I've filtered the data set using the winlog channel field which contains the different event subscriptions we have available to us. Since we want a specific windows event ID, I chose the Security channel.
-
-- I then wanted to specify the process creation event id of 4688, which I did by utilizing the event.code field.
-
-- Lastly, I knew the name of my implant was Splunkd so I filtered on the parent process name field to specify the Splunkd process name
-
-- To view the specific fields I wanted to see, I can simply search for the field names on the left hand side and added them to my table
-
-- As you can see, we have this Splunkd.exe spawning Powershell.exe as the user vagrant on the windows10 host to run the Get-Service command
-
-- There are a number of different detections we could write for this, but that is a lab for another day.
-
----
-
-## Conclusion
-
-Hopefully this lab helped you gain a basic understand of Caldera, how a C2 framework works and how to hunt the activity Caldera conducts using Kibana.
\ No newline at end of file
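Review bot: the "Thrunting" walkthrough deleted in this hunk (filtering the `logs-*` index on the Security winlog channel, `event.code` 4688, then the parent process name to surface the agent spawning Powershell.exe as `vagrant` to run `Get-Service`) is not Caldera-specific; only the implant name changes. Consider porting it to the new Operator page rather than dropping it, substituting the Pneuma agent's process name for "Splunkd" in the parent-process filter, so the docs still show the defender side of the exercise. The same applies to the cleanup step that uses the `stationctl` management menu to soft-reset the windows box to its deployment snapshot; the new Operator doc gives no equivalent way to return the victim host to a clean state between runs.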
diff --git a/docs/tool-usage/index.md b/docs/tool-usage/index.md
index 6a1cf24..c7f2c45 100644
--- a/docs/tool-usage/index.md
+++ b/docs/tool-usage/index.md
@@ -20,15 +20,11 @@ To put threat emulation in layman’s terms, it’s “ethical hacking” — a
The premise of red teaming is comparable to the old sports saying, "the best offense is a good defense." Red teaming helps defenders learn about new adversary techniques.
-To provide threat emulation, we have used Red Canary's open source project, [Atomic Red Team](https://atomicredteam.io) and MITRE's [CALDERA](https://github.com/mitre/caldera) project.
+To provide threat emulation, we are using Prelude Operator: https://www.prelude.org/
-### Atomic Red
-Atomic Red Team is a library of simple tests that every security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks.
-
-
-### Caldera
-CALDERA™ is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response.
+### Prelude Operator
+Prelude Operator has a library of simple tests that every security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. Additionally, Operator can take advantage of other libraries of TTP's such as Atomic Red Team. If you/your team is taking advantage of Pro TTP's you may sign in with your account for Prelude as well to get additional functionality.
## Threat Logging & Detection
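Review bot: the replacement line `+To provide threat emulation, we are using Prelude Operator: https://www.prelude.org/` drops the markdown link style the removed line used; write it as `[Prelude Operator](https://www.prelude.org/)` for consistency with the rest of the page. In the new "### Prelude Operator" paragraph, the first two sentences are the removed Atomic Red Team description copied verbatim with the name swapped, so the text now claims Operator itself "is a library of simple tests" and then, one sentence later, that it "can take advantage of other libraries of TTP's such as Atomic Red Team"; reword so the library is attributed to Atomic Red Team and Operator is described as the framework that executes it. Also "TTP's" should be "TTPs" (plural, not possessive), and the Pro TTPs sentence should say plainly that signing in with a Prelude account is optional and only needed for that paid content.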
diff --git a/docs/tool-usage/operator-usage.md b/docs/tool-usage/operator-usage.md
new file mode 100644
index 0000000..ab15674
--- /dev/null
+++ b/docs/tool-usage/operator-usage.md
@@ -0,0 +1,57 @@
+# Prelude Operator Basic Usage
+
+
+### Goals
+At the end of this lab you will be able to:
+
+1. Start Prelude Operator
+2. Understand how to use Prelude Operator
+3. Start Pneuma agents that have been staged on the "victim" hosts.
+
+
+### Pre-Reqs
+
+Let's get set up for this lab:
+
+1. Vagrant up the redops and windows10 box:
+
+ - `vagrant up ts.redops ts.windows10`
+
+2. Establish an RDP session with the redops box with the RDPclient of your choice, with the following data:
+
+ ```
+ host:192.168.56.14
+ user:vagrant
+ pass:vagrant
+ ```
+
+---
+
+## Startup
+
+Operator comes pre-installed on the redops host, and is located in the /home/vagrant/Desktop directory. In order to utilize it you only need to start Operator, so let’s do that.
+
+1. Click `Operator.appimage` on the Desktop. Accept the TOS. Operator will do the rest and will be ready for connections in 15-20 seconds after launch.
+
+## Agents
+
+To get agents communicating with Operator, we need to start the Windows agent.
+
+Establish an RDP session with the windows10 box with RDP client of your choice with the following data:
+
+ ```
+ host:192.168.56.11
+ user:vagrant
+ pass:vagrant
+ ```
+
+Navigate to `C:\Pneuma` and run `start-pneuma.ps1`
+
+After a few seconds the agent will connect to Operator and you will receive a notification of the check-in.
+
+A number of options can be changed with the Agent such as the communication method, the check-in interval, etc.
+
+The docs for Operator are within the application itself but a good quickstart guide is also available on their GitHub here: [Operator Docs](https://github.com/preludeorg/operator-support/blob/master/docs/quickstart.md)
+
+## Demo
+TODO
\ No newline at end of file
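Review bot: the fenced blocks under "Pre-Reqs" step 2 and under "Agents" are indented by a single space, which is not enough for Markdown to treat the first one as part of the numbered list item (it will close the list and render as a top-level block) and is inconsistent for the second, which is not inside a list at all; indent the first fence to the list item's content column and un-indent the second. The "## Demo" section ships as a bare `TODO` while this change deletes the full Caldera lab, so the Tool Usage nav will point at a page with no exercise; either carry over a minimal demo (start Pneuma, run one TTP, find the resulting process-creation event in Kibana) or hold the caldera-usage.md removal until it is written. Minor: "RDPclient" is missing a space, and the "Startup" section says Operator "will be ready for connections in 15-20 seconds" without telling the reader what to look for (a listening port or a UI indicator) to confirm that before starting the Windows agent.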
diff --git a/mkdocs.yml b/mkdocs.yml
index 03d13c1..f19cc9c 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -77,7 +77,7 @@ nav:
- Functions Check: quickstart/functions-check.md
- Tool Usage:
- Overview: tool-usage/index.md
- - Caldera Usage: tool-usage/caldera-usage.md
+ - Operator Usage: tool-usage/operator-usage.md
# - Atomic Usage: tool-usage/atomicredteam.md
# - Hunting Handbook:
# - What is Threat Hunting?: handbook/what-is-threathunting.md