-
Notifications
You must be signed in to change notification settings - Fork 358
Prelude Operator
Prelude Operator can be automatically configured and deployed with a Splunk Attack Range allowing a user to easily launch attacks via Operator on a running range using the pre-installed Penuma agents. To get started with Prelude follow these simple steps:
- Install Prelude Operator on your local machine
- Configure an attack range with Prelude (configure the accountEmail setting)
- Build an attack range
- Add a manual new redirector to Prelude Operator
For an overview on how Prelude works inside the attack range see the general architecture below:
- A Headless Operator/Redirector is installed on the Splunk server, this means a user needs:
- Operator installed in their local machine (can be downloaded here) to connect and manage it, see screenshot below.
- Or talk through it via the API on TCP port
- Pneuma is installed and supported on the Windows (server and domain controller) and Linux machines ONLY today
- Pneuma connects back to the Headless Operator/Redirector via TCP port 2323
When an Splunk Attack Range is configured it will need to know the auto generated accountEmail
to connect to. This can be obtained via the Prelude Operator client via clicking on Connect -> Deploy Manual Redirectors, see screenshot below for an example.
Once an Attack Range has successfully been built with Prelude Operator the show
command will include a token and FQDN like below:
Access Prelude Operator UI via:
redirector FQDN > 18.225.27.90
Token: fbe9254b-5fb8-44d2-a02c-31e0a10f62c9
This should then be inserted in the Deploy Manual Redirectors form on the locally installed Operator, click on Add
to be able to attack these hosts via Operator. If all worked well you should end up with a list of hosts and a purple "Your are connected" message above available like the screenshot below.