Initial docs update

docs/about/machine-details.md

@@ -1,14 +1,14 @@
 # Node Details
 This section provices details on each node and what surface area is available. So just what is going on on each virtual machine?
 
-## Elastomic
-The "`elastomic`" node is the first and only _required_ node, and is the crux of the entire project. It's essentially a "Purple Teaming" control box that is used to **both** _execute attacks and capture logs of those attacks_.
+## Elastic
+The "`elastic`" node is the first and only _required_ node, and is the crux of the entire project. It's essentially a SIEM that is used to capture logs of attacks carried out by the red box `redops`.
 
 #### Features
 
 * Elasticsearch
 * Kibana
-* Atomic Redteam UI
+* Prelude Operator UI
 * Powershell
 
 #### Enabled Services
@@ -60,4 +60,19 @@ The intent of the `ts.centos7` box is emulate hosting the typical services hoste
 * Rsyslog
 * Samba
 
+## Redops
+
+The intent of the redops box is a Red Team box that is used to execute attacks against the victim machines.
+
+#### Features
+
+* Built from Debian 11 ISO
+* One user `vagrant`
+* All updates applied during build process
+* Includes VM guest additions
+
+#### Enabled Services
+
+* Prelude Operator
+
 > More details on the usage of each tool can be found in the [Tool Usage Section](https://docs.thremulation.io/tool-usage/).

docs/about/overview.md

@@ -1,5 +1,5 @@
 # Overview
-
+(Image below needs updated)
 <br>
 <p align="center">
 <img src="/images/ts-topology2.png">
@@ -25,17 +25,18 @@ This project has many practical use cases, and we're excited to see how it's use
 ## Workflow
 
 Let's look at an overview of the mini-range and demonstrate a basic exercise workflow.
+(Image below needs updated)
 
 <br>
 <br>
 <p align="center">
 <img src="/images/ts-workflow2.png">
 </p>
 
-1. Access the `ts.elastomic` control box interfaces
+1. Access the `ts.elastic` control box interfaces
 1. Choose your target host (currently windows10 or centos)
 2. Launch either a prebuilt threat tactic / technique or your own custom
-3. Victim machines report back to `ts.elastomic` where artificacts can be observed
+3. Victim machines report back to `ts.elastic` where artificacts can be observed
 
 <br>
 

docs/about/requirements.md

@@ -15,15 +15,18 @@ Bottom line: this project should provide a usable range on a _relatively modern_
 
 The listing of resources allocated to each virtual machine are listed below (note that virtual cpus == threads):
 
-- Elastomic:
+- Elastic:
     - virtual memory = `4G`
     - virtual cpus = `2`
-- Elastomic:
+- Windows:
     - virtual memory = `2G`
     - virtual cpus = `2`
-- Elastomic:
+- Centos7:
     - virtual memory = `1G`
     - virtual cpus = `1`
+- Redops
+    - virtual memory = `2G`
+    - virtual cpus = `2G`
 
  These values are certainly tunable, but this is a good starting point. All details can be found in the [Vagrantfile](https://github.com/thremulation-station/thremulation-station/blob/devel/vagrant/Vagrantfile).
 

docs/community.md

@@ -1,10 +1,10 @@
 # Community
 
 ## Discord
-There are several ways to connect with the project community whether that's for support, contributing content, or just learning from other infosec nerds. The primary method should be [Discord](https://discord.gg/mtNXN4QjHh)!
+There are several ways to connect with the project community whether that's for support, contributing content, or just learning from other infosec nerds. The primary method should be [Slack](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw)!
 
 !!! info "Info"
-    Discord server invite URL [https://discord.gg/mtNXN4QjHh](https://discord.gg/mtNXN4QjHh)
+    Slack invite URL [https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw)
 
 
 ## Getting Connected

docs/contribution.md

@@ -17,7 +17,7 @@ Please create an Issue the proper repository:
 
 ### Community
 
-Please join the [Discord](https://discord.gg/fdNjAbHyHz).
+Please join the [Slack](https://join.slack.com/t/thremulation-station/shared_invite/zt-urwtghsh-GyJp8ENYQgtDQAP0JhcbRw).
 
 ### Email
 

docs/index.md

@@ -23,7 +23,7 @@
 
 <hr />
 <br>
-Thremulation Station is an approachable small-scale threat emulation and detection range. It leans on Atomic Red Team for ***emulating*** threats, and the Elastic Endpoint Agent for ***detection***.
+Thremulation Station is an approachable small-scale threat emulation and detection range. It leans on Prelude Operator for ***emulating*** threats, and the Elastic Endpoint Agent for ***detection***.
 
 !!! info "TL;DR"
     If you're ready to skip the reading and jump into things, head to the [Quickstart / Installation](https://docs.thremulation.io/quickstart/installation/) section.
@@ -35,8 +35,7 @@ There are a lot of tools and moving pieces, but the main building blocks are:
 - Elasticsearch
 - Kibana
 - Elastic Endpoint Agent
-- Atomic Red Team
-- Caldera
+- Prelude Operator
 
 
 ## Project Goals

docs/quickstart/deployment.md

@@ -18,7 +18,7 @@ Thremulation Station comes with a terminal control interface called `stationctl`
 - check the status of a current range
 - management tasks on a current range
     - reloading / rebuilding boxes
-    - data reset (clearing indexes)
+    - data reset (clearing indexes, clearing alerts/signals)
     - various troubleshooting steps
 
 <br>
@@ -58,7 +58,7 @@ A "deployment" consists of selecting the nodes (VMs) you want, downloading them,
 
 #### Quick Deployment
 
-A Quick Deployment is the first and fastest option. It enables all VMs included in the range, meaning the control machine, a Windows10 workstation, and a Linux server.
+A Quick Deployment is the first and fastest option. It enables all VMs included in the range, meaning the attack machine, the data collector/SIEM, a Windows10 workstation, and a Linux server.
 
 <br>
 <p align="center">
@@ -85,7 +85,7 @@ A Quick Deployment is the first and fastest option. It enables all VMs included
 <br>
 #### Custom Deployment
 
-A custom deployment works generally the same way as quick one, but provides you the option to choose what target VMs to deploy alongside the control (ts.elastomic) box. 
+A custom deployment works generally the same way as quick one, but provides you the option to choose what target VMs to deploy alongside the data collector, (ts.elastic) box. 
 
 ##### Example:
 A great usecase for this would be if you're _very_ limited on hardware resources, and you only intend on emulating and detecting threats against a linux server. You have the flexibility to say (N)o to Windows and (Y)es to Linux, which would look like so:

docs/quickstart/functions-check.md

@@ -12,40 +12,86 @@ Now that all VMs are up and running, let's validate that everything is working a
 
 This functions check will demonstrate a general workflow using some of the major tools available, as well as validate that all nodes are communicating corectly.
 
-1. From your terminal run $ `vagrant ssh ts.elastomic` to establish as shell session on the combo logger / attacker box. Your prompt will update to indicate you're connected to the elastomic box.
+1. From your terminal run $ `vagrant rdp ts.redops` to establish an RDP session on the attacker box. Your prompt will update to indicate you're connected to the redops box.
 
-1. Then, enter `pwsh` to drop into a Powershell session. Now it is time to choose what test or attack you would like to run against the remote Windows 10 box. You'll see your prompt change to `PS /home/vagrant> `.
+2. Then run `./Operator.appimage` on the Desktop or run `~/Desktop/Operator.appimage` and accept the TOS. Operator can be used with a paid Pro/Enterprise account but by default will be set up with a Community account. 
 
-1. You can browse the available tests by referencing the [Atomic Redteam Docs](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md).
+3. You can browse the available Community tests/TTPs as well as everything available to the community by referencing the Community repo here:  [Prelude Community TTPs](https://github.com/preludeorg/community/tree/master/ttps) You can also reference additional TTPs that be added such as Atomic Red Team at [Atomic Redteam Docs](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-Markdown/windows-index.md).
 
-1. For this demonstration we will conduct a simple example technique and test. It will use Powershell to download [Mimikatz](https://github.com/gentilkiwi/mimikatz) and then dump credentials on the system. More info about this specific technique and test can be found here:  [T1059.001 TestNumber 1](https://attack.mitre.org/techniques/T1059/001/)
+4. For this demonstration we will conduct a simple example technique and test. It will use Powershell to download [Mimikatz](https://github.com/gentilkiwi/mimikatz) and then dump credentials on the system. More info about this specific technique and test can be found here:  [T1059.001 TestNumber 1](https://attack.mitre.org/techniques/T1059/001/)
 
-1. Before we can run this test ___against the Windows 10 box___ we first need to setup a Powershell Session over SSH to the Windows 10 box.
+1. Before we can run this test ___against the Windows 10 box___ we first need to RDP into the Windows box and start the Pneuma Agent for Operator. We can use `vagrant rdp ts.windows10` or manually RDP in. 
+
+    !!! info "Info"
+    We could have the agent start when the lab is brought up by changing the last line in `download-pneuma-agent.ps1`. But by default, the agent is not running. If it starts by default, Establishing an RDP session or creating a new PSSession in Powershell will work. Details for each below.
+
+### RDP
+
+1. RDP into `ts.windows10` with `vagrant rdp ts.windows10`. 
+2. Navigate to `C:\Pneuma` and double-click `start-pneuma.ps1`
+
+### PSSession (agent started)
+If you want to use PSSession and the agent is enabled, on either `ts.elastic` or `ts.centos`, follow the instructions below. 
 
 1. Create a necessary variable by running the below command. Enter "yes" and the password `vagrant` if prompted:
 
     ```powershell
-    $sess = New-PSSession -Hostname 192.168.33.11 -Username vagrant
+    $sess = New-PSSession -Hostname 192.168.56.11 -Username vagrant
     ```
 
     !!! info "Info"
         What does this do? We are creating a variable called `$sess` and setting it's value to our new session we just created using the [New-PSSession](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.1) Powershell cmdlet.
 
-1. Take a moment to look at the syntax we're going to use to launch our "attack" against the remmote target (`ts.windows10`):
+### PSSession (agent not started)
+If you want to use PSSession and the agent is not enabled, on either `ts.elastic` or `ts.centos`, follow these instructions instead.
+
+1. Create a necessary variable by running the below command. Enter "yes" and the password `vagrant` if prompted:
 
     ```powershell
-    Invoke-AtomicTest     # Run Atomic Test
-    T1059.001             # Technique ID
-    -TestNumbers 1        # TestNumber
-    -Session $sess        # Connect using our session variable
+    $sess = New-PSSession -Hostname 192.168.56.11 -Username vagrant
     ```
 
-1. Run the following command to kick things off:
+2. Take a moment to look at the syntax we're going to use to start our session with the remmote target (`ts.windows10`):
 
     ```powershell
-    Invoke-AtomicTest T1059.001 -TestNumbers 1 -Session $sess
+    Invoke-Command     # Invoke cmdlet to start some binary/script
+    -FilePath          # Define where the script lives
+    -Session $sess     # Connect using our session variable
     ```
 
+3. Run the following command to kick things off:
+
+    ```powershell
+    Invoke-Command -FilePath C:\Pneuma\start-pneuma.ps1 -Session $sess
+    ```
+
+### Operator
+
+We should see our `ts.windows10` victim show up in our `thremulation range` in Operator. From here we can execute a TTP easily. 
+
+1. Navigate to Editor and search for `PowerSploit Invoke-Mimikatz`
+2. Click `Deploy`
+
+
+
+<br>
+<p align="center">
+<img src="../../images/operator-mimi.png">
+</p>
+<br>
+
+3. Once you click `Deploy` you should see the following: 
+
+<br>
+<p align="center">
+<img src="../../images/threm-operator-range.png">
+</p>
+<br>
+
+Click `Deploy` once more!
+
+### Kibana
+
 1. Once this is finished, go back to the Discover tab in Kibana: `http://localhost:5601/app/discover#/`
 
 1. In the search bar type "`mimikatz`" and hit Enter. You should see results filtered to show the events matching the Mimikatz attack you just executed.
@@ -69,19 +115,10 @@ Clean logs -- clean mind right? While the data in Kibana is separated by the fac
 !!! info "Info"
     The term "target systems" refers to the `ts.windows10` and `ts.centos7` boxes.
 
-Most of (if not all) Atomic Red Team tests come with a cleanup command to clear your target system before executing another test.
-
-1. In order to cleanup our Mimikatz test we can run the same command we used to execute it this time with a `-Cleanup` option at the end.
-
-1. Run the following command to clean house:
-
-    ```powershell
-    Invoke-AtomicTest T1059.001 -TestNumbers 1 -Session $sess -Cleanup
-    ```
 
 #### Attacker / Logger System
 
-The "control" node that is used to perform all attacking and logging operations is the `ts.elatomic` box. We can use the `stationctl` CLI to perform a data reset. This will clear all existing Elasticsearch index data to wipe the slate clean. Station control should be executed from the vagrant/ folder, so ***ensure*** that you're in the right folder: `<THIS-PROJECT-REPO>/vagrant/`.
+The "control" node that is used for logging operations is the `ts.elastic` box. We can use the `stationctl` CLI to perform a data reset. This will clear all existing Elasticsearch index data to wipe the slate clean. Station control should be executed from the vagrant/ folder, so ***ensure*** that you're in the right folder: `<THIS-PROJECT-REPO>/vagrant/`.
 
 1. You can perform a "Clear Data" operation with the following commands:
 

docs/quickstart/initial-access.md

@@ -31,18 +31,20 @@ This provides some very valuable information on the status of our local range:
 
 The environment is designed for users to interact with 2 primary interfaces:
 
-- Atomic Redteam - **execute** threats
+- Prelude Operator - **execute** threats
 - Kibana WebUI - **detect** threats
 
 
-### Atomic Red Team
+### Prelude Operator
 
-This adversary emulation toolset is accessed by ssh'ing into the `ts.elastomic` box and starting up a powershell session.
+This adversary emulation toolset is accessed by rdp'ing into the `ts.redops` box and starting up `Operator.appimage` on the Desktop.
 
 1. From the vagrant/ directory:
-    - $ `vagrant ssh ts.elastomic`
-1. Start a powershell session:
-    - $ `pwsh`
+    - $ `vagrant rdp ts.redops`
+1. Start Operator:
+    - $ `cd ~/Desktop` 
+    - $ `./Operator.appimage`
+    - Click `Operator.appimage` and accept the TOS
 
 
 ### Kibana Web Interface

docs/quickstart/installation.md

@@ -19,6 +19,8 @@ Let's kick the process off by installing the required software for your host pla
 
 <br>
 
+**NOTE: The deployment may or may not work with macOS due to various issues with the ecosystem. Docs will be updated once we feel like it is reliable again. If you are feeling adventerous, try the below steps!**
+
 === "macOS"
 
       We have used macOS for the lion's share of the development and testing of the project (and currently provides the most validated experience).

docs/support/stationctl.md

@@ -63,6 +63,7 @@ This menu will see some heavy use, and it's broken down into 2 sections:
 ### Data Reset and Troubleshooting
 
 6. Clear Data - _delete data in all indexes_
-7. Soft Reset - _revert to original snapshots_
-8. Hard Reset - _destroy all vms_
-9. Nuke and Pave - _destroy all vms and boxes_
+7. Clear Alerts - _delete all open signals in the siem index_
+8. Soft Reset - _revert to original snapshots_
+9. Hard Reset - _destroy all vms_
+10. Nuke and Pave - _destroy all vms and boxes_