Ephemeral Probes
Ephemeral probes are lightweight processes with the smallest footprint possible. They are designed to run without dependencies on any modern version of Windows, Linux or macOS and do not persist across reboots.
Generating a Token
Before running the platform-specific commands listed below, you'll need to generate a Probe token using the Prelude CLI. (The registration and install string generated via the web UI cannot be used; it's a reusable string and not a host-specific Probe token.)
If you created your account using the web UI, export your credentials (user menu > My profile > Export Credentials) and save the keychain.ini file to ~/.prelude/ so that when you run the Prelude CLI to generate the Probe token, the token will be linked to the account in use via the web UI.
Use the "prelude detect create-endpoint" command to generate a unique token for each instance of the ephemeral probe you intend to run. SERIAL_NUM is intended to be a serial number but can be any unique string associated with the target machine.
Example
prelude detect create-endpoint -h %HOSTNAME% -s %SERIAL_NUM% -t "Tag1,Tag2"
Available parameters for the create endpoint function
Options:
  -h, --host TEXT        hostname of this machine  [required]
  -s, --serial_num TEXT  serial number of this machine  [required]
  -t, --tags TEXT        a comma-separated list of tags for this endpoint
  --help                 Show this message and exit.
Windows
Open-source Raindrop
Run the following commands in PowerShell as Administrator. Replace <TOKEN> with the token value you generated via the Prelude CLI as described above. These commands download the script, set the PRELUDE_TOKEN environment variable, and start the script:
Invoke-WebRequest -UseBasicParsing -URI "https://api.preludesecurity.com/download/raindrop" -Headers @{"dos"="windows-x86_64"} -OutFile probe.ps1
SETX PRELUDE_TOKEN <TOKEN> /M
.\probe.ps1
macOS
Open-source Nocturnal
To download the ephemeral probe and run it (replace <TOKEN> with the token created in the "Generating a Token" section on this page):
curl -sL "https://api.preludesecurity.com/download/nocturnal" -H "dos:darwin-arm64" > probe
export PRELUDE_TOKEN=<TOKEN>
chmod +x probe
./probe
Linux
Open-source Nocturnal
To download the ephemeral probe and run it (replace <TOKEN> with the token created in the "Generating a Token" section on this page):
curl -sL "https://api.preludesecurity.com/download/nocturnal" -H "dos:linux-x86_64" > probe
export PRELUDE_TOKEN=<TOKEN>
chmod +x probe
./probe
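The macOS and Linux steps above can be combined into one wrapper that keeps the token out of the interactive shell's environment and removes the downloaded file when the shell exits. This is an added example, not Prelude's own script: the function names are hypothetical, and the "dos" values other than darwin-arm64 are assumptions that follow the naming pattern shown on this page.

```shell
#!/bin/sh
# Added example (not Prelude's own code): run the ephemeral probe with the
# token scoped to the probe process only.

# Map `uname -s` / `uname -m` output to a "dos" header value.
# Values other than darwin-arm64 are assumptions based on the page's pattern.
dos_for() {
    case "$1" in
        Linux)  os=linux ;;
        Darwin) os=darwin ;;
        *) echo "unsupported OS: $1" >&2; return 1 ;;
    esac
    case "$2" in
        x86_64|amd64)  arch=x86_64 ;;
        arm64|aarch64) arch=arm64 ;;
        *) echo "unsupported architecture: $2" >&2; return 1 ;;
    esac
    printf '%s-%s\n' "$os" "$arch"
}

# run_with_token TOKEN CMD [ARGS...]
# Export PRELUDE_TOKEN inside a subshell and exec the command there, so the
# calling shell (and anything else started from it) never has the variable.
run_with_token() (
    PRELUDE_TOKEN=$1
    export PRELUDE_TOKEN
    shift
    exec "$@"
)

# run_probe TOKEN: download the probe for this host and run it.
run_probe() {
    dos=$(dos_for "$(uname -s)" "$(uname -m)") || return 1
    dir=$(mktemp -d) || return 1          # private directory, mode 0700
    trap 'rm -rf "$dir"' EXIT             # remove the probe when the shell exits
    # -f: fail on an HTTP error instead of saving the error body as "probe".
    curl -fsSL "https://api.preludesecurity.com/download/nocturnal" \
        -H "dos:$dos" -o "$dir/probe" || return 1
    [ -s "$dir/probe" ] || { echo "empty download" >&2; return 1; }
    chmod 700 "$dir/probe"
    run_with_token "$1" "$dir/probe"
}
```

Source the file and call run_probe with the host-specific token from "Generating a Token"; each host still needs its own token.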