Chain

Executing an organized attack

A chain is an unordered collection of procedures files. Think of a chain in video game terms; it is
an empty profile or shell, and it gets more powerful as you add specific abilities to it.

Content

id

A unique identifier for that chain

metadata

This field contains information about the chain such as who created it, when it was released, etc.

variables

They are a list of parameters that are needed for the chain to run correctly. It could be a path to a file, an api key to authorize to a certain service, etc.

name

The display name of the chain.

description

A description of what that chain does and how it does it

ttps

A list of TTP used by the chain to accomplish its goal.

ordered

A boolean that indicates if the list of TTPS needs to be executed in order or not.

platforms

A list of platform on which the chain can be executed.

executors

A list of executor that can run that chain.

TTP Tuesday


Every Tuesday, Prelude security engineers release a new chain in an event called TTP Tuesday. These chains
typically align to threat intelligence and are loaded into Operator automatically for Professional license holders. You can view past chains on our chains website.

Build your own chain


You can build your own chains through the Launch Chain sidebar inside Operator. Design your chains on real-world threat actors (APT group) or detection rules you want to test. Alternatively, you can build chains manually by applying a chain property to any TTP YML file manually. Example below.

id: 4e707752-4abc-4799-9ff3-0caddc032bc2
metadata:
  license: community
  authors:
  - khyberspache
  tags: []
  chains:
  - My Custom Chain

...