Adversary Village

Stephan Wampouille

Software Engineer at Prelude Research

Stephan is a software engineer at Prelude Research, where he works on cutting-edge offensive security tools and tradecraft. He originally worked on the Operator C2 platform before moving on to build the library of TTPs hosted on Stephan is a veteran Defcon speaker, previously giving a talk on autonomous lateral movement, as applied to Linux servers, at Defcon 29.

Workshop: Building Adversary Chains Like an Operator
Hands-on Workshop

Every week, the Prelude security team builds attack chains that emulate the most notorious threat actors online. The attacks are released in an event called “TTP Tuesday” and each chain can be browsed on For those with an Operator license, the chains pop into the command-and-control (C2) application automatically. For the first time, the author of Operator - along with Prelude security engineers - will walk you through their process of building and releasing these chains. In this workshop, you will learn how to:

  • * Evaluate open-source threat intelligence and output it as an attack plan.
  • * Convert your plan into an actionable set of TTPs called a “chain”.
  • * Select hosts around your network to test your plan.
  • * Deploy agents on your selected hosts and execute your chain against them.
  • * Put your chains on repeat so they’re constantly at work in your environment.
  • * Package your results into a report that can measure your success.
You should expect to be hands-on, with a laptop running Operator. Expect to walk away from this workshop with both knowledge of how to build attack chains and a brand new, unreleased chain that will go out in a future TTP Tuesday event. Attackers use advanced tactics to infiltrate your network and run undetected. Learn how to emulate them so you can get ahead of their game. Proactive adversary emulation leads to better detection, which leads to faster response and a more robust grasp of your current risk profile.