Agent Installation and Deployment Guide

This guide walks you through the process of installing and deploying the Chariot agent (Aegis), tailored for use in assumed breach and internal penetration testing scenarios. 

Aegis is a standalone binary capable of operating on Windows, Linux and macOS hosts. It provides Praetorian with real-time visibility into the environment while maintaining a minimal operational footprint.

This guide covers the prerequisites and installation steps for Windows, Linux and macOS deployments.

The Aegis agent operates independently of local infrastructure, communicating directly with our secure cloud services through encrypted channels. No additional on-premise components are required.


Step 1: Prerequisites

Before starting, ensure the following:

  • Download Aegis Agent: Obtain the latest official Aegis agent binary from the Praetorian support team.

  • Admin Rights: Ensure you have administrative privileges to install and configure Aegis on all target endpoints.
  • Hardware Virtualisation Support: The agent should be installed on a system that supports hardware virtualization. This can be enabled via BIOS settings or within a virtualization platform such as vSphere. While Aegis will function without this, enabling hardware virtualization allows for enhanced capabilities and improved performance.
  • Note for VMware Environments:
    If the Aegis agent is deployed within a virtual machine hosted on VMware platforms such as ESXi or vSphere, ensure that port security features are disabled or appropriately configured on the virtual switch. 

  • Enable Promiscuous Mode: Enable Promiscuous Mode on the virtual switch (vSwitch) port group that the parent ESXi VM (your Host Virtual Machine) is connected to on the physical ESXi host. This allows the physical vSwitch to see traffic from the MAC address of any nested VMs introduced by Aegis.
  • Enable Forged Transmits: You also need to enable Forged Transmits on the same virtual switch port group on the physical ESXi host. This allows traffic originating from the nested Virtual Machines (which have different MAC addresses to that of the parent Virtual Machine) to leave the physical vSwitch.
  • Alternatively, Enable MAC Learning: If your physical ESXi host is running vSphere 7.0 or later, you can enable MAC Learning on the relevant port group instead of enabling both Promiscuous Mode and Forged Transmits. MAC Learning allows the vSwitch to learn and permit traffic from the specific MAC address of any of the nested Virtual Machines introduced to the system by Aegis, without the broader allowances of promiscuous mode.
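The Promiscuous Mode and Forged Transmits settings above can be applied and verified with VMware PowerCLI. This is an added example, not part of the Aegis guide or Praetorian's tooling; the vCenter, ESXi host and port-group names are placeholders, and the MAC Learning alternative (a distributed-switch API setting) is not covered by these cmdlets.

```powershell
# Added example (not from the Aegis guide): applies the port-group security
# settings described above with VMware PowerCLI. vCenter, host and port-group
# names are placeholders. MAC Learning (vSphere 7.0+) is a distributed-switch
# API setting and is not covered by these cmdlets.
Connect-VIServer -Server vcenter.example.internal

$esxiHost = "esxi01.example.internal"   # physical host running the Aegis VM
$pgName   = "Aegis-PortGroup"           # standard vSwitch port group the Aegis VM uses

$vmhost = Get-VMHost -Name $esxiHost
$pg     = Get-VirtualPortGroup -VMHost $vmhost -Name $pgName -Standard

# Show the effective policy first; values marked *Inherited come from the vSwitch.
$pg | Get-SecurityPolicy | Format-List AllowPromiscuous, ForgedTransmits, MacChanges

# Override only on this port group rather than the whole vSwitch, so the
# relaxation stays scoped to the VM that hosts Aegis.
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -ForgedTransmits $true | Out-Null

# Re-read and confirm; fail loudly so a silently ignored change is noticed.
$policy = $pg | Get-SecurityPolicy
if (-not ($policy.AllowPromiscuous -and $policy.ForgedTransmits)) {
    throw "Port group '$pgName' on $esxiHost still blocks nested-VM traffic"
}
"Port group '$pgName': AllowPromiscuous=$($policy.AllowPromiscuous) ForgedTransmits=$($policy.ForgedTransmits)"
```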

Anti-Virus / EDR Considerations

It's important to prevent anti-virus / EDR software from interfering with Aegis' operations. Some tools may be mistakenly flagged as malicious, causing false positives or execution failures. This section outlines the directories which should be whitelisted to ensure seamless operation, while maintaining the security posture of the endpoint.

Key Directories to Whitelist

Aegis Installation Directory

This is where the Aegis agent binary and core files reside. Whitelisting this directory prevents AV solutions from interfering with the agent's core operations.

  • Windows: c:\Program Files\Praetorian Aegis
  • Linux: /opt/Aegis

Temporary Staging Directory for Third-Party Tools

Aegis temporarily stages third-party tools in this directory. AV software may flag these tools as suspicious, causing disruptions. Defining and whitelisting this directory ensures smooth execution.

  • Windows: c:\ProgramData\Praetorian Aegis\tools
  • Linux: /var/lib/Aegis/tools

Artifact Cache and Download Directory

This directory stores downloaded artifacts and cached data required by Aegis. AV solutions might flag cached binaries or artifacts as suspicious.

  • Windows: c:\ProgramData\Praetorian Aegis\cache
  • Linux: /var/cache/Aegis

Logs and Execution Data Directory

AV interference with log files is rare; however, aggressive monitoring tools may trigger alerts based on log content, especially when logs contain sensitive process execution data.

  • Windows: c:\ProgramData\Praetorian Aegis\logs
  • Linux: /var/log/Aegis
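For endpoints protected by Microsoft Defender, the four Windows directories listed above can be registered as path exclusions and then verified in one pass. This is an added example, not part of the Aegis guide; other EDR products need their own console, and the exclusions are deliberately limited to these exact paths so the rest of the endpoint keeps full coverage.

```powershell
# Added example (not from the Aegis guide): registers the Windows directories
# listed above as Microsoft Defender path exclusions and verifies them.
# Adjust the paths if Aegis was installed to a non-default location.
$aegisPaths = @(
    "C:\Program Files\Praetorian Aegis",
    "C:\ProgramData\Praetorian Aegis\tools",
    "C:\ProgramData\Praetorian Aegis\cache",
    "C:\ProgramData\Praetorian Aegis\logs"
)

# Only add what is missing, so re-running the script is harmless.
$existing = (Get-MpPreference).ExclusionPath
foreach ($p in $aegisPaths) {
    if ($existing -notcontains $p) {
        Add-MpPreference -ExclusionPath $p
    }
}

# Confirm every directory is excluded before the agent is rolled out;
# a missing exclusion shows up later as a quarantined tool or a failed run.
$after   = (Get-MpPreference).ExclusionPath
$missing = $aegisPaths | Where-Object { $after -notcontains $_ }
if ($missing) {
    throw "Exclusions not applied: $($missing -join ', ')"
}

# Exclusions are a blind spot: report the full list so nothing broader
# (for example a whole drive or C:\ProgramData) slipped in by mistake.
$after | Sort-Object
```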

Network Requirements / Firewall Rules

The Aegis agent requires outbound internet access to communicate with our infrastructure and integrated VPN connectivity. 

The environment must allow endpoints to establish and maintain connections to the following services for Aegis to function correctly:

Hostname                      Port   Protocol
agent.chariot.praetorian.com  443    TCP
controlplane.tailscale.com    443    TCP
stunport.tailscale.com        3478   UDP
*.derp.tailscale.com          443    TCP
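Before rolling the agent out, the firewall rules above can be validated from a representative Windows endpoint. This is an added example, not part of the Aegis guide: the TCP entries are probed with Test-NetConnection, and the UDP entry is probed by sending a STUN Binding Request (RFC 5389) and expecting a Binding Success Response, because a UDP port cannot be tested with a plain connect. *.derp.tailscale.com is a wildcard, so no concrete DERP relay hostname is assumed here.

```powershell
# Added example (not from the Aegis guide): checks outbound reachability of the
# fixed hostnames in the table above from a Windows endpoint.
function Test-StunReachable {
    param([string]$StunHost, [int]$Port = 3478, [int]$TimeoutMs = 3000)
    # STUN header: type 0x0001 (Binding Request), length 0, magic cookie, 12-byte txn id
    $txn = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txn)
    $req = [byte[]]((0x00,0x01, 0x00,0x00, 0x21,0x12,0xA4,0x42) + $txn)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($StunHost, $Port)
        [void]$udp.Send($req, $req.Length)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        # Binding Success Response = type 0x0101 and it must echo our transaction id
        return ($resp.Length -ge 20 -and $resp[0] -eq 0x01 -and $resp[1] -eq 0x01 -and
                (($resp[8..19] -join ',') -eq ($txn -join ',')))
    } catch {
        return $false          # timeout, DNS failure or ICMP unreachable all count as blocked
    } finally {
        $udp.Close()
    }
}

$results = foreach ($t in @(
        @{ Host = "agent.chariot.praetorian.com"; Port = 443;  Proto = "TCP" },
        @{ Host = "controlplane.tailscale.com";   Port = 443;  Proto = "TCP" },
        @{ Host = "stunport.tailscale.com";       Port = 3478; Proto = "UDP" })) {
    $ok = if ($t.Proto -eq "TCP") {
        (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    } else {
        Test-StunReachable -StunHost $t.Host -Port $t.Port
    }
    [pscustomobject]@{ Hostname = $t.Host; Port = $t.Port; Protocol = $t.Proto; Reachable = $ok }
}

$results | Format-Table -AutoSize
if ($results.Reachable -contains $false) {
    Write-Warning "One or more required services are blocked; Aegis will not connect until the rules above are in place."
}
```

A TCP result of OK only proves the port is open to this host; if an egress proxy performs TLS inspection, confirm separately that the agent's connections are not intercepted.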

Step 2: Operating System Requirements


Microsoft Windows

Prerequisites

  • Windows 8 / Windows Server 2012 or later
  • The Aegis installer must be executed with local administrator privileges
  • Minimum 16GB RAM
  • 150GB free disk space
  • Domain Joined System

Installation

Windows MSI Install

To install the Windows MSI from the command line (which requires elevated privileges), simply run:

msiexec /i praetorian_aegis.msi

This will install the binary and client configuration file in the following directory:

C:\Program Files\Praetorian Aegis\

It will also create a service named "Praetorian Aegis Service", and start it.

The Aegis service runs using the Local System account. Startup of the service is Automatic with a delayed start.
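For an unattended rollout it is worth wrapping the msiexec call with the checks a deployment engineer wants afterwards: that the package is signed, that the install returned success, and that the service exists, is running, and is set to Automatic (Delayed Start) as described above. This is an added example, not part of the Aegis guide; the MSI and log paths are placeholders, and it assumes Praetorian ships a signed MSI (confirm with support if the signature check fails).

```powershell
# Added example (not from the Aegis guide): unattended MSI install with a
# verbose log, followed by signature and service verification.
$msi = "C:\Deploy\praetorian_aegis.msi"           # placeholder path
$log = "C:\Deploy\praetorian_aegis_install.log"   # placeholder path

# Supply-chain check: refuse to install an unsigned or tampered package
# (assumes Praetorian ships a signed MSI).
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; refusing to install."
}
"Signer: $($sig.SignerCertificate.Subject)"

# /qn = no UI, /norestart, /l*v = verbose log for troubleshooting
$msiArgs = "/i `"$msi`" /qn /norestart /l*v `"$log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}

# Service checks. Get-Service reports Automatic but not the delayed flag,
# so read DelayedAutostart from the service's registry key.
$svc = Get-Service -DisplayName "Praetorian Aegis Service"
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
$reg = Get-ItemProperty -Path $key

[pscustomobject]@{
    Service      = $svc.Name
    Status       = $svc.Status
    StartType    = $svc.StartType
    DelayedStart = ($reg.DelayedAutostart -eq 1)
    Account      = $reg.ObjectName        # expected: LocalSystem
    Binary       = $reg.ImagePath
}
if ($svc.Status -ne 'Running') { throw "Aegis service is installed but not running" }
```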

Windows MSI Uninstall

To remove Aegis from Windows, run the following command in an elevated command prompt:

msiexec /x praetorian_aegis.msi

Alternatively, use Add or Remove Programs in Windows settings to uninstall Aegis.


macOS

Prerequisites

  • macOS 11 (Big Sur) or later
  • Administrator privileges
  • Minimum 6GB RAM
  • 20GB Disk Space

Installing via PKG

To install the Aegis agent on macOS using a PKG installer, follow these steps:

Download the PKG Installer
Obtain the latest aegis.pkg package from the Praetorian support team.

Install the agent
Open a terminal and execute the following command with administrative privileges:

sudo installer -pkg praetorian_aegis.pkg -target /

This command installs the Aegis agent into the /Applications/Aegis/ directory and configures it as a background service.

Verify Installation
After installation, confirm that the agent is running:

sudo launchctl list | grep praetorian

You should see an entry for the Aegis service.

Start the Agent Manually (if needed)
If the agent does not start automatically, you can manually start it:

sudo launchctl load /Library/LaunchDaemons/com.praetorian.chariot.agent.plist
sudo launchctl start com.praetorian.chariot.agent

Your Aegis agent is now installed and ready to use on macOS.

Uninstalling the Agent
If you need to remove Aegis, use the following command:

sudo pkgutil --forget com.praetorian.chariot.agent
sudo rm -rf /usr/local/bin/PraetorianAegis
sudo rm /Library/LaunchDaemons/com.praetorian.chariot.agent.plist

Linux

Prerequisites

  • Supported distributions: Ubuntu 20.04+, RHEL 8+
  • Root or sudo privileges
  • Minimum 6GB RAM
  • 20GB Disk Space

Download the Installation Package
Obtain the latest aegis.rpm or aegis.deb package from the Praetorian support team.

RedHat Agent Installation

sudo rpm -i aegis_agent_amd64.rpm

Debian Agent Installation

sudo dpkg -i aegis_agent_amd64.deb

Verifying Installation
For systems using systemd, confirm that the agent is running:

systemctl status velociraptor_client

For systems using SysVinit, confirm that the agent is running:

sudo service aegis_client status

Uninstalling the Linux Agent

For RedHat:

sudo rpm -e aegis_agent_amd64

For Debian:

sudo dpkg -r aegis_agent_amd64



Step 3: Deploy the Agent At Scale

Agent Deployment

At scale, we can automate deployment using Ansible, Group Policy, JAMF, SimpleMDM, or SCCM to distribute the agent. The method of deployment is customer technology dependent. Please work with Praetorian support on the deployment of Aegis.


Agentless Deployment

For scenarios where installing an agent is not feasible, Aegis supports an agentless mode that allows execution directly from a network share. This approach is useful when minimizing persistent software installations.

Setting Up Agentless Execution

  1. Create a Network Share: Store the Aegis binary and configuration file in a shared directory, ensuring read-only permissions.

  2. Configure Group Policy: Use the Group Policy Management Console to create a Scheduled Task that runs Aegis from the network share on domain-connected machines.

  3. Execution and Cleanup: The agent runs to collect artifacts and then exits, leaving no persistent installation on the endpoint. It will need to be manually re-executed if needed again.


Your Aegis installation is now complete, and the agents are ready to support your internal penetration testing activities!

We hope this documentation has been helpful. If you find a topic that you would like discussed in detail, or need further assistance, please let us know at support@praetorian.com!


About Aegis Agent

The Aegis agent is built on the Velociraptor open source framework. As part of our commitment to security, Praetorian regularly conducts a comprehensive audit of the underlying codebase, including static code analysis, dynamic testing and security architecture review as well as a thorough dependency analysis and cryptographic validation.