Agent Installation and Deployment Guide

This guide walks you through the process of installing and deploying the Chariot agent (Aegis), tailored for use in assumed breach and internal penetration testing scenarios. 

Aegis is a standalone binary capable of operating on Windows, Linux and macOS hosts. It provides Praetorian with real-time visibility into the environment while maintaining a minimal operational footprint.

This guide covers the prerequisites and installation steps for Windows, Linux and macOS deployments.

The Aegis agent operates independently of local infrastructure, communicating directly with our secure cloud services through encrypted channels. No additional on-premise components are required.


Step 1: Prerequisites

Before starting, ensure the following:

  • Download Aegis Agent: Obtain the latest official Aegis agent binary from the Praetorian support team.

  • Admin Rights: Ensure you have administrative privileges to install and configure Aegis on all target endpoints.

Anti-Virus / EDR Considerations

It's important to prevent anti-virus / EDR software from interfering with Aegis' operations. Some tools may be mistakenly flagged as malicious, causing false positives or execution failures. This section outlines the directories which should be whitelisted to ensure seamless operation, while maintaining the security posture of the endpoint.

Key Directories to Whitelist

Aegis Installation Directory

This is where the Aegis agent binary and core files reside. Whitelisting this directory prevents AV solutions from interfering with the agent's core operations.

  • Windows: c:\Program Files\Aegis
  • Linux: /opt/Aegis

Temporary Staging Directory for Third-Party Tools

Aegis temporarily stages third-party tools in this directory. AV software may flag these tools as suspicious, causing disruptions. Defining and whitelisting this directory ensures smooth execution.

  • Windows: c:\ProgramData\Aegis\tools
  • Linux: /var/lib/Aegis/tools

Artifact Cache and Download Directory

This directory stores downloaded artifacts and cached data required by Aegis. AV solutions might flag cached binaries or artifacts as suspicious.

  • Windows: c:\ProgramData\Velociraptor\cache
  • Linux: /var/cache/Aegis

Logs and Execution Data Directory

AV interference with log files is rare; however, aggressive monitoring tools may trigger alerts based on log content, especially when logs contain sensitive process execution data.

  • Windows: c:\ProgramData\Aegis\logs
  • Linux: /var/log/Aegis
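
Excluding a directory from AV/EDR scanning is only safe if unprivileged users cannot write into it. The following added example (not part of Praetorian's tooling) audits the Linux directories listed above; the policy it enforces, root ownership with no group or world write access, is an assumption rather than a documented Aegis requirement.

```sh
#!/bin/sh
# Added example: audit the AV/EDR-excluded Aegis directories on Linux.
# The paths are the Linux directories listed in this guide; the policy
# (owned by root, no group/world write) is an assumption of this example.

AEGIS_EXCLUDED_DIRS="/opt/Aegis /var/lib/Aegis/tools /var/cache/Aegis /var/log/Aegis"

# audit_dir DIR [OWNER]
# Prints every entry under DIR (DIR included) that is not owned by OWNER
# or is group/world-writable. Symlinks are skipped because their mode
# bits are always rwxrwxrwx on Linux and carry no meaning.
# Returns 0 if clean, 1 if there are findings, 2 if DIR does not exist.
audit_dir() {
    dir=$1
    owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 2
    fi
    findings=$(find "$dir" ! -type l \
        \( ! -user "$owner" -o -perm -0020 -o -perm -0002 \) -print 2>/dev/null)
    if [ -n "$findings" ]; then
        echo "$findings" | sed 's/^/UNSAFE   /'
        return 1
    fi
    echo "OK       $dir"
    return 0
}

# audit_all OWNER DIR...
# Audits each DIR; the return status is the number of directories that
# were missing or had findings.
audit_all() {
    owner=$1; shift
    bad=0
    for d in "$@"; do
        audit_dir "$d" "$owner" || bad=$((bad + 1))
    done
    return "$bad"
}

# Audit the guide's directories only when invoked with --run, so the
# functions can also be sourced into other tooling.
if [ "${1:-}" = "--run" ]; then
    rc=0
    audit_all root $AEGIS_EXCLUDED_DIRS || rc=$?
    echo "directories needing attention: $rc"
fi
```

Invoke the script with --run after installation and before the exclusions are pushed to the AV/EDR console; any UNSAFE line is a location where a non-root user could place a file that will not be scanned.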

Network Requirements / Firewall Rules

The Aegis agent requires outbound internet access to communicate with our infrastructure and to support its integrated VPN connectivity.

The environment must allow endpoints to establish and maintain connections to the following services for Aegis to function correctly:

Hostname                        Port    Protocol
agent.chariot.praetorian.com    443     TCP
controlplane.tailscale.com      443     TCP
stunport.tailscale.com          3478    UDP
*.derp.tailscale.com            443     TCP




Step 2: Operating System Requirements

 

Microsoft Windows

Prerequisites

  • Windows 8 / Windows Server 2012 or later
  • The Aegis installer must be executed with local administrator privileges
  • Minimum 8GB RAM
  • 20GB free disk space

Installation

Windows MSI Install

To install the Windows MSI from the command line (which requires elevated privileges), simply run:

msiexec /i aegis.msi

This will install the binary and client configuration file in the following directory:

C:\Program Files\Aegis\

It will also create a service named "aegis", and start it.

The Aegis service runs using the Local System account. Startup of the service is Automatic with a delayed start.

Windows MSI Uninstall

To remove Aegis from Windows, run the following command in an elevated command prompt:

msiexec /x aegis.msi

Alternatively, use Add or Remove Programs in Windows settings to uninstall Aegis.

 

macOS

Prerequisites

  • macOS 11 (Big Sur) or later
  • Administrator privileges
  • Minimum 6GB RAM
  • 20GB Disk Space

Installing via PKG

To install the Aegis agent on macOS using a PKG installer, follow these steps:

Download the PKG Installer
Obtain the latest aegis.pkg package from the Praetorian support team.

Install the agent
Open a terminal and execute the following command with administrative privileges:

sudo installer -pkg aegis.pkg -target /

This command installs the Aegis agent into the /Applications/Aegis/ directory and configures it as a background service.

Verify Installation
After installation, confirm that the agent is running:

sudo launchctl list | grep aegis

You should see an entry for the Aegis service.

Start the Agent Manually (if needed)
If the agent does not start automatically, you can manually start it:

sudo launchctl load /Library/LaunchDaemons/com.praetorian.aegis.plist
sudo launchctl start com.praetorian.aegis

Uninstalling the Agent
If you need to remove Aegis, use the following command:

sudo pkgutil --forget com.praetorian.aegis
sudo rm -rf /Applications/Aegis/
sudo rm /Library/LaunchDaemons/com.praetorian.aegis.plist

Your Aegis agent is now installed and ready to use on macOS.

 

Linux

Prerequisites

  • Supported distributions: Ubuntu 20.04+, RHEL 8+
  • Root or sudo privileges
  • Minimum 6GB RAM
  • 20GB Disk Space

Download the Installation Package
Obtain the latest aegis.rpm or aegis.deb package from the Praetorian support team.

RedHat Agent Installation

sudo rpm -i aegis_agent_amd64.rpm

Debian Agent Installation

sudo dpkg -i aegis_agent_amd64.deb

Verifying Installation
For systems using SysVinit, confirm that the agent is running:

service velociraptor_client status

For systems using systemd, confirm that the agent is running:

systemctl status aegis_client

Uninstalling the Linux Agent

For RedHat:

sudo rpm -e aegis_agent_amd64

For Debian:

sudo dpkg -r aegis_agent_amd64

 


Step 3: Deploy the Agent At Scale

Agent Deployment

At scale, we can automate deployment using Ansible, Group Policy, JAMF, SimpleMDM, or SCCM to distribute the agent. The deployment method depends on the customer's technology. Please work with Praetorian support on the deployment of Aegis.

 

Agentless Deployment

For scenarios where installing an agent is not feasible, Aegis supports an agentless mode that allows execution directly from a network share. This approach is useful when minimizing persistent software installations.

Setting Up Agentless Execution

  1. Create a Network Share: Store the Aegis binary and configuration file in a shared directory, ensuring read-only permissions.

  2. Configure Group Policy: Use the Group Policy Management Console to create a Scheduled Task that runs Aegis from the network share on domain-connected machines.

  3. Execution and Cleanup: The agent runs to collect artifacts and then exits, leaving no persistent installation on the endpoint. It will need to be manually re-executed if needed again.


Your Aegis installation is now complete, and the agents are ready to support your internal penetration testing activities!

We hope this documentation has been helpful. If you find a topic that you would like discussed in detail, or need further assistance, please let us know at support@praetorian.com!

 

About Aegis Agent

The Aegis agent is built on the Velociraptor open source framework. As part of our commitment to security, Praetorian regularly conducts a comprehensive audit of the underlying codebase, including static code analysis, dynamic testing and security architecture review, as well as a thorough dependency analysis and cryptographic validation.