This guide walks you through the process of installing and deploying the Chariot agent (Aegis), tailored for use in assumed breach and internal penetration testing scenarios.
Aegis is a standalone binary capable of operating on Windows, Linux and macOS hosts. It provides Praetorian with real-time visibility into the environment while maintaining a minimal operational footprint.
This guide covers the prerequisites and installation steps for Windows, Linux and macOS deployments.
The Aegis agent operates independently of local infrastructure, communicating directly with our secure cloud services through encrypted channels. No additional on-premise components are required.
Step 1: Prerequisites
Before starting, ensure the following:
- Download Aegis Agent: Obtain the latest official Aegis agent binary from the Praetorian support team.
- Admin Rights: Ensure you have administrative privileges to install and configure Aegis on all target endpoints.
Anti-Virus / EDR Considerations
It's important to prevent anti-virus / EDR software from interfering with Aegis' operations. Some tools may be mistakenly flagged as malicious, causing false positives or execution failures. This section outlines the directories which should be whitelisted to ensure seamless operation, while maintaining the security posture of the endpoint.
Key Directories to Whitelist
Aegis Installation Directory
This is where the Aegis agent binary and core files reside. Whitelisting this directory prevents AV solutions from interfering with the agent's core operations.
- Windows: c:\Program Files\Aegis
- Linux: /opt/Aegis
Temporary Staging Directory for Third-Party Tools
Aegis temporarily stages third-party tools in this directory. AV software may flag these tools as suspicious, causing disruptions. Defining and whitelisting this directory ensures smooth execution.
- Windows: c:\ProgramData\Aegis\tools
- Linux: /var/lib/Aegis/tools
Artifact Cache and Download Directory
This directory stores downloaded artifacts and cached data required by Aegis. AV solutions might flag cached binaries or artifacts as suspicious.
- Windows: c:\ProgramData\Velociraptor\cache
- Linux: /var/cache/Aegis
Logs and Execution Data Directory
AV interference with log files is rare; however, aggressive monitoring tools may trigger alerts based on log content, especially when logs contain sensitive process execution data.
- Windows: c:\ProgramData\Aegis\logs
- Linux: /var/log/Aegis
Network Requirements / Firewall Rules
The Aegis agent requires outbound internet access to communicate with our infrastructure and integrated VPN connectivity.
The environment must allow endpoints to establish and maintain connections to the following services for Aegis to function correctly:
Hostname | Port | Protocol |
agent.chariot.praetorian.com | 443 | TCP |
controlplane.tailscale.com | 443 | TCP |
stunport.tailscale.com | 3478 | UDP |
*.derp.tailscale.com | 443 | TCP |
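An added pre-flight check for the firewall rules above (example code, not part of Praetorian's documentation or tooling): it probes the TCP endpoints with a handshake and the UDP endpoint with a STUN Binding Request, because a UDP port cannot be confirmed by connecting alone. It assumes the UDP 3478 service answers STUN (RFC 5389); the function names are illustrative.

```python
import os
import socket
import struct

# Endpoints copied from the table above.
REQUIRED = [
    ("agent.chariot.praetorian.com", 443, "tcp"),
    ("controlplane.tailscale.com", 443, "tcp"),
    ("stunport.tailscale.com", 3478, "udp"),
    ("*.derp.tailscale.com", 443, "tcp"),
]
STUN_MAGIC = 0x2112A442  # RFC 5389 magic cookie

def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_stun(host, port, timeout=3.0):
    """True if host:port answers a STUN Binding Request (assumption: the UDP service is STUN)."""
    txid = os.urandom(12)
    request = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC) + txid
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, addr)
            reply, _ = s.recvfrom(2048)
    except OSError:
        return False
    # Binding Success (0x0101) that echoes our magic cookie and transaction ID
    return len(reply) >= 20 and reply[:2] == b"\x01\x01" and reply[4:20] == request[4:20]

def preflight(endpoints=REQUIRED, timeout=3.0):
    """Map each (host, port, proto) to 'ok', 'blocked' or 'skipped (wildcard)'."""
    results = {}
    for host, port, proto in endpoints:
        if "*" in host:  # wildcard row: no single hostname to probe
            results[(host, port, proto)] = "skipped (wildcard)"
            continue
        probe = check_tcp if proto == "tcp" else check_stun
        results[(host, port, proto)] = "ok" if probe(host, port, timeout) else "blocked"
    return results

if __name__ == "__main__":
    for (host, port, proto), status in preflight().items():
        print(f"{host}:{port}/{proto}: {status}")
```

A "blocked" result on a TLS-inspecting proxy path can still mean the handshake is intercepted rather than dropped, so confirm against firewall logs when results are unexpected.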
Step 2: Operating System Requirements
Microsoft Windows
Prerequisites
- Windows 8 / Windows Server 2012 or later
- The Aegis installer must be executed with local administrator privileges
- Minimum 8GB RAM
- 20GB free disk space
Installation
Windows MSI Install
To install the Windows MSI from the command line (which requires elevated privileges), run:
msiexec /i aegis.msi
This will install the binary and client configuration file in the following directory:
C:\Program Files\Aegis\
It will also create a service named "aegis", and start it.
The Aegis service runs using the Local System account. Startup of the service is Automatic with a delayed start.
Windows MSI Uninstall
To remove Aegis from Windows, run the following command in an elevated command prompt:
msiexec /x aegis.msi
Alternatively, use Add or Remove Programs in Windows settings to uninstall Aegis.
macOS
Prerequisites
- macOS 11 (Big Sur) or later
- Administrator privileges
- Minimum 6GB RAM
- 20GB Disk Space
Installing via PKG
To install the Aegis agent on macOS using a PKG installer, follow these steps:
Download the PKG Installer
Obtain the latest aegis.pkg package from the Praetorian support team.
Install the agent
Open a terminal and execute the following command with administrative privileges:
sudo installer -pkg aegis.pkg -target /
This command installs the Aegis agent into the /Applications/Aegis/ directory and configures it as a background service.
Verify Installation
After installation, confirm that the agent is running:
sudo launchctl list | grep aegis
You should see an entry for the Aegis service.
Start the Agent Manually (if needed)
If the agent does not start automatically, you can manually start it:
sudo launchctl load /Library/LaunchDaemons/com.praetorian.aegis.plist
sudo launchctl start com.praetorian.aegis
Uninstalling the Agent
If you need to remove Aegis, use the following commands:
sudo pkgutil --forget com.praetorian.aegis
sudo rm -rf /Applications/Aegis/
sudo rm /Library/LaunchDaemons/com.praetorian.aegis.plist
Your Aegis agent is now installed and ready to use on macOS.
Linux
Prerequisites
- Supported distributions: Ubuntu 20.04+, RHEL 8+
- Root or sudo privileges
- Minimum 6GB RAM
- 20GB Disk Space
Download the Installation Package
Obtain the latest aegis.rpm or aegis.deb package from the Praetorian support team.
RedHat Agent Installation
sudo rpm -i aegis_agent_amd64.rpm
Debian Agent Installation
sudo dpkg -i aegis_agent_amd64.deb
Verifying Installation
For systems using SysVinit, confirm that the agent is running:
service velociraptor_client status
For systems using systemd, confirm that the agent is running:
systemctl status aegis_client
Uninstalling the Linux Agent
For RedHat:
sudo rpm -e aegis_agent_amd64
For Debian:
sudo dpkg -r aegis_agent_amd64
Step 3: Deploy the Agent At Scale
Agent Deployment
At scale, we can automate deployment using Ansible, Group Policy, JAMF, SimpleMDM, or SCCM to distribute the agent. The deployment method depends on the customer's technology stack. Please work with Praetorian support on the deployment of Aegis.
Agentless Deployment
For scenarios where installing an agent is not feasible, Aegis supports an agentless mode that allows execution directly from a network share. This approach is useful when minimizing persistent software installations.
Setting Up Agentless Execution
- Create a Network Share: Store the Aegis binary and configuration file in a shared directory, ensuring read-only permissions.
- Configure Group Policy: Use the Group Policy Management Console to create a Scheduled Task that runs Aegis from the network share on domain-connected machines.
- Execution and Cleanup: The agent runs to collect artifacts and then exits, leaving no persistent installation on the endpoint. It will need to be manually re-executed if needed again.
Your Aegis installation is now complete, and the agents are ready to support your internal penetration testing activities!
We hope this documentation has been helpful. If you find a topic that you would like discussed in detail, or need further assistance, please let us know at support@praetorian.com!
About Aegis Agent
The Aegis agent is built on the Velociraptor open source framework. As part of our commitment to security, Praetorian regularly conducts a comprehensive audit of the underlying codebase, including static code analysis, dynamic testing and security architecture review as well as a thorough dependency analysis and cryptographic validation.