Prelude chain browser

Every week, the Prelude team designs, builds and chains together TTPs. These chains mimic real-world cyberattacks and can be safely used to test your internal defenses. All of them can be run in Prelude Operator.

Chains, sorted by release date (newest first):

Operation Ghost (released 2022-03-15; platform: Linux)
Emulating APT29's malware loader via steganography.

Dirty Pipe CVE-2022-0847 (released 2022-03-14; platform: Linux)
Allows an attacker to modify arbitrary read-only files.

PolarCalm (released 2022-03-08; platforms: Darwin, Linux, Windows)
Emulating Cozy Bear's (APT29) supply chain attack.

Sliver BOF and Execute-Assembly (released 2022-03-01; platform: Windows)
Add a COFF loader, run BOFs and execute-assembly TTPs.

APT29 Democratic National Committee (released 2022-03-01; platform: Windows)
Emulating Cozy Bear's 2016 Democratic National Committee hack.

Conti Deploy Ransomware (released 2022-02-14; platform: Windows)
Deploy Conti ransomware to encrypt host files.

Conti Collect and Exfiltrate (released 2022-02-08; platform: Windows)
Automatically collect information and exfiltrate it with rclone to a cloud service.

Conti Move To Remote System (released 2022-02-01; platform: Windows)
Perform lateral movement of the Jambi agent to discovered AD targets.

LPE in polkit (CVE-2021-4034) (released 2022-01-26; platform: Linux)
An LPE in polkit's pkexec affecting all major distros since May 2009.

Conti Privilege Escalation and Persistence (released 2022-01-25; platform: Windows)
Use the PrintNightmare and ZeroLogon exploits to gain privileges and extract the krbtgt NTLM hash from a DC.

Conti Local and Remote Discovery (released 2022-01-18; platform: Windows)
Using the Jambi agent from the initial access chain, discover local services and Active Directory objects, and check the box for PrintNightmare.

Log4j Infrastructure (released 2022-01-13; platform: Linux)
Stand up infrastructure to exploit CVE-2021-44228.

Conti Recon And Initial Access (released 2022-01-10; platform: Windows)
Perform recon and initial access of the target environment.

CSwipe (released 2022-01-04; platform: Linux)
Deploy a custom payload to achieve ransomware without using traditional encryption.

S(C)wipe (released 2021-12-28; platform: Darwin)
Deploy a custom payload to achieve ransomware without using traditional encryption.

Windows LotL Ransomware (released 2021-12-21; platform: Windows)
Deploy a Windows living-off-the-land ransomware attack.

Linux LotL Ransomware (released 2021-12-14; platform: Linux)
Deploy a Linux living-off-the-land ransomware attack.

Android ADB Shell (released 2021-12-07; platform: Android)
A first collection of TTPs for Android, specifically targeting ADB shell commands.

Staging Server (Server-side) (released 2021-11-30; platforms: Linux, Darwin)
Deploy capabilities to a staging server and establish a reverse proxy.

Jambi Modules (released 2021-11-16; platform: Windows)
Use PowerShell functions to create a script implant that dynamically resolves and loads modules at runtime.

eBPF CVE-2021-3490 (released 2021-11-09; platform: Linux)
Elevate an unprivileged user to root privileges via CVE-2021-3490 (eBPF) exploitation.

Sequoia (released 2021-10-26; platform: Linux)
Elevate an unprivileged user to root privileges via CVE-2021-33909 (Sequoia) exploitation.

Vulnerable Certificates (released 2021-10-19; platform: Windows)
Ingress, load, and run Certify to find vulnerable certificates.

B1-66ER (Discovery) (released 2021-10-12; platform: Linux)
Perform discovery techniques to determine if an agent has access to an ML/DL environment.

JXA Modules (released 2021-10-05; platform: Darwin)
Use JXA to create a fully modular file-less implant that dynamically resolves and loads modules at runtime.

B1-66ER (Initial Access) (released 2021-09-28; platform: Linux)
Gain initial access by installing SciPy with a concealed Schism agent.

Conti (Discovery) (released 2021-09-21; platform: Windows)
Perform the initial discovery and credential access techniques used in the Conti ransomware playbook.

SharpHound (released 2021-09-07; platform: Windows)
Ingress, load, and run the SharpHound collector.

JXA Access (released 2021-08-24; platform: Darwin)
Use JXA to load a file-less agent into memory and create persistence mechanisms on OS X.

Kaseya VSA Attack (released 2021-08-16; platform: Windows)
Side-load an agent using components of the REvil ransomware attack kill chain.