Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 634 TTPs.

T1204.002

Is this host protected from NanoCore RAT?
CISA released an advisory in August 2022 on NanoCore RAT, which could allow an attacker to control a victim's machine. This TTP uses NanoCore's methods of adding a NanoCore exclusion in Windows Defender and enabling persistence through a scheduled task. NanoCore RAT may steal user account information, including passwords and credentials.

T1074

Is this host protected from Qakbot?
CISA released an advisory in August 2022 on Qakbot, which has been observed as a banking trojan and used to form botnets. This TTP creates a scheduled task, modifies the registry, and creates a staging folder to emulate data collection and exfiltration. Protection from Qakbot is important because this malware serves as a delivery agent for ransomware.

T1203

Is CVE-2022-29464 patched on this host?
Certain WSO2 products allow unrestricted file uploads, resulting in remote code execution. This TTP attempts to upload a web shell to the WSO2 API Manager server using a specially crafted POST request. An attacker can leverage this vulnerability to modify the filesystem or gain remote code execution on the affected server.

T1203

Is CVE-2022-22947 patched on this host?
In Spring Cloud Gateway, the actuator endpoint is vulnerable to an arbitrary code execution attack in versions prior to 3.1.1 and 3.0.7. This TTP sends a curl request that attempts to publish a new endpoint and run the 'id' command on the remote host. A remote attacker could make a maliciously crafted request that allows arbitrary code execution on the remote host.

T1203

Is CVE-2022-0543 patched on this host?
CVE-2022-0543 is a Lua sandbox escape in Redis that may result in arbitrary code execution. This TTP exploits the vulnerability via a specially crafted Redis client command. Patching CVE-2022-0543 is essential because an unauthenticated user may exploit this vulnerability to run arbitrary code on the system.

CVE-2022-33891

Is CVE-2022-33891 patched on this host?
Apache Spark configured with spark.acls.enable set to true is vulnerable to remote code execution via the doAs parameter. This TTP attempts to access the doAs parameter; if that succeeds, it then attempts to run a shell command. This exploit is easy to use, reliable, and affects many Apache Spark versions.

T1486

Is this host protected from Maui Ransomware?
CISA released an advisory in July 2022 on Maui ransomware, which has been used by North Korean state-sponsored actors since at least May 2021 to encrypt files on infected hosts. This TTP uses a defanged (non-malicious) version of Maui which can be used to check whether the ransomware is detected. Endpoint detection should identify Maui ransomware samples and respond before they can cause damage.

CVE-2022-22965

Is CVE-2022-22965 patched on this host?
Spring Core Framework before 5.13.18 or 5.2.20 is vulnerable to a remote code execution vulnerability. This TTP sends a few cURL requests that temporarily install a backdoor. If the backdoor is installed and commands can be executed, the host is deemed vulnerable. You should be able to identify and remediate a backdoor that can execute shell commands once it has been installed on your network.

T1486

Are you protected against Ryuk Ransomware?
Ryuk is a ransomware binary that encrypts file systems. This TTP uses a defanged (non-malicious) version of Ryuk which can be used to check if replaying the attack is shut down by any endpoint defense. This is important because defenses should detect the artifacts created by Ryuk and respond before it can cause damage.

CVE-2021-41773

Is Apache HTTP vulnerable to remote code execution?
Apache HTTP version 2.4.49 does not normalize paths correctly, allowing an attacker to execute arbitrary code. This TTP sends a cURL request containing the 'uname -a' command, which is executed by '/bin/sh' via Apache's 'mod_cgi'. If the response matches the local box's 'uname -a' output, then the CVE was successfully exploited.

CVE-2021-3156

Are you vulnerable to Baron Samedit?
Baron Samedit is a vulnerability in sudoedit that allows a heap-based buffer overflow which escalates low-privileged users to root. This TTP checks the sudo version and tests the buffer overflow; if no "Segmentation Fault" appears, you are not vulnerable.

CVE-2021-41773

Is Apache HTTP vulnerable to path traversal?
Apache HTTP version 2.4.49 does not normalize paths correctly, allowing an attacker to traverse file paths on the server. This TTP sends a cURL request containing the location of '/etc/passwd'. If the response matches the contents of the local box's '/etc/passwd', then the CVE was successfully exploited.

T1608.002

Launch a gost server
Launches a gost (Go simple tunnel) socks5 proxy server on a user-specified port and logs to a gost_server.log file.

T1572

Launch a gost client
Launch a gost (Go simple tunnel) client and connect to a specified gost socks5 proxy server. Network traffic sent to the local gost client port will be proxied through the specified gost server.

T1588.002

Install Metasploit Framework
Automatically install Metasploit Framework and initialize the database with defaults. This can be used to run Metasploit modules from the staging server via an agent.

T1068

Spawn elevated Pneuma via CVE-2021-3490 (eBPF)
Spawn a beacon using the eBPF vulnerability identified in CVE-2021-3490. The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out-of-bounds reads and writes in the Linux kernel and therefore arbitrary code execution.

T1588.002

Install CrackMapExec (CME) Pipx module
Automatically install CrackMapExec (CME) using a Python3 pipx module. CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features and protocols to achieve its functionality, allowing it to evade most endpoint protection/IDS/IPS solutions.

T1588.002

Install Python3
Automatically install Python3 using the correct repository for RPM or DEB packages.

T1588.002

Install Chisel server
Obtain a Chisel server payload on the target server using an installation script. The script will automatically detect and install the correct version of Chisel 1.7.6 for the target platform.

T1588.002

Install proxychains
Automatically install proxychains using the correct repository for RPM or DEB packages. ProxyChains is a UNIX program that hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies.

T1608.002

Launch a Chisel server
Launches a Chisel server on a user-specified port and logs to a chisel_server.log file in the /tmp directory. Requires Chisel to be installed before the TTP will run, unless a variant is selected.

T1572

Launch a Chisel client connection
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you are sending them to the command-line client. Supported flags are: Server (https://chisel-demo.herokuapp.com), Remotes ("3000", "<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="), Proxy, Auth, TLSSkipVerify (default: false).

T1016

Discover vulnerable AD CS certificates
Use the Certify tool to enumerate misconfigurations in Active Directory Certificate Services (AD CS).

T1082

View Basic OS Properties
hostnamectl controls the system hostname and its related settings, so it can also be used to view the hostname along with the kernel version, machine ID, boot ID, and the Linux distribution installed on a Linux computer.

T1518

List pip Packages
This will provide a list of currently installed pip packages on the system.

T1518

Grab python version
Determine the version of the python interpreter found in the current PATH.

T1082

View detailed CPU information
This command provides useful CPU information, including core count, cache, virtualization support, and more.

T1082

View Nvidia GPU information
If an Nvidia GPU is installed, this will provide information on the GPU driver version, CUDA version, processes that last used the GPU, temperatures, and more.

T1613

Docker & LXC detection
Run a script to detect if your agent exists in either a Docker or LXC container.

T1106

Bypass AMSI, load, and run XOR'd SharpHound payload
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This TTP uses an existing XOR'd SharpHound payload on disk to load and run SharpHound in memory. It bypasses the Antimalware Scan Interface (AMSI) in the current PowerShell process to allow SharpHound to be loaded.