Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 662 TTPs.

Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

Themes

Tags

Licenses

T1611

Is my Docker container vulnerable to RDMA cgroup controller escape?
Containers that are running in privileged mode or with SYS_ADMIN capability may be vulnerable to a privilege escalation and container escape. This TTP attempts to mount the RDMA cgroup controller and configure the release_agent to execute an arbitrary script as the root user. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container. /static/assets/linux-logo.svg

T1611

Is my Docker container vulnerable to cgroup controller escape?
Containers that are running in privileged mode may be vulnerable to a privilege escalation and container escape. This TTP attempts to configure a cgroup controller release_agent to execute an arbitrary script as the root user. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container. /static/assets/linux-logo.svg

T1611

Is my Docker container vulnerable to hostPID privilege escalation?
Containers that are running in privileged mode and have the hostPID flag enabled are vulnerable to a privilege escalation and container escape to the host system. This TTP attempts to use nsenter to enter the namespace of the init system process (PID 1) on the host to spawn a root shell. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container. /static/assets/linux-logo.svg

T1203

Is Atlassian Bitbucket Server or Data Center patched against CVE-2022-36804?
In Atlassian Bitbucket Server and Data Center there is a command injection vulnerability in multiple API endpoints. This TTP sends a curl request that will attempt to execute a command `cat /etc/passwd` on the remote host. An attacker with read permissions on a public or private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request. /static/assets/linux-logo.svg

T1055.003

Process injection via Thread Hijacking
This TTP will create a notepad process and hijack one of the threads. The hijacked thread will be suspended and have its instruction pointer changed to the address of the shellcode; when the thread is resumed, `calc.exe` will be launched. /static/assets/windows-logo.svg

T1055.002

API unhooking via Perun's Fart
This TTP will create a new process in a suspended state, create a clean version of `ntdll.dll`, and overwrite the `ntdll.dll` from the current process to unhook it. After `ntdll.dll` is unhooked, the shellcode is executed to spawn calc.exe. /static/assets/windows-logo.svg

T1055.004

Process injection via UserAPC Queuing
This TTP will launch a notepad process and queue a user-mode asynchronous procedure call, that should launch calc.exe when the thread is resumed. /static/assets/windows-logo.svg

T1055.002

Process injection via CreateRemoteThread
This TTP will launch a notepad process and then inject shellcode into it. When the shellcode is executed, it will launch a new calc.exe process and crash notepad. /static/assets/windows-logo.svg

T1204.002

Are MOUSEISLAND malware procedures mitigated on this host?
CISA released an advisory in August 2022 on MOUSEISLAND, which is classified as a macro downloader. This TTP downloads a ZIP file, extracts it, and if MS Office is installed then attempts to run it. The macro attempts to download an EICAR file. Protection from MOUSEISLAND is important because this malware serves as the initial phase for ransomware./static/assets/windows-logo.svg

T1204.002

Are Ursnif malware procedures mitigated on this host?
CISA released an advisory in August 2022 on Ursnif malware, a banking trojan that steals financial data. This TTP uses Ursnif's methods of collecting system information and executing staged binaries. AZOrult may steal user account information, including passwords and credentials. /static/assets/windows-logo.svg

T1204.002

Are GootLoader malware procedures mitigated on this host?
CISA released an advisory in August 2022 on GootLoader, a malware loader. This TTP uses GootLoader's methods of downloading a JScript file within a Zip file, using Wscript to execute the JS file to add specific registry keys, reflectively loading a non-existent DLL, and creating a scheduled task for persistence. GootLoader may deploy Cobalt Strike Beacons, deploy banking Trojans, and even ransomware. /static/assets/windows-logo.svg

T1204.002

Are AZOrult malware procedures mitigated on this host?
CISA released an advisory in August 2022 on AZOrult malware, which could allow an attacker to steal information from compromised devices. This TTP uses AZOrult's methods of disabling Windows Defender and enabling persistence through a scheduled task. AZOrult may steal user account information, including passwords and credentials. /static/assets/windows-logo.svg

T1056.001

Can this host mitigate procedures used in FormBook malware?
CISA released an advisory in August 2022 on FormBook malware which can steal victims' information. This TTP captures keystrokes and clipboard data and logs it to a temporary file. Protection from keyloggers is essential because this type of malware may steal user account credentials or sensitive information. /static/assets/windows-logo.svg

T1003

Can this host mitigate procedures used in LokiBot malware?
CISA released an advisory in August 2022 on LokiBot malware, which can steal victims' information. This TTP emulates LokiBot's collection of browser information and stored credentials. Protection from credential dumping is essential because malware may steal account credentials to gain access to information for use in lateral movement and privilege escalation. /static/assets/windows-logo.svg

T1204.002

Is this host protected from NanoCore RAT?
CISA released an advisory in August 2022 on NanoCore RAT, which could allow an attacker to control a victim's machine. This TTP uses NanoCore's methods of adding a NanoCore exclusion in Windows Defender and enabling persistence through a scheduled task. NanoCore RAT may steal user account information, including passwords and credentials. /static/assets/windows-logo.svg

T1074

Is this host protected from Qakbot?
CISA released an advisory in August 2022 on Qakbot, which has been observed as a banking trojan and used to form botnets. This TTP creates a scheduled task, modifies the registry, and creates a staging folder to emulate data collection and exfiltration. Protection from Qakbot is important because this malware serves as a delivery agent for ransomware./static/assets/windows-logo.svg

T1203

Is CVE-2022-29464 patched on this host?
Certain WSO2 products allow unrestricted file uploads, resulting in remote code execution. This TTP attempts to upload a web shell on the WS02 API Manager server using a specially crafted POST request. An attacker can leverage this vulnerability to modify the filesystem or gain remote code execution on the affected server. /static/assets/linux-logo.svg

T1203

Is CVE-2022-22947 patched on this host?
In Spring Cloud Gateway, the actuator endpoint is vulnerable to an arbitrary code execution attack in versions before 3.1.1+ and 3.0.7+. This TTP sends a curl request that will attempt to publish a new endpoint and run the 'id' command on the remote host. A remote attacker could make a maliciously crafted request that allows arbitrary code execution on the remote host. /static/assets/linux-logo.svg

T1203

Is CVE-2022-0543 patched on this host?
CVE-2022-0543 is a Lua sandbox escape in Redis that may result in arbitrary code execution. This TTP exploits the vulnerability via a specially crafted Redis client command. Patching CVE-2022-0543 is essential because an unauthenticated user may exploit this vulnerability to run arbitrary code on the system. /static/assets/linux-logo.svg

CVE-2022-33891

Is CVE-2022-33891 patched on this host?
Apache Spark configured with spark.acls.enable set to true is vulnerable to remote code execution via the doAs paramater. This TTP attempts to access the doAs paramater, if it does successfully then it will attempt to run a shell command. This exploit is very easy to use, reliable and effects many Apache Spark versions. /static/assets/linux-logo.svg

T1486

Is this host protected from Maui Ransomware?
CISA released an advisory in July 2022 on Maui ransomware which has been used by North Korean state-sponsored actors since at least May 2021 to encrypt files in infected hosts. This TTP uses a defanged (non-malicious) version of Maui which can be used to check if the ransomware is detected. Endpoint detection should identify Maui ransomware samples and respond before they can cause damage. /static/assets/windows-logo.svg

CVE-2022-22965

Is CVE-2022-22965 patched on this host?
Spring Core Framework before 5.13.18 or 5.2.20 is vulnerable to a remote code execution vulnerability. This TTP sends a few cURL requests installing a backdoor temporarily. If the backdoor is installed and commands can be executed you will be deemed vulnerable. You should be able to idenitfy and remediate a backdoor that can execute shell commands that has been installed on your network. /static/assets/linux-logo.svg

T1486

Are you protected against Ryuk Ransomware?
Ryuk is a ransomware binary that encrypts file systems. This TTP uses a defanged (non-malicious) version of Ryuk which can be used to check if replaying the attack is shut down by any endpoint defense. This is important because defenses should detect the artifacts created by Ryuk and respond before it can cause damage. /static/assets/windows-logo.svg

CVE-2021-41773

Is Apache HTTP vulnerable to remote code execution?
Apache HTTP version 2.4.49 does not normalize paths correctly allowing an attacker to execute arbitrary code. This TTP sends a cURL request containing the 'uname -a' command, which is executed by '/bin/sh' via Apache's 'mod_cgi'. If this matches the local box's 'uname -a' output, then the CVE was successfully exploited. /static/assets/linux-logo.svg

CVE-2021-3156

Are you vulnerable to Baron Samedit?
Baron SamEdit is a vulnerability in sudoedit that allowed for a heap based buffer overflow which escalated low privileged users to root. In this TTP we check the version and test a buffer overflow, if no "Segmentation Fault" appears, you are not vulnerable. /static/assets/linux-logo.svg

CVE-2021-41773

Is Apache HTTP vulnerable to path traversal?
Apache HTTP version 2.4.49 does not normalize paths correctly allowing an attacker to traverse filepaths on the server. This TTP sends a cURL request containing the location of '/etc/passwd'. If the response matches the output from the local box's '/etc/passwd', then the CVE was successfully exploited. /static/assets/linux-logo.svg

T1608.002

Launch a gost server
Launches a gost (Go simple tunnel) socks5 proxy server with a user specified port and log to a gost_server.log file. /static/assets/linux-logo.svg/static/assets/apple-logo.svg/static/assets/windows-logo.svg

T1572

Launch a gost client
Launch a gost (Go simple tunnel) client and connect to a specified gost socks5 proxy server. Network traffic sent to the local gost client port will be proxied through the specified gost server. /static/assets/linux-logo.svg/static/assets/apple-logo.svg/static/assets/windows-logo.svg

T1588.002

Install Metasploit Framework
Automatically install Metasploit framework and initalize the database with defaults. This can be used to run metasploit modules from the staging server via an agent. /static/assets/terminal-logo.svg

T1068

Spawn elevated Pneuma via CVE-2021-3490 (eBPF)
Spawn a beacon using the (eBPF vulnerability) identified in CVE-2021-3490.The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution./static/assets/linux-logo.svg
1223