Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 671 TTPs.

Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

Themes

Tags

Licenses

T1588.002

Install CrackMapExec (CME) Pipx module
Automatically install CrackMapExec (CME) using a Python3 Pipx module. CrackMapExec (a.k.a CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection/IDS/IPS solutions. /static/assets/terminal-logo.svg

T1588.002

Install Python3
Automatically install Python3 using correct repository for RPM or DEB packages. /static/assets/terminal-logo.svg

T1588.002

Install Chisel server
Obtain a Chisel server payload on the target server using an installation script. The script will automatically detect and install the correct version of Chisel 1.7.6 for the target platform. /static/assets/terminal-logo.svg

T1588.002

Install proxychains
Automatically install proxychains using correct repository for RPM or DEB packages. ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies. /static/assets/terminal-logo.svg

T1608.002

Launch a Chisel server
Launches a Chisel server with a user specified port and logs to a chisel_server.log file the /tmp directory. Requires Chisel be installed before the TTP will run unless a variant is selected. /static/assets/terminal-logo.svg

T1572

Launch a Chisel client connection
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you are sending them to the command-line client. Supported flags are: Server (https://chisel-demo.herokuapp.com), Remotes ("3000", "<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="), Proxy, Auth, TLSSkipVerify (default: false). /static/assets/windows-logo.svg/static/assets/apple-logo.svg/static/assets/linux-logo.svg

T1016

Discover vulnerable AD CS certificates
Use the Certify tool to enumerate misconfigurations in Active Directory Certificate Services (AD CS). /static/assets/windows-logo.svg

T1082

View Basic OS Properties
hostnamectl is used to control the system hostname and its related settings and so it can be used to view hostname and other things like kernel version, machine id and boot id and Linux Distro installed in a linux computer. /static/assets/linux-logo.svg

T1518

List pip Packages
This will provide a list of currently installed pip packages on the system./static/assets/linux-logo.svg

T1518

Grab python version
Determine the current python version for python in the current PATH./static/assets/linux-logo.svg

T1082

View detailed CPU information
This command provides useful knowledge of CPU information include core count, cache, virtualization, and more./static/assets/linux-logo.svg

T1082

View Nvidia GPU information
If a Nvidia GPU is installed this will provide information on GPU driver version, CUDA version, processes that used GPU last, temps, and more. /static/assets/linux-logo.svg

T1613

Docker & LXC detection
Run a script to detect if your agent exists in either a Docker or LXC container./static/assets/linux-logo.svg

T1106

Bypass AMSI, load, and run XOR'd SharpHound payload
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This uses an existing XOR'd SharpHound payload on disk to load and run BloodHound in memory. This bypasses the Anti-malware scanning interface (AMSI) in the current powershell process to allow loading of SharpHound. /static/assets/windows-logo.svg

T1074.001

Create an XOR byte
Generate a single byte that can be used across XOR operations on the target system. /static/assets/windows-logo.svg/static/assets/apple-logo.svg/static/assets/linux-logo.svg

T1105

Ingress payload to XOR'd file
Sometimes it's useful to store payloads on a system for use later in an operation. In order to avoid detection by AV/EDR products, a simple XOR can be applied to the bytes before saving the item to disk. This imports a payload and XORs it to a random file on disk. /static/assets/windows-logo.svg

T1489

Quit application
This procedure immediately halts the an installed application, force closing it. /static/assets/apple-logo.svg

T1123

Record room audio using microphone
Most computers have a microphone which is always-on/active. This procedure installs popular recording software, then runs it to record 30 seconds of audio on the computer. Supports installing a Hush module and recording using in-memory JXA. /static/assets/apple-logo.svg/static/assets/linux-logo.svg/static/assets/windows-logo.svg

T1113

Grab a series of desktop screenshots
Capture a series of desktop screenshots to a staging directory. A user may see a permission prompt or hear the snapshots. /static/assets/windows-logo.svg/static/assets/linux-logo.svg/static/assets/apple-logo.svg

T1105

Install a payload request module
Dynamically load and install a module that can download payloads onto the target system. A JXA agent will only request this module if a TTP requiring a payload is used by the agent. /static/assets/apple-logo.svg

T1105

Install and test a shell execution module
Dynamically load and install a module that enables an agent to run shell commands. A JXA agent will only request this module if a TTP requiring a shell command is used. /static/assets/apple-logo.svg

T1082

Enumerate file system partitions
This will display all related information corresponding to the the mounted and unmounted partitions/shares. /static/assets/linux-logo.svg

T1072

Install PSTools
PSTools is a popular Windows toolset for doing standard sysadmin activities. It is often installed on Windows computers so administrators can work easier. This procedure simply downloads and uncompresses it on disk. /static/assets/windows-logo.svg

T1059.001

Create remote Powershell with PowerCat
PowerCat is a tool that uses native PowerShell components to allow an attacker to tansfer files, send and serve reverses shells, and relays similar to NetCat over TCP, SMB, and UDP. This procedure downloads PowerCat from Github, then uses it to open a connection to a remote server using PowerShell./static/assets/windows-logo.svg

T1072

Install PowerShell Core 6
PowerShell is installed by default on Windows computers. It is often abused by hackers, so it is usually heavily monitored by security products. There is a separate open-source project called PowerShell Core which is not monitored. This procedure downloads, installs and restarts a PowerShell agent under PowerShell Core. /static/assets/windows-logo.svg

T1025

Find files on removable media
Devices, such as USB drives, often hold important documents, as they've been intentionally copied to the drive at some point. This procedure determines what files are on external drives. /static/assets/windows-logo.svg

T1562.002

Disable Windows EventLog via EventCleaner
This procedure will stop eventlog using EventCleaner tools. /static/assets/windows-logo.svg

T1003.001

PowerSploit Invoke-Mimikatz
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing. This procedure uses PowerSploit to dump credentials from memory via PowerShell by invoking a remote Mimikatz script. /static/assets/windows-logo.svg

T1056.001

PowerSploit Get-Keystrokes
This procedure will capture keys pressed, time and active window for 60 seconds and log the collected keystrokes in the C:\ directory./static/assets/windows-logo.svg

T1003.001

Dump LSASS memory
LSASS is a Windows process for enforcing security policies. It is stored in memory and it can be dumped to disk, often done as a precuror to analyzing the dump with a credential dumper like Mimikatz. /static/assets/windows-logo.svg