Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.






Install CrackMapExec (CME) Pipx module
Automatically install CrackMapExec (CME) using a Python3 Pipx module. CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.


Install Python3
Automatically install Python3 using the correct repository for RPM or DEB packages.


Install Chisel server
Obtain a Chisel server payload on the target server using an installation script. The script will automatically detect and install the correct version of Chisel 1.7.6 for the target platform.


Install proxychains
Automatically install proxychains using the correct repository for RPM or DEB packages. ProxyChains is a UNIX program that hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects the connections through SOCKS4a/5 or HTTP proxies.


Launch a Chisel server
Launches a Chisel server on a user-specified port and logs to a chisel_server.log file in the /tmp directory. Requires Chisel to be installed before the TTP will run unless a variant is selected.


Launch a Chisel client connection
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you are sending them to the command-line client. Supported flags are: Server (, Remotes ("3000", "<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="), Proxy, Auth, TLSSkipVerify (default: false). Platforms: Windows, macOS, Linux.


Discover vulnerable AD CS certificates
Use the Certify tool to enumerate misconfigurations in Active Directory Certificate Services (AD CS). Platform: Windows.


View Basic OS Properties
hostnamectl controls the system hostname and its related settings, so it can also be used to view the hostname along with other details such as the kernel version, machine ID, boot ID, and the Linux distribution installed on a Linux computer. Platform: Linux.


List pip Packages
This will provide a list of currently installed pip packages on the system. Platform: Linux.


Grab python version
Determine the version of the Python interpreter found in the current PATH. Platform: Linux.


View detailed CPU information
This command provides useful CPU information, including core count, cache, virtualization, and more. Platform: Linux.


View Nvidia GPU information
If an Nvidia GPU is installed, this will provide information on the GPU driver version, CUDA version, processes that last used the GPU, temperatures, and more. Platform: Linux.


Docker & LXC detection
Run a script to detect whether your agent is running inside a Docker or LXC container. Platform: Linux.


Bypass AMSI, load, and run XOR'd SharpHound payload
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This uses an existing XOR'd SharpHound payload on disk to load and run BloodHound in memory. This bypasses the Antimalware Scan Interface (AMSI) in the current PowerShell process to allow loading of SharpHound. Platform: Windows.


Create an XOR byte
Generate a single byte that can be used across XOR operations on the target system. Platforms: Windows, macOS, Linux.


Ingress payload to XOR'd file
Sometimes it's useful to store payloads on a system for use later in an operation. In order to avoid detection by AV/EDR products, a simple XOR can be applied to the bytes before saving the item to disk. This imports a payload and XORs it to a random file on disk. Platform: Windows.


Quit application
This procedure immediately halts an installed application, force closing it. Platform: macOS.


Record room audio using microphone
Most computers have a microphone which is always-on/active. This procedure installs popular recording software, then runs it to record 30 seconds of audio on the computer. Supports installing a Hush module and recording using in-memory JXA. Platforms: macOS, Linux, Windows.


Grab a series of desktop screenshots
Capture a series of desktop screenshots to a staging directory. A user may see a permission prompt or hear the snapshots. Platforms: Windows, Linux, macOS.


Install a payload request module
Dynamically load and install a module that can download payloads onto the target system. A JXA agent will only request this module if a TTP requiring a payload is used by the agent. Platform: macOS.


Install and test a shell execution module
Dynamically load and install a module that enables an agent to run shell commands. A JXA agent will only request this module if a TTP requiring a shell command is used. Platform: macOS.


Enumerate file system partitions
This will display all related information corresponding to the mounted and unmounted partitions/shares. Platform: Linux.


Install PSTools
PSTools is a popular Windows toolset for doing standard sysadmin activities. It is often installed on Windows computers so administrators can work more easily. This procedure simply downloads and uncompresses it on disk. Platform: Windows.


Create remote PowerShell with PowerCat
PowerCat is a tool that uses native PowerShell components to allow an attacker to transfer files, send and serve reverse shells, and set up relays, similar to Netcat, over TCP, SMB, and UDP. This procedure downloads PowerCat from GitHub, then uses it to open a connection to a remote server using PowerShell. Platform: Windows.


Install PowerShell Core 6
PowerShell is installed by default on Windows computers. It is often abused by hackers, so it is usually heavily monitored by security products. There is a separate open-source project called PowerShell Core which is not monitored. This procedure downloads, installs and restarts a PowerShell agent under PowerShell Core. Platform: Windows.


Find files on removable media
Devices, such as USB drives, often hold important documents, as they've been intentionally copied to the drive at some point. This procedure determines what files are on external drives. Platform: Windows.


Disable Windows EventLog via EventCleaner
This procedure will stop the Windows EventLog using the EventCleaner tools. Platform: Windows.


PowerSploit Invoke-Mimikatz
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing. This procedure uses PowerSploit to dump credentials from memory via PowerShell by invoking a remote Mimikatz script. Platform: Windows.


PowerSploit Get-Keystrokes
This procedure will capture the keys pressed, the time, and the active window for 60 seconds and log the collected keystrokes in the C:\ directory. Platform: Windows.


Dump LSASS memory
LSASS is a Windows process for enforcing security policies. It is stored in memory and it can be dumped to disk, which is often done as a precursor to analyzing the dump with a credential dumper like Mimikatz. Platform: Windows.