Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 645 TTPs.


Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

T1608.002

Launch a Chisel server
Launches a Chisel server on a user-specified port and logs to a chisel_server.log file in the /tmp directory. Requires Chisel to be installed before the TTP will run, unless a variant is selected.

T1572

Launch a Chisel client connection
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you are sending them to the command-line client. Supported flags are: Server (https://chisel-demo.herokuapp.com), Remotes ("3000", "<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="), Proxy, Auth, TLSSkipVerify (default: false). Platforms: Windows, Darwin, Linux.

T1016

Discover vulnerable AD CS certificates
Use the Certify tool to enumerate misconfigurations in Active Directory Certificate Services (AD CS). Platforms: Windows.

T1082

View Basic OS Properties
hostnamectl is used to control the system hostname and its related settings, so it can also be used to view the hostname and other details such as the kernel version, machine ID, boot ID and the Linux distribution installed on a Linux computer. Platforms: Linux.

T1518

List pip Packages
This will provide a list of currently installed pip packages on the system. Platforms: Linux.

T1518

Grab python version
Determine the current Python version for the python executable found in the current PATH. Platforms: Linux.

T1082

View detailed CPU information
This command provides useful CPU information, including core count, cache sizes, virtualization support, and more. Platforms: Linux.

T1082

View Nvidia GPU information
If an Nvidia GPU is installed, this will provide information on the GPU driver version, CUDA version, processes that last used the GPU, temperatures, and more. Platforms: Linux.

T1613

Docker & LXC detection
Run a script to detect if your agent exists in either a Docker or LXC container. Platforms: Linux.

T1106

Bypass AMSI, load, and run XOR'd SharpHound payload
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This uses an existing XOR'd SharpHound payload on disk to load and run BloodHound in memory. It bypasses the Antimalware Scan Interface (AMSI) in the current PowerShell process to allow loading of SharpHound. Platforms: Windows.

T1074.001

Create an XOR byte
Generate a single byte that can be used across XOR operations on the target system. Platforms: Windows, Darwin, Linux.

T1105

Ingress payload to XOR'd file
Sometimes it's useful to store payloads on a system for use later in an operation. In order to avoid detection by AV/EDR products, a simple XOR can be applied to the bytes before saving the item to disk. This imports a payload, XORs it, and writes it to a randomly named file on disk. Platforms: Windows.

T1489

Quit application
This procedure immediately halts an installed application, force closing it. Platforms: Darwin.

T1123

Record room audio using microphone
Most computers have a microphone which is always on and active. This procedure installs popular recording software, then runs it to record 30 seconds of audio on the computer. Supports installing a Hush module and recording using in-memory JXA. Platforms: Darwin, Linux, Windows.

T1113

Grab a series of desktop screenshots
Capture a series of desktop screenshots to a staging directory. A user may see a permission prompt or hear the snapshots. Platforms: Windows, Linux, Darwin.

T1105

Install a payload request module
Dynamically load and install a module that can download payloads onto the target system. A JXA agent will only request this module if a TTP requiring a payload is used by the agent. Platforms: Darwin.

T1105

Install and test a shell execution module
Dynamically load and install a module that enables an agent to run shell commands. A JXA agent will only request this module if a TTP requiring a shell command is used. Platforms: Darwin.

T1082

Enumerate file system partitions
This will display all related information corresponding to the mounted and unmounted partitions/shares. Platforms: Linux.

T1072

Install PSTools
PSTools is a popular Windows toolset for doing standard sysadmin activities. It is often installed on Windows computers so administrators can work more easily. This procedure simply downloads and uncompresses it on disk. Platforms: Windows.

T1059.001

Create remote Powershell with PowerCat
PowerCat is a tool that uses native PowerShell components to allow an attacker to transfer files, send and serve reverse shells, and set up relays, similar to Netcat, over TCP, SMB, and UDP. This procedure downloads PowerCat from GitHub, then uses it to open a connection to a remote server using PowerShell. Platforms: Windows.

T1072

Install PowerShell Core 6
PowerShell is installed by default on Windows computers. It is often abused by hackers, so it is usually heavily monitored by security products. There is a separate open-source project called PowerShell Core which is not monitored. This procedure downloads and installs PowerShell Core, then restarts a PowerShell agent under it. Platforms: Windows.

T1025

Find files on removable media
Devices, such as USB drives, often hold important documents, as they've been intentionally copied to the drive at some point. This procedure determines what files are on external drives. Platforms: Windows.

T1562.002

Disable Windows EventLog via EventCleaner
This procedure will stop the Windows EventLog service using the EventCleaner tool. Platforms: Windows.

T1003.001

PowerSploit Invoke-Mimikatz
PowerSploit is an open-source offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing. This procedure uses PowerSploit to dump credentials from memory via PowerShell by invoking a remote Mimikatz script. Platforms: Windows.

T1056.001

PowerSploit Get-Keystrokes
This procedure will capture the keys pressed, the time, and the active window for 60 seconds, and log the collected keystrokes in the C:\ directory. Platforms: Windows.

T1003.001

Dump LSASS memory
LSASS is a Windows process for enforcing security policies. It holds credential material in memory, and its memory can be dumped to disk, often as a precursor to analyzing the dump with a credential dumper like Mimikatz. Platforms: Windows.

T1544

Download pneuma
Pneuma is an open-source agent which accompanies the Prelude platform. This procedure downloads the agent to disk and starts it in the background. Platforms: Linux, Darwin, Windows.

T1059.004

Deploy a stage-0 JXA agent
Download and execute a JavaScript for Automation (JXA) agent. Platforms: Darwin.

T1554

Create a JXA Safari.app stager on the desktop
Create a persistence application that looks like Safari.app, which will spawn a new beacon and then launch the real Safari.app. Platforms: Darwin.

T1069

Permission Groups Discovery
Computer users are put into groups, which control their access on the computer. Identifying which groups are assigned to the current user can show whether or not they have administrator privileges. Platforms: Windows, Darwin, Linux.