Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


T1543

SystemV service persistence
Attempt to install persistence if SystemV is the system service manager.

T1546.003

Install agent persistence via WMI event subscription
Use a PowerShell script to install a WMI event subscription persistence mechanism. This technique requires setting the #{staging_dir} fact to specify the path to the Pneuma agent.

T1547.001

Install agent persistence via StartUp VBS file
A VBS file located in the Windows StartUp folder may be used for persistence. This procedure generates a VBS file and places it in the StartUp folder. On startup, the file will execute and spawn a new Pneuma agent.

T1137.006

Dump registry SAM Hive via Microsoft Word Add-in
This TTP stages a UPX-packed .wll file in the Microsoft\Word\STARTUP directory and then starts Word to execute the Word Add-in and dump the SAM registry hive into c:\temp\folder.

T1547.009

Install WanaDecryptor persistence via .lnk file
WannaCry installs a copy of the decryptor, @WanaDecryptor@.exe, in each folder along with a ransom note. This technique stages and writes a PneumaEX agent and a corresponding .lnk file.

T1546.001

Change ppts extension for VBSFile
The Windows ASSOC command can be used to display or change the association between a file extension and a fileType. This procedure uses the command to associate the .ppts extension with the VBSFile type.

T1543

Upstart service persistence
Attempt to install persistence if Upstart is the system service manager.

T1546

bash_profile tampering
The bash profile is a configuration file for the bash (or zsh) shell. When bash is invoked as an interactive login shell, it first reads and executes commands from ~/.bash_profile. This procedure adds the agent executable to the file, ensuring that the agent starts as soon as a terminal is opened.

T1543

Systemd service persistence
Attempt to install persistence if systemd is the system service manager.

T1547.001

Install PneumaEX registry persistence
These are the exact same registry changes made by the GOP attackers to keep their agent persistent throughout the attack. In this case, the staged PneumaEX agent will be persistent.

T1546.003

Install WMI event subscription persistence
Use a custom PowerShell script to install a WMI event subscription persistence mechanism.

T1543.001

Install a Hush current user plist persistence
Create and install a plist file for the current user that launches every time the user logs in. This launches the Hush stager code to dynamically pull down and launch a new agent.

T1547.001

Install agent persistence via StartUp batch file
A batch file (.bat) located in the Windows StartUp folder may be used for persistence. This procedure generates a batch file and places it in the StartUp folder. On startup, the file will execute and spawn a new Pneuma agent.

T1547.009

Install agent persistence via .LNK file
APT40 is known to use .LNK files in the Windows StartUp folder for persistence. This procedure generates a link file using VBA and executes it. On startup, the link will execute a Pneuma agent.

T1098.001

Add SSH key to Azure Account
Using a locally generated key pair, create a new SSH key pair resource on the Azure account, allowing VM creation with the key and key replacement on existing VMs.

T1136.001

Create new user on mobile device
Create a new user on the mobile device.

T1098.004

Modify SSH key pair on existing VM
Using a prestaged SSH key pair resource, replace the SSH key pair used on that VM to gain access to the resource using your custom SSH key.

T1053

Scheduled task
Scheduled tasks enable an administrator to schedule actions at specific times or to launch programs when a set event has occurred. The SCHTASKS utility allows the administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. This procedure schedules a task to start the agent every time the computer reboots.

T1546.004

Persistence via mounted Unix shell configuration modification
Persistence may be established by modifying a user's shell to execute arbitrary commands. This TTP searches for a mounted root directory and establishes Pneuma persistence via Unix shell configuration modification. It is important that containers cannot mount the host filesystem, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.

T1053

Cron job persistence
Install cron persistence as root using the SUID binary.

T1105

Download file using Bitsadmin
BITSAdmin is used for managing background intelligent transfers. This leverages BITSAdmin to create a job and ingress tools on the local system out of band from the C2 channel.

T1104

Upgrade implant to stage 2 (PneumaEX)
This TTP untars the payload containing PneumaEX and a shell script. The shell script checks for deep learning Python frameworks, then upgrades the agent to PneumaEX. If it doesn't detect deep learning frameworks, it will delete all elevation artifacts.

T1544

Download Hush
JavaScript for Automation (JXA) agent for macOS.

T1105

Copy files with Replace
Used to replace a file with another file, this ability uses the Replace binary to copy local and remote files or cabinets to the local system.

T1104

Stage Operator networking fact file
Place a PowerShell file on disk that a new agent can reference when launching. These facts must be declared in Operator before running this procedure, and each fact must contain Operator's routable IP address and relevant contact port. For example, '#{operator.public.http}' should map to a value such as 'http://10.0.0.2:3391'.

T1544

Download Schism
Schism is a simple Python agent which supports multiple protocols.

T1105

Download tools using Certutil
CertReq.exe is used for requesting and managing certificates, but can also be used to ingress tools to the local system. By passing a remote HTTP/S file path, the results of a POST request can be saved to the console or a file.

T1205.001

Wait for Sliver agent callback
Queries the Operator API for the Sliver agent connection.

T1105

Download Pneuma agent using BITSAdmin
BITSAdmin is used for managing background intelligent transfers. This leverages BITSAdmin to create a job and ingress tools on the local system out of band from the C2 channel. This technique requires defining the #{staging_dir} fact - the path where the agent is located.

T1219

Generate Log4j exploit class
Generates a custom Java class to have a Log4j-vulnerable service download and launch a Pneuma payload.