Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 645 TTPs.


Conti agent lateral movement
This uses WMIC to move the agent from the current compromised host to a user-defined target host.


PowerSploit Named-Pipe Impersonation
A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network. This procedure uses PowerSploit to conduct a named-pipe impersonation.


Compile malicious binary using vulnerable SUID
After identifying SUID binaries, we are able to compile and modify permissions of the binary to allow it to execute as root.


UAC Bypass via Backup Utility
Modify registry values of sdclt to bypass User Account Control (UAC) via auto-elevation.


Exploit ZeroLogon vulnerability to gain Domain Admin
Stages and executes Mimikatz's ZeroLogon module to gain domain admin.


Spawn elevated Pneuma via UAC prompt
Use the UAC prompt to spawn an elevated PneumaEX session.


Exploit PrintNightmare vulnerability to add local administrator
Stages and executes Invoke-Nightmare, used by Conti, to gain local admin.


Set registry value for Wsreset
Set the registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated using wsreset.exe.


Spawn elevated Pneuma via CVE-2021-33909 (Sequoia)
Spawn a beacon using the Sequoia vulnerability identified in CVE-2021-3156. fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. You need 1 million free inodes available in the directory where you execute the exploit payload. Using the home directory yields the highest probability of success.


Spawn elevated Pneuma and relocate agent binary
We execute the pneuma agent as root and move its location to /bin/pneuma to prepare for persistence.


Escalate a binary with Wsreset
wsreset.exe is used to reset Windows Store settings according to its manifest file. Modify the default registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated.


Spawn agent using Event Viewer UAC Bypass
During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.


Spawn root agent
Start a new agent as the root user.


Take ownership of docker containers
If the current user context has write permissions to the docker.sock unix socket file, we are able to take complete ownership of all containers running on the system and perform arbitrary docker daemon/CLI commands against all of them. This is accomplished by creating a new docker container, passing in the docker.sock file descriptor, then installing dockerd inside the container. From there we can run docker commands in any container.


Stage mobile device backup
Perform a full mobile device backup to a file and stage it in a directory.