Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

T1102.002

Queue TTP for cryptoSpy agent
Schedules a whoami TTP for the cryptoSpy agent using Operator's API. [Platform icons: terminal]

T1205.001

Wait for cryptoSpy callback
Queries the Operator API for the cryptoSpy agent connection. [Platform icons: terminal]

T1105

Download Get-ComputerDetails.ps1 using Certutil
This Windows binary can download a file and save it to an Alternate Data Stream (ADS). This TTP downloads a PowerSploit tool that gathers computer details; one variant writes it to an ADS. [Platform icons: windows]

T1102.002

Queue TTP for Sliver agent
Schedules a whoami TTP for the Sliver agent using Operator's API. [Platform icons: terminal]

T1105

Download payload with Windows Defender
Use the Windows Defender command-line utility to download a payload onto the system. [Platform icons: windows]

T1105

Stage PNG encoded payload
Stages a PNG-encoded payload into the /var/tmp directory. Each pixel of the image stores one character of the Python script. [Platform icons: linux]

T1544

Download PneumaEX
PneumaEX is an extended version of the open-source agent which accompanies the Prelude platform. This procedure downloads the agent to disk and starts it in the background. [Platform icons: linux, apple, windows]

T1105

Copy files with Print
This binary is used by Windows to send files to the printer. We can use it to copy remote and local files between systems. [Platform icons: windows]

T1102.002

Queue chain on infected machines
Schedules this chain to run on the infected machines so that the worm spreads. [Platform icons: terminal]

T1219

Task webshell with agent callback
Send a request to the webshell to execute the Pneuma agent, which connects back to Operator over TCP. [Platform icons: terminal]

T1071.001

Install an HTTP C2 module
Dynamically load and install a C2 module that supports HTTP beacons. Jambi and Hush both use this as the default HTTP C2 channel. [Platform icons: windows]

T1105

Download a file with Xwizard
Xwizard.exe uses the RemoteApp and Desktop Connections wizard to download a file. [Platform icons: windows]

T1071.001

Start Python Webserver
Start a Python web server in the agent's working directory. [Platform icons: linux]

T1071

Start LDAP Listener
Start an LDAP listener for the JNDI request. [Platform icons: linux]

T1105

Copy remote files to local system using Expand
Expand is a binary that expands one or more compressed files. It can be used to copy files from a WebDAV share to the local system, either as plain files or into ADSs. [Platform icons: windows]

T1105

Copy files with Extrac32
Extrac32 allows users to uncompress one or more compressed .CAB cabinet files. This ability uses the binary to copy local and remote files or cabinets to the local system. [Platform icons: windows]

T1105

Stage PneumaEX
Stage PneumaEX in the System32 directory. [Platform icons: windows]

T1071.001

Stage Schism agent in SciPy package
This changes the Schism agent file's default localhost address to the Operator IP pulled from facts. [Platform icons: linux]

T1544

Download Jambi
A modular PowerShell 3.0+ (POSH) agent for Windows. [Platform icons: windows]

T1105

Copy files with Makecab
Makecab allows us to package existing files into a cabinet (.cab) file. This ability uses the binary to copy local and remote files or cabinets to the local system. [Platform icons: windows]

T1105

Is my host protected against ngrok?
Ngrok is a reverse proxy tool that provides secure tunnels over the Internet. Adversaries may use ngrok to tunnel traffic to their command and control servers. It is important to monitor for the presence of ngrok, as it may be used to bypass network security controls. This chain requires an ngrok account: the ngrok.token fact must be set to your ngrok token, available in the ngrok dashboard. Warning: this TTP will expose the host to the Internet. [Platform icons: apple, windows, linux]

T1021

Powerkatz Pass-the-Hash
Mimikatz is usually regarded as a credential dumper, but there are other use cases. Here, the tool is used to pass the hash, leveraging the SC service to copy the agent to another computer in the domain. Passing the hash allows the agent to run the copy command without knowing the password; instead it uses the password hash to "pass" the authentication along. [Platform icons: windows]

T1570

WMI Ransomware Distribution
WMIC, the abbreviation of Windows Management Interface Command, is a simple command-prompt tool that returns information about the system you are running it on. Here we start a WMIC process to copy the agent to another domain computer, dropping it into the temp directory. [Platform icons: windows]

T1021.004

Spread worm using private keys found on the machine.
With the SSH private keys found, we can attempt to SSH in as root using these keys, allowing us to install a Pneuma backdoor and execute the worm. [Platform icons: linux]

T1076

Initiate RDP connection
Remote Desktop Protocol is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. This procedure leverages RDP to execute a command on a remote computer. [Platform icons: windows]

T1021.002

Copy agent to shared drive
Most Windows computers have a temp directory available as a network share. If accessible internally, this drive can be used to copy malicious files across the network. The start command can be used to initiate a new terminal command prompt to execute this action concurrently. [Platform icons: windows]

T1105

Copy Pneuma to remote system
Copy a UPX-packed Pneuma payload to a remote system using PsExec. [Platform icons: windows]

T1210

Exploit SMBv1 service
Use EternalBlue and DoublePulsar to exploit the SMBv1 service. [Platform icons: windows, apple, linux]

T1550

Pass-The-Ticket with Rubeus
A pass-the-ticket attack is a well-known method of impersonating users on an AD domain. AD typically uses Kerberos to provide single sign-on (SSO). If we have access to Kerberos tickets in the form of a .kirbi file, we can import them using Rubeus. This TTP imports tickets exported by Mimikatz. [Platform icons: windows]

T1021.002

Provides access to target shared resources
This must run first so that you have access to the target host's C drive to copy content over. [Platform icons: windows]