Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


Browse By:

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

Queue TTP for cryptoSpy agent
Schedules a whoami TTP for the cryptoSpy agent using Operator's API.


Wait for cryptoSpy callback
Queries the Operator API for the cryptoSpy agent connection.


Download Get-ComputerDetails.ps1 using Certutil
This Windows binary can download and save a file to an Alternate Data Stream (ADS). This downloads a PowerSploit tool that will get computer details. One variant uses ADS.


Queue TTP for Sliver agent
Schedules a whoami TTP for the Sliver agent using Operator's API.


Download payload with Windows Defender
Use the Windows Defender command line utility to download a payload onto the system.


Stage PNG encoded payload
Stages a PNG encoded payload into the /var/tmp directory. Each pixel of the image stores one character of the Python script.


Download PneumaEX
PneumaEX is an extended version of the open-source agent which accompanies the Prelude platform. This procedure downloads the agent to disk and starts it in the background.


Copy files with Print
This binary is used by Windows to send files to the printer. We can use it to copy remote and local files between systems.


Queue chain on infected machines
Schedules this chain to run on the infected machines so that the worm spreads.


Task webshell with agent callback
Send a request to the webshell to execute the Pneuma agent that connects back to Operator over TCP.


Install an HTTP C2 module
Dynamically load and install a C2 module that supports HTTP beacons. Jambi and Hush both use this as the default HTTP C2 channel.


Download a file with Xwizard
Xwizard.exe uses the RemoteApp and Desktop Connections wizard to download a file.


Start Python Webserver
Start a Python webserver in the agent's working directory.


Start LDAP Listener
Start an LDAP listener for the JNDI request.


Copy remote files to local system using Expand
Expand is a binary that expands one or more compressed files. It can be used to copy files from a WebDAV share to a local system into plain files or ADSs.


Copy files with Extrac32
Extrac32 allows users to uncompress one or more compressed .CAB cabinet files. This ability uses the binary to copy local and remote files or cabinets to the local system.


Stage PneumaEX
Stage PneumaEX in the System32 directory.


Stage Schism agent in SciPy package
This changes the Schism Agent file from default localhost to Operator IP pulled from facts.


Download Jambi
A modular PowerShell 3.0+ (POSH) agent for Windows.


Copy files with Makecab
Makecab allows us to package existing files into a cabinet (.cab) file. This ability uses the binary to copy local and remote files or cabinets to the local system.


Is my host protected against ngrok?
Ngrok is a reverse proxy tool that provides secure tunnels over the Internet. Adversaries may use ngrok to tunnel traffic to their command and control servers. It's important to monitor for the presence of ngrok, as it may be used to bypass network security controls. This chain requires an ngrok account. The ngrok.token fact must be set to your ngrok token available in the ngrok dashboard. Warning: This TTP will expose the host to the Internet.


Powerkatz Pass-the-Hash
Mimikatz is usually regarded as a credential dumper but there are other use-cases. Here, the tool is used to Pass-the-Hash, leveraging the SC service to copy the agent to another computer in the domain. Passing the hash allows the agent to conduct the copy command without knowing the password but instead uses a password hash to "pass" the authentication along.


WMI Ransomware Distribution
WMIC, the abbreviation of Windows Management Interface Command, is a simple command prompt tool that returns information about the system you are running it on. Here we start a WMIC process to copy the agent to another domain computer, dropping it into the temp directory.


Spread worm using private keys found on the machine
With the SSH private keys found, we can attempt to SSH in as root using these keys, allowing us to install a Pneuma backdoor and execute the worm.


Initiate RDP connection
Remote Desktop Protocol is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. This procedure leverages RDP to execute a command on a remote computer.


Copy agent to shared drive
Most Windows computers have a temp directory available as a network share. If accessible internally, this drive can be used to copy malicious files across the network. The start command can be used to initiate a new terminal command prompt to execute this action concurrently.


Copy Pneuma to remote system
Copy a UPX packed Pneuma payload to a remote system using PSExec.


Exploit SMBv1 service
Use EternalBlue and DoublePulsar to exploit the SMBv1 service.


Pass-The-Ticket with Rubeus
A pass-the-ticket attack is a well-known method of impersonating users on an AD domain. AD typically uses Kerberos to provide single sign-on (SSO). If we have access to Kerberos tickets in the form of a .kirbi file, we will be able to import them using Rubeus. This TTP will import tickets exported by Mimikatz.


Provides access to target shared resources
This is required to run so that you have access to the target host's C drive to copy content over.