Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact


T1037.005

Execute startup folder persistence
Sets credentials for a headless RDP session to spawn, which triggers the startup-folder persistence. Platform: Windows

T1021.002

Copy agent over SMB
Server Message Block (SMB) can be used to make file systems and resources available to other systems in network environments. This ability mounts a remote network share and copies an agent file to that directory on the remote system. Platform: Windows

T1569.002

Run remote command using PsExec
Uses a compiled PsExec to achieve remote code execution via the service execution method. Platform: Windows

T1570

Conti agent lateral movement
Uses WMIC to move the agent from the currently compromised host to a user-defined target host. Platform: Windows

T1068

Run an elevated Pneuma instance using CVE-2019-14287
A problem was discovered in the way sudo implemented executing commands with arbitrary user IDs. If a sudoers entry lets the attacker run a command as any user other than root, the attacker can use this issue to circumvent that restriction. In this TTP we exploit this vulnerability to run an elevated Pneuma instance. Platform: Global

T1134.001

PowerSploit Named-Pipe Impersonation
A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Named pipes can be used to provide communication between processes on the same computer or between processes on different computers across a network. This procedure uses PowerSploit to conduct a named-pipe impersonation. Platform: Windows

T1548.001

Compile malicious binary using vulnerable SUID
After identifying SUID binaries, we compile a binary and modify its permissions so that it executes as root. Platform: Linux

T1548.002

UAC Bypass via Backup Utility
Modify registry values of sdclt to bypass User Account Control (UAC) via auto-elevation. Platform: Windows

T1611

Is my Kubernetes pod protected against host mounting?
In privileged mode, Kubernetes pods can mount the host filesystem and may be subject to container escape. This chain attempts to mount the host filesystem to test whether the host is vulnerable to a container escape. It is critical that pods are not able to mount the host filesystem, as attackers may create persistence by altering mounted files, elevating privileges, and escaping the container. Platform: Linux

T1068

Exploit ZeroLogon vulnerability to gain Domain Admin
Stages and executes Mimikatz's ZeroLogon module to gain domain admin. Platform: Windows

T1548.004

Spawn elevated Pneuma via UAC prompt
Use the UAC prompt to spawn an elevated PneumaEX session. Platform: Windows

T1068

Exploit PrintNightmare vulnerability to add local administrator
Stages and executes Invoke-Nightmare, used by Conti, to gain local admin. Platform: Windows

T1611

Escape Docker container using Docker socket
The docker.sock UNIX socket is used by the Docker daemon for accessing the Docker API. This TTP determines whether a container escape via docker.sock is possible. An attacker may be able to escape the container if the Docker socket is mounted inside it. Platform: Global

T1548.002

Set registry value for Wsreset
Set the registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated using wsreset.exe. Platform: Windows

T1068

Spawn elevated Pneuma via CVE-2021-33909 (Sequoia)
Spawn a beacon using the (Sequoia) vulnerability identified in CVE-2021-3156. fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an out-of-bounds write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. You need 1 million free inodes available in the directory where you execute the exploit payload. Using the home directory yields the highest probability of success. Platform: Linux

T1548.001

Spawn elevated Pneuma and relocate agent binary
We execute the Pneuma agent as root and move its location to /bin/pneuma to prepare for persistence. Platform: Linux

T1611

Is this host vulnerable to privilege escalation through an unprotected Docker daemon?
Utilizing Docker via an unprotected TCP socket (2375/tcp, or possibly 2376/tcp with TLS but without TLS client authentication), an attacker can create a Docker container with the host's '/' path mounted read/write and use chroot to escape the container jail. This TTP mounts the host's root directory inside the container's /mnt directory and runs schism as root on the host machine. Platform: Linux

T1548.002

Escalate a binary with Wsreset
wsreset.exe is used to reset Windows Store settings according to its manifest file. Modify the default registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated. Platform: Windows

T1548.002

Spawn agent using Event Viewer UAC Bypass
During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. Platform: Windows

T1078.003

Spawn root agent
Start a new agent as the root user. Platform: Darwin

T1543

Take ownership of docker containers
If the current user context has write permissions to the docker.sock UNIX socket file, we are able to take complete ownership of all Docker containers running on the system and perform arbitrary Docker daemon/CLI commands against all of them. This is accomplished by creating a new Docker container, passing in the docker.sock file descriptor, then installing dockerd inside the container. From there we can run Docker commands in any container. Platform: Linux

T1611

Is my Docker container vulnerable to host filesystem mounting?
Containers that can mount the host filesystem may be vulnerable to a container escape. This TTP attempts to mount the host filesystem and identify a root directory. It is important that containers cannot mount the host filesystem, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container. Platform: Linux

T1470

Stage mobile device backup
Perform a full mobile device backup to a file and stage it in a directory. Platform: Android