Prelude TTP browser

Prelude develops, tests and publishes important TTPs continuously. Below, you can view, filter and make use of more than 673 TTPs.

Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Linux
  • Darwin
  • Windows
  • Global
  • Android

Tactics & Techniques

  • All
  • Resource Development
  • Initial Access
  • Defense Evasion
  • Command And Control
  • Discovery
  • Collection
  • Persistence
  • Credential Access
  • Privilege Escalation
  • Lateral Movement
  • Execution
  • Exfiltration
  • Impact

Themes

Tags

Licenses

T1548.004

Spawn elevated Pneuma via UAC prompt
Use UAC prompt to Spawn an elevated PneumaEX session./static/assets/windows-logo.svg

T1068

Exploit PrintNightmare vulnerability to add local administrator
Stages and executes Invoke-Nightmare used by Conti to gain local admin./static/assets/windows-logo.svg

T1611

Escape Docker container using Docker socket
The docker.sock UNIX socket is used by the Docker daemon for the acessing the Docker API. This TTP determines if a Docker socket escape via docker.sock is possible. An attacker may be able to escape the container if the Docker socket is mounted in it. /static/assets/terminal-logo.svg

T1548.002

Set registry value for Wsreset
Set registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated using wsreset.exe. /static/assets/windows-logo.svg

T1068

Spawn elevated Pneuma via CVE-2021-33909 (Sequoia)
Spawn a beacon using the (Sequoia) identified in CVE-2021-3156. fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. You need 1 million free inodes available in the directory where you execute the exploit payload. Using the home directory yields highest probability of success./static/assets/linux-logo.svg

T1548.001

Spawn elevated Pneuma and relocate agent binary
We execute pneuma agent as root and move it's location to /bin/pneuma to prepare for persistence. /static/assets/linux-logo.svg

T1611

Is this host vulnerable to privilege escalation through an unprotected Docker daemon?
Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp with tls but without tls-auth), an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container and use chroot to escape the container-jail. This TTP mounts the hosts root directory inside the container's /mnt directory and runs schism as root on the host machine. /static/assets/linux-logo.svg

T1548.002

Escalate a binary with Wsreset
Used to reset Windows Store settings according to its manifest file. Modify the default registry value at HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command to run something elevated. /static/assets/windows-logo.svg

T1548.002

Spawn agent using Event Viewer UAC Bypass
During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. /static/assets/windows-logo.svg

T1078.003

Spawn root agent
Start a new agent as the root user/static/assets/apple-logo.svg

T1543

Take ownership of docker containers
If the current user context has write permissions to the docker.sock unix socket file, we are able to take complete ownership of all dockers running on the system and perform arbitrary docker daemon/CLI commands against all containers. This is accomplished by creating a new docker container, passing in the docker.sock file descriptor, then installing dockerd inside the container. From there we can run docker commands in any container. /static/assets/linux-logo.svg

T1611

Is my Docker container vulnerable to host filesystem mounting?
Containers that can mount the host filesystem may be vulnerable to a container escape. This TTP attempts to mount the host filesystem and identify a root directory. It is important that containers cannot mount the host filesystem, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container. /static/assets/linux-logo.svg

T1470

Stage mobile device backup
Perform a full mobile device back-up to a file and stage it in a directory./static/assets/android-logo.svg