Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


T1544

Download pneuma
Pneuma is an open-source agent which accompanies the Prelude platform. This procedure downloads the agent to disk and starts it in the background.

T1059.004

Deploy a stage-0 JXA agent
Download and execute a JavaScript for Automation (JXA) agent.

T1554

Create a JXA Safari.app stager on the desktop
Create a persistence application that looks like Safari.app, spawns a new beacon, and then launches the real Safari.app.

T1069

Permission Groups Discovery
Computer users are put into groups, which control their access on the computer. Identifying which groups are assigned to the current user can show whether they have administrator privileges or not.

T1018

Discover domain controller
A domain controller is a server in charge of authentication and configuration for a Windows domain. These servers are "gold" to most hackers, so identifying where they are on the network is a common procedure.

T1074

Stage collected files
Copy files to a different directory. Hackers will often stage files rather than stealing the original copies in order to be less noticeable.

T1005

Find recent files
Locate files modified in the last 24 hours. Recently modified files typically carry some significance, so a hacker can look for these instead of inspecting every file on the system to determine its worth.

T1074

Create new directory
Creating a staging directory is often a precursor to copying files into it. Hackers will do this in order to exfiltrate important files without getting caught.

T1491

Leave note
Part of a ransomware attack may include leaving a note behind with instructions on how to pay the ransom. This procedure emulates this behavior by dropping a note on the computer.

T1560.001

Compress staged directory
Compressing a directory has many purposes, mainly making the contents smaller and condensing them into a single file. A hacker will tend to do this before trying to steal files from a computer, because it is less noticeable to steal one small file than a large number of bigger files.

T1018

Enumerate number of computers in the domain
Run a utility to enumerate various domain objects. This TTP can enumerate the number of computers within the domain.

T1083

List directories in the current user's home folder
This discovers directories inside the current user's home folder.

T1069

Enumerate domain administrator objects
Run a utility to enumerate various domain user objects. This TTP can enumerate Domain Admins within the domain.

T1069

Enumerate local administrators
Run a utility to enumerate various local objects. This TTP can enumerate members of the local administrators group on the current system.

T1069

Enumerate enterprise administrator objects
Run a utility to enumerate various domain user objects. This TTP can enumerate Enterprise Admins within the domain.

T1018

Enumerate computers in the domain
Run a utility to enumerate various domain objects. This TTP can enumerate computers in the domain.

T1083

Find most recently accessed file in home directory
Identify the most recently accessed file in the active user's home directory. This can be used to identify the user's pattern of life by understanding what kind of files they typically access.

T1012

Query registry for PrintNightmare vulnerable key
Query the HKLM hive for the key outlined in the PrintNightmare fix actions (CVE-2021-34527). If NoWarningNoElevationOnInstall is present and set to 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, a privilege escalation path exists.

T1518

Identify sudo binary version
Determine the version of the sudo binary running on the target system. This is useful for identifying potentially exploitable versions of the binary.

T1082

Check if specific patch is installed
Check if a specific HotFix ID is installed on the target. If it is, no output is created. If it isn't, a json.NotInstalled.T1082 fact carrying the patch identifier will be parsed from the output.

T1518

Compare software versions for exploitation
A generic way to compare software versions on a target system to determine whether the version found on the system is less than or equal to a provided value `exploitable.version`. For example, if you want to use the Baron Samedit chain, you would compare against 1.9.5p1, which is the last version before the exploit was patched in 1.9.5p2.

T1018

Enumerate shares in the domain
Use a PowerShell Empire script (from PowerView) to enumerate shares in the environment.

T1059

Launch executable with custom config
Launch an executable if the associated configuration file is present.

T1059

Archive exfiltration directory
Archive the exfiltration directory using built-in tools and libraries on the target platform.

T1059.004

Generate openssl passwd hash
Use on-target tools to generate a password hash for a provided password. This is useful in creating /etc/passwd persistence accounts.

T1074.001

Back-up target file
Back up a specific file to preserve the original data. This is useful for replacing the target file with another file, or for making modifications to the original while preserving its data.

T1074

Create a staging directory
An alternative method for creating a staging directory.

T1074.001

Stage executable configuration file
Stage an executable configuration file for a target copied executable that loads and runs a DotNet assembly DLL by overriding the InitializeNewDomain method with a custom application domain manager called MyAppDomainManager.

T1074.001

Recycle Bin Staging
menuPass actors are thought to have staged archives in the Recycle Bin for exfiltration. This will stage collected files (from Audio Capture or other collection) in either the Trash or the Recycle Bin.

T1074.001

Copy certutil with random bytes
Copy certutil.exe to a new location and append random bytes to ensure the file hash is modified.