Prelude TTP browser

Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.


T1074.001

Stage files on desktop
Desktops are quickly accessible via a remote desktop session, so sometimes it makes sense to stage files on a user's desktop prior to exfiltrating them. While there are better locations (like the recycling bin/trash or A/V exempted folders), the ease of accessibility sometimes takes priority over subtlety.
Platforms: Windows, Terminal

T1005

Create a crypto key
Creates a crypto key in a temporary directory for later exfiltration or usage.
Platforms: Windows, Apple, Linux

T1562.001

Unhook ntdll.dll EDR hooks via remapping
Many EDR tools inject custom DLLs into Windows processes to "hook" system calls for analysis. One method an attacker can use to bypass those hooks is through remapping the .text section of the in-memory ntdll.dll module with the on-disk .text section. This essentially removes all of the EDR's hooks by replacing them with the correct versions of the original system call stubs. This approach is fairly common in C++, so this version uses P/Invoke to load the unmanaged code for unhooking. Thanks to @makosec and @spotheplant for excellent resources (see attached metadata for references).
Platforms: Windows

T1112

Create specific registry key in HKLM
Import a registry key into HKLM to support Prelude DLL execution abilities. Export the target registry key and save it to the specified .REG file within an alternate data stream.
Platforms: Windows

T1574.002

Side-load Pneuma using Windows Defender
Run the vulnerable MsMpEng.exe executable with a Pneuma DLL in the same folder to perform a DLL side-load of Pneuma.
Platforms: Windows

T1140

Decode files with Certutil
This Windows binary used for handling certificates can also be used to decode base64 and hexadecimal files.
Platforms: Windows

T1027.004

Compile CSharp code on target
Use the built-in DotNet compiler to compile a CSharp payload on the target system. This is useful to avoid writing binary payloads directly to a target system (which can often be signatured or otherwise impossible to achieve).
Platforms: Windows

T1558.003

Dump hashes for kerberoastable accounts to disk
Attempts to request tickets for kerberoastable accounts and dumps the extracted hashes to a file.
Platforms: Windows

T1486

Recursively encrypt a directory
Encrypt all of the files in a directory using a custom payload. This will save all files it encrypts with the extension '.encrypted-operator'.
Platforms: Windows, Apple, Linux

T1485

Remove ransomed files from disk
Clean up all the encrypted and decrypted files containing the suffixes ".encrypted-operator" and ".decrypted-operator". It can easily be modified to target all files, specific extensions, and so on, to delete files off a disk.
Platforms: Windows, Apple, Linux

T1491.001

Leave encrypted data recovery note
Leave a note on the user's desktop with instructions on how to decrypt and recover their data.
Platforms: Apple, Linux, Windows

T1566.001

Stage a phish email in downloads folder
Create a fake email that contains a link to an Excel document containing a malicious macro. If the user opens the macro, it will download a Pneuma payload (on Windows) and open a modal explaining they have accidentally installed malware.
Platforms: Apple, Linux, Windows

T1136.001

Create root user in /etc/passwd via CVE-2021-3156
Create a root persistence user account "prelude" via the Heap-Based Buffer Overflow in Sudo (Baron Samedit) identified in CVE-2021-3156. Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. This appends a line to /etc/passwd so you can later `su prelude` using the generated password.
Platforms: Linux

T1546.007

Netsh helper DLL persistence
Download a custom DLL that can be attached to netsh as a helper that will call a value stored in the registry whenever netsh is run. The DLL will make a system() call for whatever value is stored in the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator key with the name `bin_path` (so bin_path with a string `C:\\Windows\\System32\\cmd.exe` for example). The DLL itself uses the SysWhispers project to create a custom wrapper around NtCreateThreadEx to bypass API hooks by EDR products. Persistence triggers any time netsh is run.
Platforms: Windows

T1104

Stage agent configuration file
Place a JSON configuration file on disk that new agent processes can reference when launching.
Platforms: Windows

T1105

Stage a CSharp script in a temporary directory
Stage a CSharp script in a local temporary file either via a built-in script or a specified URI. The provided example will spawn a command prompt process.
Platforms: Windows

T1105

Ingress an encoded Pneuma DLL with the ServiceCrtMain function exported
Download and stage a base64-encoded 32-bit Pneuma DLL on the target system.
Platforms: Windows

T1105

Ingress vulnerable Windows Defender binary
Ingress a vulnerable version of the Windows Defender Antimalware Service Executable (4.5.218.0) that can side-load a properly formatted Dynamic-link Library (DLL) that exports the function ServiceCrtMain.
Platforms: Windows

T1105

Ingress Pneuma DLL with exported LaunchPneuma function
Download and stage a dynamic-link library (DLL) version of Pneuma.
Platforms: Windows

T1068

Spawn elevated Pneuma via CVE-2021-3156
Spawn a beacon using the Heap-Based Buffer Overflow in Sudo (Baron Samedit) identified in CVE-2021-3156. Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument ending with a single backslash character.
Platforms: Linux, Apple

T1068

Exploit PrintNightmare vulnerability to spawn elevated agent
Exploit the PrintNightmare vulnerability using a custom driver DLL containing a CreateProcess call that launches a Pneuma DLL as NT AUTHORITY\SYSTEM via rundll32.exe.
Platforms: Windows

T1074.001

Copy file with Esentutl
Copies an existing file path to a new directory with the same name, using the esentutl.exe utility.
Platforms: Windows

T1059.002

Stage Pneuma via AppleScript pop-up
Present the user with an infinitely looping prompt that forces the user to select Report a problem. If the user does this, a Pneuma agent is downloaded on their system. The correct way to avoid this is by reaching out to IT or manually killing the prompt process.
Platforms: Apple

T1548.003

Enumerate sudoers data
Runs two commands to enumerate the current user's sudo permissions and also dumps the /etc/sudoers file for the system.
Platforms: Linux

T1056.002

Prompt for user credentials
Displays a user authentication prompt to trick the user into providing their credentials to dump them in plaintext JSON.
Platforms: Terminal, Windows

T1565.003

Alert user of compromised credentials
Display an alert to the user explaining that they have fallen victim to a credential access technique and their plaintext credentials have been collected.
Platforms: Apple, Linux, Windows

T1105

Stage credential prompt script
Ingress a script that can be used to make a GUI prompt to trick a user into providing their plain-text credentials.
Platforms: Windows, Apple, Linux

T1105

Stage obfuscated script payload
Ingress a payload that overwrites (or clones) a target payload and replaces it with a redirect to launch a script of some kind. This script allows you to spawn new agents (or display alerts) by tricking users into double-clicking on files they assumed were the original file.
Platforms: Apple, Linux, Windows

T1083

Find a random system executable
Look inside system folders (like System32, or /bin/) for executables the current user has Read and Execute permissions on.
Platforms: Windows

T1087.002

Run SharpHound collector
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This downloads a SharpHound payload to disk and runs it locally.
Platforms: Windows