Prelude TTP browser
Below, you can view, filter and make use of more than 683 TTPs that have been developed, tested, and published by Prelude.Release Date (Newest)
Filter
Search for chains, TTPs, themes, and text
Browse By:
All
Linux
Darwin
Windows
Global
Android
All
T1611
Is my Docker container vulnerable to RDMA cgroup controller escape?
Containers that are running in privileged mode or with SYS_ADMIN capability may be vulnerable to a privilege escalation and container escape. This TTP attempts to mount the RDMA cgroup controller and configure the release_agent to execute an arbitrary script as the root user. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.
T1611
Is my Docker container vulnerable to cgroup controller escape?
Containers that are running in privileged mode may be vulnerable to a privilege escalation and container escape. This TTP attempts to configure a cgroup controller release_agent to execute an arbitrary script as the root user. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.
T1611
Is my Docker container vulnerable to hostPID privilege escalation?
Containers that are running in privileged mode and have the hostPID flag enabled are vulnerable to a privilege escalation and container escape to the host system. This TTP attempts to use nsenter to enter the namespace of the init system process (PID 1) on the host to spawn a root shell. It is important that containers are not running in privileged mode, as adversaries may establish persistence by modifying mounted files, elevate privileges, and escape the container.
T1203
Is Atlassian Bitbucket Server or Data Center patched against CVE-2022-36804?
In Atlassian Bitbucket Server and Data Center there is a command injection vulnerability in multiple API endpoints. This TTP sends a curl request that will attempt to execute a command `cat /etc/passwd` on the remote host. An attacker with read permissions on a public or private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.
T1055.003
Process injection via Thread Hijacking
This TTP will create a notepad process and hijack one of the threads. The hijacked thread will be suspended and have its instruction pointer changed to the address of the shellcode; when the thread is resumed, `calc.exe` will be launched.
T1055.002
API unhooking via Perun's Fart
This TTP will create a new process in a suspended state, create a clean version of `ntdll.dll`, and overwrite the `ntdll.dll` from the current process to unhook it. After `ntdll.dll` is unhooked, the shellcode is executed to spawn calc.exe.
T1055.004
Process injection via UserAPC Queuing
This TTP will launch a notepad process and queue a user-mode asynchronous procedure call, that should launch calc.exe when the thread is resumed.
T1055.002
Process injection via CreateRemoteThread
This TTP will launch a notepad process and then inject shellcode into it. When the shellcode is executed, it will launch a new calc.exe process and crash notepad.
T1204.002
Are MOUSEISLAND malware procedures mitigated on this host?
CISA released an advisory in August 2022 on MOUSEISLAND, which is classified as a macro downloader. This TTP downloads a ZIP file, extracts it, and if MS Office is installed then attempts to run it. The macro attempts to download an EICAR file. Protection from MOUSEISLAND is important because this malware serves as the initial phase for ransomware.
T1204.002
Are Ursnif malware procedures mitigated on this host?
CISA released an advisory in August 2022 on Ursnif malware, a banking trojan that steals financial data. This TTP uses Ursnif's methods of collecting system information and executing staged binaries. AZOrult may steal user account information, including passwords and credentials.
T1204.002
Are GootLoader malware procedures mitigated on this host?
CISA released an advisory in August 2022 on GootLoader, a malware loader. This TTP uses GootLoader's methods of downloading a JScript file within a Zip file, using Wscript to execute the JS file to add specific registry keys, reflectively loading a non-existent DLL, and creating a scheduled task for persistence. GootLoader may deploy Cobalt Strike Beacons, deploy banking Trojans, and even ransomware.
T1204.002
Are AZOrult malware procedures mitigated on this host?
CISA released an advisory in August 2022 on AZOrult malware, which could allow an attacker to steal information from compromised devices. This TTP uses AZOrult's methods of disabling Windows Defender and enabling persistence through a scheduled task. AZOrult may steal user account information, including passwords and credentials.
T1056.001
Can this host mitigate procedures used in FormBook malware?
CISA released an advisory in August 2022 on FormBook malware which can steal victims' information. This TTP captures keystrokes and clipboard data and logs it to a temporary file. Protection from keyloggers is essential because this type of malware may steal user account credentials or sensitive information.
T1003
Can this host mitigate procedures used in LokiBot malware?
CISA released an advisory in August 2022 on LokiBot malware, which can steal victims' information. This TTP emulates LokiBot's collection of browser information and stored credentials. Protection from credential dumping is essential because malware may steal account credentials to gain access to information for use in lateral movement and privilege escalation.
T1204.002
Is this host protected from NanoCore RAT?
CISA released an advisory in August 2022 on NanoCore RAT, which could allow an attacker to control a victim's machine. This TTP uses NanoCore's methods of adding a NanoCore exclusion in Windows Defender and enabling persistence through a scheduled task. NanoCore RAT may steal user account information, including passwords and credentials.
T1074
Is this host protected from Qakbot?
CISA released an advisory in August 2022 on Qakbot, which has been observed as a banking trojan and used to form botnets. This TTP creates a scheduled task, modifies the registry, and creates a staging folder to emulate data collection and exfiltration. Protection from Qakbot is important because this malware serves as a delivery agent for ransomware.
T1203
Is CVE-2022-29464 patched on this host?
Certain WSO2 products allow unrestricted file uploads, resulting in remote code execution. This TTP attempts to upload a web shell on the WS02 API Manager server using a specially crafted POST request. An attacker can leverage this vulnerability to modify the filesystem or gain remote code execution on the affected server.
T1203
Is CVE-2022-22947 patched on this host?
In Spring Cloud Gateway, the actuator endpoint is vulnerable to an arbitrary code execution attack in versions before 3.1.1+ and 3.0.7+. This TTP sends a curl request that will attempt to publish a new endpoint and run the 'id' command on the remote host. A remote attacker could make a maliciously crafted request that allows arbitrary code execution on the remote host.
T1203
Is CVE-2022-0543 patched on this host?
CVE-2022-0543 is a Lua sandbox escape in Redis that may result in arbitrary code execution. This TTP exploits the vulnerability via a specially crafted Redis client command. Patching CVE-2022-0543 is essential because an unauthenticated user may exploit this vulnerability to run arbitrary code on the system.
CVE-2022-33891
Is CVE-2022-33891 patched on this host?
Apache Spark configured with spark.acls.enable set to true is vulnerable to remote code execution via the doAs paramater.
This TTP attempts to access the doAs paramater, if it does successfully then it will attempt to run a shell command.
This exploit is very easy to use, reliable and effects many Apache Spark versions.
T1486
Is this host protected from Maui Ransomware?
CISA released an advisory in July 2022 on Maui ransomware which has been used by North Korean state-sponsored actors since at least May 2021 to encrypt files in infected hosts. This TTP uses a defanged (non-malicious) version of Maui which can be used to check if the ransomware is detected. Endpoint detection should identify Maui ransomware samples and respond before they can cause damage.
CVE-2022-22965
Is CVE-2022-22965 patched on this host?
Spring Core Framework before 5.13.18 or 5.2.20 is vulnerable to a remote code execution vulnerability.
This TTP sends a few cURL requests installing a backdoor temporarily. If the backdoor is installed and commands
can be executed you will be deemed vulnerable. You should be able to idenitfy and
remediate a backdoor that can execute shell commands that has been installed on your network.
T1486
Are you protected against Ryuk Ransomware?
Ryuk is a ransomware binary that encrypts file systems. This TTP uses a defanged (non-malicious) version of
Ryuk which can be used to check if replaying the attack is shut down by any endpoint defense.
This is important because defenses should detect the artifacts created by Ryuk and respond before it can cause damage.
CVE-2021-41773
Is Apache HTTP vulnerable to remote code execution?
Apache HTTP version 2.4.49 does not normalize paths correctly allowing an attacker to execute arbitrary code. This TTP sends a cURL request containing the 'uname -a' command, which is executed by '/bin/sh' via Apache's 'mod_cgi'. If this matches the local box's 'uname -a' output, then the CVE was successfully exploited.
CVE-2021-3156
Are you vulnerable to Baron Samedit?
Baron SamEdit is a vulnerability in sudoedit that allowed for a heap based buffer overflow which escalated low privileged users to root.
In this TTP we check the version and test a buffer overflow, if no "Segmentation Fault" appears, you are not vulnerable.
CVE-2021-41773
Is Apache HTTP vulnerable to path traversal?
Apache HTTP version 2.4.49 does not normalize paths correctly allowing an attacker to traverse filepaths on the server. This TTP sends a cURL request containing the location of '/etc/passwd'. If the response matches the output from the local box's '/etc/passwd', then the CVE was successfully exploited.
T1608.002
Launch a gost server
Launches a gost (Go simple tunnel) socks5 proxy server with a user specified port and log to a gost_server.log file.
T1572
Launch a gost client
Launch a gost (Go simple tunnel) client and connect to a specified gost socks5 proxy server. Network traffic sent to the local gost client port will be proxied through the specified gost server.
T1588.002
Install Metasploit Framework
Automatically install Metasploit framework and initalize the database with defaults. This can be used to run metasploit
modules from the staging server via an agent.
T1068
Spawn elevated Pneuma via CVE-2021-3490 (eBPF)
Spawn a beacon using the (eBPF vulnerability) identified in CVE-2021-3490.The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution.
Follow @preludeorg on Twitter for new chains and more.
Join the Prelude Discord to discuss chains and more.
Keep up to date with code changes and community activity on Github