Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]

ID: S0192
Type: TOOL
Platforms: Linux, Windows, macOS, Android

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[1]
Enterprise | T1087 | Account Discovery | Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net localgroup, etc.[1]
Enterprise | T1123 | Audio Capture | Pupy can record sound with the microphone.[1]
Enterprise | T1088 | Bypass User Account Control | Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[1]
Enterprise | T1136 | Create Account | Pupy can use PowerView to perform "net user" commands and create local system and domain accounts.[1]
Enterprise | T1003 | Credential Dumping | Pupy executes Mimikatz using PowerShell and can also perform pass-the-ticket and use LaZagne for harvesting credentials.[1]
Enterprise | T1002 | Data Compressed | Pupy can compress data with Zip before sending it over C2.[1]
Enterprise | T1114 | Email Collection | Pupy can interact with a victim's Outlook session and look through folders and emails.[1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Pupy can send screenshot files, keylogger data, files, and recorded audio back to the C2 server.[1]
Enterprise | T1083 | File and Directory Discovery | Pupy can walk through directories and recursively search for strings in files.[1]
Enterprise | T1070 | Indicator Removal on Host | Pupy has a module to clear event logs with PowerShell.[1]
Enterprise | T1056 | Input Capture | Pupy uses a keylogger to capture keystrokes, which it sends back to the server after the keylogger is stopped.[1]
Enterprise | T1171 | LLMNR/NBT-NS Poisoning and Relay | Pupy can sniff plaintext network credentials and use NBNS spoofing to poison name services.[1]
Enterprise | T1079 | Multilayer Encryption | Pupy can use Obfs3, a pluggable transport, to add another layer of encryption and obfuscate TLS.[1]
Enterprise | T1046 | Network Service Scanning | Pupy has a built-in module for port scanning.[1]
Enterprise | T1135 | Network Share Discovery | Pupy can list local and remote shared drives and folders over SMB.[1]
Enterprise | T1086 | PowerShell | Pupy has a module for loading and executing PowerShell scripts.[1]
Enterprise | T1057 | Process Discovery | Pupy can list the running processes and get each process's ID and parent process ID.[1]
Enterprise | T1055 | Process Injection | Pupy can migrate into another process using reflective DLL injection.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Pupy adds itself to the Startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.[1]
Enterprise | T1076 | Remote Desktop Protocol | Pupy can enable/disable RDP connections and can start a remote desktop session using a browser WebSocket client.[1]
Enterprise | T1105 | Remote File Copy | Pupy can upload files to and download files from a victim machine.[1]
Enterprise | T1113 | Screen Capture | Pupy can drop a mouse-logger that takes small screenshots around the cursor at each click and sends them back to the server.[1]
Enterprise | T1064 | Scripting | Pupy has an add-on feature, usable when creating payloads, that allows the operator to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.[1]
Enterprise | T1035 | Service Execution | Pupy uses PsExec to execute a payload or commands on a remote host.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Pupy can communicate over HTTP for C2.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[1]
Enterprise | T1082 | System Information Discovery | Pupy can grab a system's information, including the OS version, architecture, etc.[1]
Enterprise | T1016 | System Network Configuration Discovery | Pupy has built-in commands to identify a host's IP address and find out other network configuration settings by viewing connected sessions.[1]
Enterprise | T1049 | System Network Connections Discovery | Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.[1]
Enterprise | T1033 | System Owner/User Discovery | Pupy can enumerate local information for Linux hosts and find currently logged-on users for Windows hosts.[1]
Enterprise | T1501 | Systemd Service | Pupy can be used to establish persistence using a systemd service.[1]
Enterprise | T1125 | Video Capture | Pupy can access a connected webcam and capture pictures.[1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | Pupy has a module to check if it is running on a virtual machine.[1]
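The two persistence rows above (T1060, the Run key and Startup folder, and T1501, a systemd service) describe where a Pupy implant lands but not how a responder would check for it. The following added example, which is not part of Pupy or of the ATT&CK page, triages the artifacts an analyst would collect from a suspect host: the text output of a `reg query` against the HKCU Run key, the resolved targets of Startup-folder shortcuts, and the contents of systemd unit files. It flags entries whose command runs from a user-writable location or through a script interpreter or loader, which is how a Python-based payload generated as an exe, script or PowerShell one-liner is typically staged. The heuristics, thresholds and all sample inputs are constructed for the demonstration and are assumptions, not data from the source.

```python
"""
Persistence triage for Run key / Startup folder entries (T1060) and systemd
units (T1501).  Added example; not code from Pupy or the ATT&CK page.
"""
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to.  A persisted command launched from
# one of these deserves a look.  (Heuristic list, constructed for the example.)
USER_WRITABLE = (
    r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
    r"\programdata", "/tmp", "/dev/shm", "/var/tmp", "/home/",
)
# Interpreters and loaders a script-based or reflectively loaded implant is
# commonly wrapped in.  Version suffixes (python3, python3.11) are stripped
# before the lookup.
INTERPRETERS = ("python", "pythonw", "powershell", "pwsh", "wscript",
                "cscript", "mshta", "rundll32", "regsvr32")


@dataclass
class Finding:
    source: str      # where the entry lives: Run key, Startup folder, unit file
    name: str        # value name, shortcut name or unit name
    command: str     # the command line that gets executed
    reasons: list    # which heuristics it tripped


def image_name(command: str) -> str:
    """Basename of the launched image, minus .exe/.com and any version suffix.
    Handles a quoted first token so paths with spaces are not split."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command.lower())
    if not m:
        return ""
    first = m.group(1) or m.group(2)
    image = re.split(r"[\\/]", first)[-1]
    image = re.sub(r"\.(exe|com)$", "", image)
    return re.sub(r"[\d.]+$", "", image)


def suspicious_reasons(command: str) -> list:
    """Return the heuristics a command trips; an empty list means nothing flagged."""
    lowered = command.lower()
    reasons = []
    if any(p in lowered for p in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    image = image_name(command)
    if image in INTERPRETERS:
        reasons.append(f"launched via interpreter/loader ({image})")
    if re.search(r"\s-(e|ec|enc|encodedcommand)\s", lowered):
        reasons.append("encoded PowerShell command")
    return reasons


def parse_reg_query_run(text: str) -> list:
    """Parse `reg query HKCU\\...\\Run` output into (value_name, command) pairs.
    Data lines are indented:   Name    REG_SZ    "C:\\path\\app.exe" /arg"""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_systemd_unit(text: str) -> str:
    """Return the ExecStart= command of a unit file, or '' if there is none."""
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("execstart="):
            return line.split("=", 1)[1].strip()
    return ""


def triage(run_key_text: str, startup_targets: dict, units: dict) -> list:
    """Apply the heuristics to all three sources and return the findings in order."""
    findings = []
    for name, cmd in parse_reg_query_run(run_key_text):
        if r := suspicious_reasons(cmd):
            findings.append(Finding("HKCU Run key", name, cmd, r))
    for fname, target in startup_targets.items():   # {shortcut: resolved target}
        if r := suspicious_reasons(target):
            findings.append(Finding("Startup folder", fname, target, r))
    for uname, unit_text in units.items():
        cmd = parse_systemd_unit(unit_text)
        if r := suspicious_reasons(cmd):
            findings.append(Finding("systemd unit", uname, cmd, r))
    return findings


# --- constructed sample input; not captured from a real host ----------------
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Local\Temp\svc.exe
    WinCfg      REG_SZ    powershell.exe -nop -w hidden -enc SQBFAFgA
"""
SAMPLE_STARTUP = {
    "Agent.lnk": r"C:\Program Files\Example Corp\Agent.exe",
    "sync.lnk": r"C:\Users\Public\pyclient.pyw",
}
SAMPLE_UNITS = {
    "cron.service": "[Unit]\nDescription=Regular background program processing daemon\n"
                    "[Service]\nExecStart=/usr/sbin/cron -f\n",
    "sysupdate.service": "[Unit]\nDescription=System update\n[Service]\n"
                         "ExecStart=/usr/bin/python3 /tmp/.cache/update.py\nRestart=always\n"
                         "[Install]\nWantedBy=multi-user.target\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_KEY, SAMPLE_STARTUP, SAMPLE_UNITS):
        print(f"[{f.source}] {f.name}: {f.command}\n    {'; '.join(f.reasons)}")
```

On the constructed input the OneDrive entry, the Program Files shortcut and cron pass, while the Temp-directory binary, the encoded PowerShell one-liner, the script in Users\Public and the python3 unit running from /tmp are reported. The path list is a substring match, so it will also catch nested directories (and, occasionally, an unrelated path containing `/tmp`); treat the output as a worklist for manual review rather than a verdict.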

Groups

Groups that use this software:

APT33
Magic Hound

References