Software: Pupy

From enterprise
Jump to: navigation, search
ID S0192
Aliases Pupy
Type Tool
Platform Linux, Windows, macOS

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. 1 It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.).1 Pupy is publicly available on GitHub. 1

Techniques Used

  • Account Discovery - Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc. 1
  • Create Account - Pupy can user PowerView to perform “net user” commands and create local system and domain accounts.1
  • Credential Dumping - Pupy executes Mimikatz using PowerShell and can also perform pass-the-ticket and use Lazagne for harvesting credentials.1
  • Email Collection - Pupy can interact with a victim’s Outlook session and look through folders and emails.1
  • Input Capture - Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.1
  • LLMNR/NBT-NS Poisoning - Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.1
  • Multilayer Encryption - Pupy can use Obfs3, a pluggable transport, to add another layer of encryption and obfuscate TLS.1
  • PowerShell - Pupy has a module for loading and executing PowerShell scripts.1
  • Process Discovery - Pupy can list the running processes and get the process ID and parent process’s ID.1
  • Process Injection - Pupy can migrate into another process using reflective DLL injection.1
  • Registry Run Keys / Start Folder - Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.1
  • Remote Desktop Protocol - Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client.1
  • Screen Capture - Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.1
  • Scripting - Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.1
  • System Network Connections Discovery - Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.1
  • Video Capture - Pupy can access a connected webcam and capture pictures.1


The following groups use this software:


  1. a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah ai  Nicolas Verdier. (n.d.). Retrieved January 29, 2018.