Skip to content


SHOTPUT is a custom backdoor used by APT3. 1

Item Value
ID S0063
Associated Names Backdoor.APT.CookieCutter, Pirpi
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Backdoor.APT.CookieCutter 2
Pirpi 2

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account SHOTPUT has a command to retrieve information about connected users.3
enterprise T1083 File and Directory Discovery SHOTPUT has a command to obtain a directory listing.3
enterprise T1027 Obfuscated Files or Information SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.13
enterprise T1057 Process Discovery SHOTPUT has a command to obtain a process listing.3
enterprise T1018 Remote System Discovery SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.3
enterprise T1049 System Network Connections Discovery SHOTPUT uses netstat to list TCP connection status.3

Groups That Use This Software

ID Name References
G0022 APT3 1


Back to top