S0192 Pupy
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. 1 It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). 1 Pupy is publicly available on GitHub. 1
Item | Value |
---|---|
ID | S0192 |
Associated Names | |
Type | TOOL |
Version | 1.2 |
Created | 18 April 2018 |
Last Modified | 13 May 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.1 |
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.001 | Token Impersonation/Theft | Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.1 |
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.1 |
enterprise | T1557 | Adversary-in-the-Middle | - |
enterprise | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.1 |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Pupy can communicate over HTTP for C2.1 |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | Pupy can compress data with Zip before sending it over C2.1 |
enterprise | T1123 | Audio Capture | Pupy can record sound with the microphone.1 |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Pupy has a module for loading and executing PowerShell scripts.1 |
enterprise | T1059.006 | Python | Pupy can use an add-on feature when creating payloads that allows the operator to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.1 |
enterprise | T1136 | Create Account | - |
enterprise | T1136.001 | Local Account | Pupy can use PowerView to execute “net user” commands and create local system accounts.1 |
enterprise | T1136.002 | Domain Account | Pupy can use PowerView to execute “net user” commands and create domain accounts.1 |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.002 | Systemd Service | Pupy can be used to establish persistence using a systemd service.1 |
enterprise | T1555 | Credentials from Password Stores | Pupy can use Lazagne for harvesting credentials.1 |
enterprise | T1555.003 | Credentials from Web Browsers | Pupy can use Lazagne for harvesting credentials.1 |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | Pupy can interact with a victim’s Outlook session and look through folders and emails.1 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.1 |
enterprise | T1041 | Exfiltration Over C2 Channel | Pupy can send screenshot files, keylogger data, files, and recorded audio back to the C2 server.1 |
enterprise | T1083 | File and Directory Discovery | Pupy can walk through directories and recursively search for strings in files.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.001 | Clear Windows Event Logs | Pupy has a module to clear event logs with PowerShell.1 |
enterprise | T1105 | Ingress Tool Transfer | Pupy can upload and download to/from a victim machine.1 |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.1 |
enterprise | T1046 | Network Service Discovery | Pupy has a built-in module for port scanning.1 |
enterprise | T1135 | Network Share Discovery | Pupy can list local and remote shared drives and folders over SMB.1 |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Pupy can execute Lazagne as well as Mimikatz using PowerShell.1 |
enterprise | T1003.004 | LSA Secrets | Pupy can use Lazagne for harvesting credentials.1 |
enterprise | T1003.005 | Cached Domain Credentials | Pupy can use Lazagne for harvesting credentials.1 |
enterprise | T1057 | Process Discovery | Pupy can list the running processes and get the process ID and parent process’s ID.1 |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Pupy can migrate into another process using reflective DLL injection.1 |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | Pupy can enable/disable RDP connections and can start a remote desktop session using a browser web socket client.1 |
enterprise | T1113 | Screen Capture | Pupy can drop a mouse-logger that takes small screenshots around each click and then sends them back to the server.1 |
enterprise | T1082 | System Information Discovery | Pupy can grab a system’s information including the OS version, architecture, etc.1 |
enterprise | T1016 | System Network Configuration Discovery | Pupy has built-in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.1 |
enterprise | T1049 | System Network Connections Discovery | Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.1 |
enterprise | T1033 | System Owner/User Discovery | Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.1 |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Pupy uses PsExec to execute a payload or commands on a remote host.1 |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | Pupy can use Lazagne for harvesting credentials.1 |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.003 | Pass the Ticket | Pupy can perform pass-the-ticket.1 |
enterprise | T1125 | Video Capture | Pupy can access a connected webcam and capture pictures.1 |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Pupy has a module that checks a number of indicators on the system to determine if it is running on a virtual machine.1 |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0059 | Magic Hound | 2 3 4 |
G0064 | APT33 | 5 |
References
1. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
2. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
3. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
4. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
5. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.