Skip to content

S0192 Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. 1 It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). 1 Pupy is publicly available on GitHub. 1

Item Value
ID S0192
Associated Names
Version 1.2
Created 18 April 2018
Last Modified 13 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.1
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.1
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.1
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Pupy can communicate over HTTP for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Pupy can compress data with Zip before sending it over C2.1
enterprise T1123 Audio Capture Pupy can record sound with the microphone.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Pupy has a module for loading and executing PowerShell scripts.1
enterprise T1059.006 Python Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Pupy can user PowerView to execute “net user” commands and create local system accounts.1
enterprise T1136.002 Domain Account Pupy can user PowerView to execute “net user” commands and create domain accounts.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.002 Systemd Service Pupy can be used to establish persistence using a systemd service.1
enterprise T1555 Credentials from Password Stores Pupy can use Lazagne for harvesting credentials.1
enterprise T1555.003 Credentials from Web Browsers Pupy can use Lazagne for harvesting credentials.1
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection Pupy can interact with a victim’s Outlook session and look through folders and emails.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Pupy‘s default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.1
enterprise T1041 Exfiltration Over C2 Channel Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.1
enterprise T1083 File and Directory Discovery Pupy can walk through directories and recursively search for strings in files.1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Pupy has a module to clear event logs with PowerShell.1
enterprise T1105 Ingress Tool Transfer Pupy can upload and download to/from a victim machine.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.1
enterprise T1046 Network Service Discovery Pupy has a built-in module for port scanning.1
enterprise T1135 Network Share Discovery Pupy can list local and remote shared drives and folders over SMB.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Pupy can execute Lazagne as well as Mimikatz using PowerShell.1
enterprise T1003.004 LSA Secrets Pupy can use Lazagne for harvesting credentials.1
enterprise T1003.005 Cached Domain Credentials Pupy can use Lazagne for harvesting credentials.1
enterprise T1057 Process Discovery Pupy can list the running processes and get the process ID and parent process’s ID.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Pupy can migrate into another process using reflective DLL injection.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client.1
enterprise T1113 Screen Capture Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.1
enterprise T1082 System Information Discovery Pupy can grab a system’s information including the OS version, architecture, etc.1
enterprise T1016 System Network Configuration Discovery Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.1
enterprise T1049 System Network Connections Discovery Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.1
enterprise T1033 System Owner/User Discovery Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Pupy uses PsExec to execute a payload or commands on a remote host.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Pupy can use Lazagne for harvesting credentials.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.003 Pass the Ticket Pupy can also perform pass-the-ticket.1
enterprise T1125 Video Capture Pupy can access a connected webcam and capture pictures.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.1

Groups That Use This Software

ID Name References
G0059 Magic Hound 234
G0064 APT33 5