Pupy
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Pupy can bypass Windows UAC through DLL hijacking, eventvwr, or appPaths.(Citation: GitHub Pupy)
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Pupy can obtain a list of SIDs and provide the option to select process tokens to impersonate.(Citation: GitHub Pupy)
Enterprise | T1087.001 | Account Discovery: Local Account | Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net localgroup, etc.(Citation: GitHub Pupy)
Enterprise | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | Pupy can sniff plaintext network credentials and use NBNS spoofing to poison name services.(Citation: GitHub Pupy)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Pupy can communicate over HTTP for C2.(Citation: GitHub Pupy)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Pupy can compress data with Zip before sending it over C2.(Citation: GitHub Pupy)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Pupy can add itself to the Startup folder or to a Registry Run key.
Enterprise | T1547.013 | Boot or Logon Autostart Execution: XDG Autostart Entries | Pupy can use an XDG Autostart entry to establish persistence.(Citation: Red Canary Netwire Linux 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Pupy has a module for loading and executing PowerShell scripts.(Citation: GitHub Pupy)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Pupy can use an add-on feature when creating payloads that allows custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session), such as sandbox detection and adding persistence.(Citation: GitHub Pupy)
Enterprise | T1136.001 | Create Account: Local Account | Pupy can use PowerView to execute "net user" commands and create local system accounts.(Citation: GitHub Pupy)
Enterprise | T1136.002 | Create Account: Domain Account | Pupy can use PowerView to execute "net user" commands and create domain accounts.(Citation: GitHub Pupy)
Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | Pupy can be used to establish persistence using a systemd service.(Citation: GitHub Pupy)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Pupy can use LaZagne for harvesting credentials.(Citation: GitHub Pupy)
Enterprise | T1114.001 | Email Collection: Local Email Collection | Pupy can interact with a victim's Outlook session and look through folders and emails.(Citation: GitHub Pupy)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.(Citation: GitHub Pupy)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Pupy has a module to clear event logs with PowerShell.(Citation: GitHub Pupy)
Enterprise | T1056.001 | Input Capture: Keylogging | Pupy's keylogger captures keystrokes and sends them back to the server once the keylogger is stopped.(Citation: GitHub Pupy)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Pupy can execute LaZagne as well as Mimikatz using PowerShell.(Citation: GitHub Pupy)
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Pupy can use LaZagne for harvesting credentials.(Citation: GitHub Pupy)
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Pupy can use LaZagne for harvesting credentials.(Citation: GitHub Pupy)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Pupy can migrate into another process using reflective DLL injection.(Citation: GitHub Pupy)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Pupy can enable or disable RDP connections and can start a remote desktop session using a browser WebSocket client.(Citation: GitHub Pupy)
Enterprise | T1569.002 | System Services: Service Execution | Pupy uses PsExec to execute a payload or commands on a remote host.(Citation: GitHub Pupy)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Pupy can use LaZagne for harvesting credentials.(Citation: GitHub Pupy)
Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Pupy can perform pass-the-ticket.(Citation: GitHub Pupy)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Pupy has a module that checks a number of indicators on the system to determine whether it is running in a virtual machine.(Citation: GitHub Pupy)
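The eventvwr and appPaths bypasses listed under T1548.002 both work the same way: the implant plants a value under a per-user registry key that an auto-elevating Windows binary later reads at high integrity. The triage script below is an added illustration for this page, not Pupy's code and not from any of the page's sources. It assumes records shaped like Sysmon Event ID 13 (RegistryEvent SetValue, with Image, TargetObject and Details fields), uses the documented key paths for the eventvwr.exe (mscfile handler) and App Paths bypasses, and the sample events and the "suspicious payload" heuristic are constructed for the example.

```python
"""Flag registry writes that match the eventvwr and App Paths UAC-bypass
methods.  Added example: not Pupy's code and not from the page's sources.

Assumed input (constructed, not real telemetry): dicts shaped like Sysmon
Event ID 13 (RegistryEvent SetValue) records with Image, TargetObject and
Details.  Sysmon renders HKCU as HKU\\<user SID>, so the patterns match that.
"""
import re

# Per-user keys the two named bypasses write to.  HKCU is writable without
# elevation; the auto-elevating binary reads the value at high integrity
# and launches whatever it finds there.
INDICATORS = {
    "eventvwr": re.compile(
        r"^HKU\\[^\\]+\\Software\\Classes\\mscfile\\shell\\open\\command", re.I),
    "apppaths": re.compile(
        r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\", re.I),
}

# Heuristic (assumption, not from the page): a launcher that points at a
# script host or a user-writable directory is more likely abuse than a
# legitimate per-user handler.
SUSPICIOUS_DETAILS = re.compile(
    r"(powershell|cmd\.exe|wscript|mshta|\\Temp\\|\\AppData\\|\\Downloads\\)",
    re.I)


def triage(events):
    """Return one finding per event that writes to an indicator key."""
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        for method, pattern in INDICATORS.items():
            if pattern.match(target):
                details = ev.get("Details", "")
                findings.append({
                    "method": method,
                    "severity": "high" if SUSPICIOUS_DETAILS.search(details) else "medium",
                    "image": ev.get("Image", ""),
                    "target": target,
                    "details": details,
                })
    return findings


# Constructed sample events (not real telemetry).  The middle one is a
# normal Run-key write and must not be flagged by this check.
SID = r"S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pupy.exe",
     "TargetObject": r"HKU\%s\Software\Classes\mscfile\shell\open\command\(Default)" % SID,
     "Details": r"powershell.exe -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\pupy.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)" % SID,
     "Details": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['method']}: {f['image']} wrote "
              f"{f['target']} = {f['details']}")
```

Any write to the mscfile handler under a user hive is worth a look, since nothing legitimate registers a per-user handler for .msc files; App Paths under HKCU is also touched by some per-user installers, which is why that match stays at medium unless the value points at a script host or a user-writable path. The DLL hijacking variant the page also names leaves no registry artifact, so it needs a different check (image-load telemetry for an auto-elevating binary loading a DLL from a user-writable directory).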
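For the Linux persistence listed under T1547.013, the artifact is a .desktop file in an XDG autostart directory whose Exec line launches the implant. The audit below is an added example, not Pupy's code and not from the Red Canary write-up the row cites. It parses [Desktop Entry] groups, and its lookup directories (~/.config/autostart and /etc/xdg/autostart), the system-binary and temp-directory lists, the interpreter list and the three sample .desktop texts are all assumptions constructed for the example rather than anything the page states.

```python
"""Audit XDG autostart entries for the persistence pattern the page attributes
to Pupy.  Added example: not Pupy's code and not from the page's sources.

Assumptions (mine, not the page's): the lookup directories are the XDG ones;
the "system" binary dirs, temp dirs and interpreter list are an allow/deny
heuristic; the three .desktop texts below are constructed samples.
"""
import configparser
import glob
import os
import shlex

AUTOSTART_DIRS = (os.path.expanduser("~/.config/autostart"), "/etc/xdg/autostart")
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3", "perl"}


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict (configparser lower-cases keys)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def _path_reason(path, what):
    if any(path.startswith(d) for d in TEMP_DIRS):
        return f"{what} in temp/shm location: {path}"
    if path.startswith("/") and not any(path.startswith(d) for d in SYSTEM_DIRS):
        return f"{what} outside system binary dirs: {path}"
    return None


def assess(entry):
    """Return the reasons an entry looks like implant persistence ([] = clean)."""
    if not entry:
        return ["no [Desktop Entry] group"]
    try:
        argv = shlex.split(entry.get("exec", ""))
    except ValueError:
        return ["unparseable Exec line"]
    if not argv:
        return ["missing or empty Exec"]
    prog, args = argv[0], argv[1:]
    reasons = []
    if os.path.basename(prog) in INTERPRETERS:
        # Judge the script the interpreter runs, not /usr/bin/python3 itself.
        if "-c" in args:
            reasons.append("interpreter given inline -c code")
        for a in args:
            r = _path_reason(a, "script") if a.startswith("/") else None
            if r:
                reasons.append(r)
    else:
        r = _path_reason(prog, "program")
        if r:
            reasons.append(r)
    # A suspicious entry that also hides itself from the session settings UI.
    if reasons and entry.get("nodisplay", "").lower() == "true":
        reasons.append("hidden from autostart UI (NoDisplay=true)")
    return reasons


def audit_texts(samples):
    """Map file name -> reasons, for .desktop contents given as strings."""
    return {name: assess(parse_desktop(text)) for name, text in samples.items()}


def audit_host():
    """Same check over the real autostart directories of this host."""
    found = {}
    for d in AUTOSTART_DIRS:
        for path in glob.glob(os.path.join(d, "*.desktop")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = assess(parse_desktop(fh.read()))
    return found


# Constructed samples (not real files): one benign, two in the RAT pattern.
SAMPLES = {
    "nm-applet.desktop": """[Desktop Entry]
Type=Application
Name=Network
Exec=/usr/bin/nm-applet
""",
    "xdg-cache.desktop": """[Desktop Entry]
Type=Application
Name=Cache Helper
NoDisplay=true
Exec=/usr/bin/python3 /home/alice/.cache/.xdg/launcher.py
""",
    "update.desktop": """[Desktop Entry]
Type=Application
Name=Update
Exec=sh -c "/dev/shm/.u/upd &"
""",
}


if __name__ == "__main__":
    for name, reasons in audit_texts(SAMPLES).items():
        print(name, "->", reasons or "clean")
    for path, reasons in audit_host().items():
        if reasons:
            print(path, "->", reasons)
```

Run it as the interactive user, since per-user autostart lives under that user's home; a system-wide sweep needs the same pass over every home directory. The script path heuristic is the part worth tuning: Snap, Flatpak and vendor packages under /opt legitimately autostart from outside the listed system dirs, so extend SYSTEM_DIRS for the distribution in question rather than suppressing findings.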
Groups That Use This Software

ID | Name | References
---|---|---
G0059 | Magic Hound | (Citation: Unit 42 Magic Hound Feb 2017) (Citation: FireEye APT35 2018) (Citation: Secureworks Cobalt Gypsy Feb 2017)
G0064 | APT33 | (Citation: FireEye APT33 Guardrail)
References
- Verdier, N. (n.d.). Retrieved January 29, 2018.
- Lambert, T. (2022, June 7). Trapping the Netwire RAT on Linux. Retrieved September 28, 2023.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.