
Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)
ID: S0192
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 18 Apr 2018
Last Modified: 13 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.(Citation: GitHub Pupy)
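The eventvwr and App Paths bypasses both work the same way: an auto-elevating Microsoft binary reads a command from the current user's registry hive, which an unprivileged process can write. That makes them easy to catch on the registry write and on the resulting child process. The following detection logic is an added example, not Pupy's code and not part of the ATT&CK page; the Sysmon-style events are constructed, and the expected-child table is a deliberate simplification that a real deployment would extend from its own process-tree baseline.

```python
"""Detection logic for the eventvwr and App Paths UAC-bypass families over
Sysmon-style events (EID 13 RegistryEvent, EID 1 ProcessCreate).

Added example: not Pupy's code and not part of the ATT&CK page. The events
below are constructed. Sysmon records the current user's hive as HKU\\<SID>,
not HKCU, so the key patterns are anchored on that form.
"""
from __future__ import annotations

import re

# A per-user hive is writable without elevation, which is the whole point of
# these bypasses: an auto-elevating binary reads an attacker-controlled value.
USER_HIVE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)

WATCHED_KEYS = {
    # eventvwr.exe resolves the .msc handler from HKCU\Software\Classes before HKCR
    "eventvwr": re.compile(r"\\Software\\Classes\\mscfile\\shell\\open\\command\\", re.I),
    # sdclt.exe launches control.exe and honours a per-user App Paths entry for it
    "app_paths": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control\.exe\\", re.I),
}

# Auto-elevating parents and the child they normally spawn.
# Assumption: a simplified table; extend it from your own process-tree baseline.
EXPECTED_CHILD = {"eventvwr.exe": {"mmc.exe"}, "sdclt.exe": {"control.exe"}}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> dict | None:
    """Return an alert for one Sysmon event, or None if it is uninteresting."""
    eid = event.get("EventID")
    if eid == 13:  # RegistryEvent (value set)
        target = event.get("TargetObject", "")
        if not USER_HIVE.match(target):
            return None  # HKLM writes already require admin rights; out of scope here
        for family, pattern in WATCHED_KEYS.items():
            if pattern.search(target):
                return {"rule": "uac_bypass_registry", "family": family,
                        "image": event.get("Image"), "target": target,
                        "details": event.get("Details")}
    elif eid == 1:  # ProcessCreate
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if (parent in EXPECTED_CHILD and child not in EXPECTED_CHILD[parent]
                and event.get("IntegrityLevel") == "High"):
            return {"rule": "uac_bypass_child", "family": parent.removesuffix(".exe"),
                    "image": event.get("Image"), "parent": event.get("ParentImage"),
                    "commandline": event.get("CommandLine")}
    return None


def scan(events: list[dict]) -> list[dict]:
    """Run classify over a batch of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events: two bypass writes, two benign writes, one bad
# child of eventvwr.exe and one normal one.
USER = "HKU\\" + "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\pupy.exe",
     "TargetObject": USER + r"\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\pupy.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\mscfile\shell\open\command\(Default)",
     "Details": "C:\\Windows\\system32\\mmc.exe \"%1\" %*"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\pupy.exe",
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\pupy.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /groups",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe", "CommandLine": "mmc.exe eventvwr.msc",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The HKLM write by msiexec.exe is deliberately not flagged: writing there already requires administrative rights, so it is not a UAC bypass, and alerting on it would bury the per-user writes that matter. The DLL-hijacking variant the page also mentions needs image-load telemetry (Sysmon EID 7) rather than registry events and is not covered by this block.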

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.(Citation: GitHub Pupy)

Enterprise T1087 .001 Account Discovery: Local Account

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net localgroup, etc.(Citation: GitHub Pupy)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.(Citation: GitHub Pupy)
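NBT-NS poisoning only works because any host on the segment may answer a broadcast name query, so a cheap way to detect a poisoner is to ask for a canary name that no legitimate host owns and treat any positive reply as hostile. The following probe and parser are an added example, not Pupy's code and not part of the ATT&CK page. The packet layout follows RFC 1002; the canary name, the transaction id and the address in the constructed reply are arbitrary, and the live `probe` function assumes the machine sits on a LAN where UDP/137 broadcasts are delivered.

```python
"""Detect NBT-NS poisoning by broadcasting a query for a canary name that
nobody should own and treating any positive reply as a poisoner.
Added example: not Pupy's code and not from the ATT&CK page. Packet layout
follows RFC 1002; the canary name and sample addresses are constructed."""
from __future__ import annotations

import os
import socket
import struct

NBNS_PORT = 137
NB_TYPE = 0x0020         # NB resource record (name query / positive response)
CLASS_IN = 0x0001
FLAGS_QUERY = 0x0110     # query, recursion desired, broadcast
FLAGS_RESPONSE = 0x8500  # response, authoritative, recursion desired


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1002 first-level encoding: pad to 15 bytes, append the suffix byte,
    then write each nibble as a letter 'A'..'P' inside a 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    body = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(body)]) + body + b"\x00"


def decode_name(data: bytes, off: int) -> tuple[str, int, int]:
    """Inverse of encode_name at offset off; returns (name, suffix, next offset).
    Also follows a DNS-style compression pointer (0xC0xx) if one is present."""
    if data[off] & 0xC0 == 0xC0:
        ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        name, suffix, _ = decode_name(data, ptr)
        return name, suffix, off + 2
    length = data[off]
    body = data[off + 1:off + 1 + length]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1


def build_query(name: str, tid: int) -> bytes:
    header = struct.pack("!HHHHHH", tid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", NB_TYPE, CLASS_IN)


def build_response(tid: int, name: str, ip: str, ttl: int = 165) -> bytes:
    """A positive name query response: one NB record with NB_FLAGS + IPv4."""
    header = struct.pack("!HHHHHH", tid, FLAGS_RESPONSE, 0, 1, 0, 0)
    rr = encode_name(name) + struct.pack("!HHIH", NB_TYPE, CLASS_IN, ttl, 6)
    return header + rr + struct.pack("!H4s", 0x0000, socket.inet_aton(ip))


def parse_response(data: bytes) -> dict:
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qd):                       # skip any echoed question
        _, _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, suffix, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == NB_TYPE:
            for i in range(0, rdlen, 6):      # one NB_FLAGS + IPv4 pair per address
                _nbflags, ip = struct.unpack("!H4s", rdata[i:i + 6])
                answers.append({"name": name, "suffix": suffix, "ttl": ttl, "ip": socket.inet_ntoa(ip)})
    return {"tid": tid, "rcode": flags & 0x000F, "answers": answers}


def is_poisoned(query: bytes, response: bytes) -> bool:
    """The canary does not exist, so honest outcomes are silence or a negative
    response; a positive answer carrying our transaction id means something on
    the segment answers for names it does not own."""
    qtid = struct.unpack("!H", query[:2])[0]
    r = parse_response(response)
    return r["tid"] == qtid and r["rcode"] == 0 and bool(r["answers"])


def probe(canary: str = "FS-PROBE-7Q1", timeout: float = 2.0) -> list[str]:
    """Live check (needs a LAN and UDP/137): IPs that answered the canary."""
    tid = struct.unpack("!H", os.urandom(2))[0]
    query, poisoners = build_query(canary, tid), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(query, ("255.255.255.255", NBNS_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(1024)
                if is_poisoned(query, data):
                    poisoners.append(src)
        except socket.timeout:
            pass
    return poisoners


# Constructed: the reply a poisoner at 192.0.2.66 would send to our canary query.
SAMPLE_QUERY = build_query("FS-PROBE-7Q1", 0x1234)
SAMPLE_POISONED_REPLY = build_response(0x1234, "FS-PROBE-7Q1", "192.0.2.66")

if __name__ == "__main__":
    print("sample reply poisoned:", is_poisoned(SAMPLE_QUERY, SAMPLE_POISONED_REPLY))
    print("live poisoners:", probe())
```

Run the probe from a few points on the network on a schedule; a WINS server or a host that genuinely owns a name answers with a negative response code or not at all, so only positive answers to the canary count. The same idea applies to LLMNR (UDP/5355), which uses plain DNS framing instead of the RFC 1002 name encoding.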

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pupy can communicate over HTTP for C2.(Citation: GitHub Pupy)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Pupy can compress data with Zip before sending it over C2.(Citation: GitHub Pupy)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.(Citation: GitHub Pupy)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Pupy has a module for loading and executing PowerShell scripts.(Citation: GitHub Pupy)

.006 Command and Scripting Interpreter: Python

Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.(Citation: GitHub Pupy)

Enterprise T1136 .001 Create Account: Local Account

Pupy can use PowerView to execute “net user” commands and create local system accounts.(Citation: GitHub Pupy)

.002 Create Account: Domain Account

Pupy can use PowerView to execute “net user” commands and create domain accounts.(Citation: GitHub Pupy)

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Pupy can be used to establish persistence using a systemd service.(Citation: GitHub Pupy)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Pupy can use Lazagne for harvesting credentials.(Citation: GitHub Pupy)

Enterprise T1114 .001 Email Collection: Local Email Collection

Pupy can interact with a victim’s Outlook session and look through folders and emails.(Citation: GitHub Pupy)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.(Citation: GitHub Pupy)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Pupy has a module to clear event logs with PowerShell.(Citation: GitHub Pupy)

Enterprise T1056 .001 Input Capture: Keylogging

Pupy's keylogger captures keystrokes and sends them back to the server once the keylogger is stopped.(Citation: GitHub Pupy)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Pupy can execute Lazagne as well as Mimikatz using PowerShell.(Citation: GitHub Pupy)

.004 OS Credential Dumping: LSA Secrets

Pupy can use Lazagne for harvesting credentials.(Citation: GitHub Pupy)

.005 OS Credential Dumping: Cached Domain Credentials

Pupy can use Lazagne for harvesting credentials.(Citation: GitHub Pupy)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Pupy can migrate into another process using reflective DLL injection.(Citation: GitHub Pupy)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Pupy can enable or disable RDP connections and can start a remote desktop session using a browser web socket client.(Citation: GitHub Pupy)

Enterprise T1569 .002 System Services: Service Execution

Pupy uses PsExec to execute a payload or commands on a remote host.(Citation: GitHub Pupy)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Pupy can use Lazagne for harvesting credentials.(Citation: GitHub Pupy)

Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

Pupy can perform pass-the-ticket.(Citation: GitHub Pupy)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Pupy has a module that checks a number of indicators on the system to determine if it is running on a virtual machine.(Citation: GitHub Pupy)

Groups That Use This Software

ID Name References
G0059 Magic Hound

(Citation: Unit 42 Magic Hound Feb 2017) (Citation: FireEye APT35 2018) (Citation: Secureworks Cobalt Gypsy Feb 2017)

G0064 APT33

(Citation: FireEye APT33 Guardrail)
