Live Active security incident? Get immediate response
MITRE ATT&CK® Tool

S0192: Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]

EnterpriseS0192ToolObject v1.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Pupy matters because it is a publicly available, open source, cross-platform remote administration and post-exploitation tool that can be packaged in multiple payload forms, including Windows executables, Python files, PowerShell, Linux ELF, APK, and Rubber Ducky formats. For leaders, the risk is not the tool name alone; it is the breadth of behaviors ATT&CK associates with it: credential access, discovery, command and control, collection, exfiltration, lateral movement, and execution across Windows, Linux, macOS, and Android environments.

Executive priority

Treat Pupy as a coverage-validation object for post-compromise readiness. Because ATT&CK provides no official detection guidance for this software, executives should ask whether security teams can prove visibility across the behaviors linked to it: credential dumping from LSASS/LSA/cached credentials, PowerShell and Python execution, web-based command and control, tool transfer, RDP-based lateral movement, local data collection, screenshots, audio capture, and exfiltration over C2. Priority should be highest where business-critical users, service accounts, remote access paths, or sensitive local data exist on supported platforms.

Technical view

SOC, detection engineering, and IR teams should validate behavior-based detections rather than relying only on tool identifiers. ATT&CK links Pupy to Windows credential-access techniques including LSASS Memory, LSA Secrets, and Cached Domain Credentials; execution through PowerShell and Python; discovery of users, processes, files, system information, network configuration, services, and connections; C2 over web protocols; ingress tool transfer; RDP lateral movement; collection from screens, audio, keystrokes, and local email; and exfiltration over the C2 channel. Since official detection text is not provided, local testing and telemetry review are required to determine whether these behaviors are observable in each supported operating environment.

Likely telemetry

  • Endpoint process creation and command-line telemetry for PowerShell, Python, discovery utilities, and unusual child-process relationships
  • Windows security and endpoint telemetry related to LSASS access, LSA secrets access, cached credential access, and suspicious registry or memory access patterns
  • Network telemetry for outbound web-protocol command-and-control patterns and data transfer over established C2-like channels
  • Remote access logs for RDP sessions, especially valid-account use from unusual sources or at unusual times
  • File system telemetry for payload staging, tool transfer, local email data access, file enumeration, and suspicious archive or collection activity

Detection direction

  • Prioritize behavior detections mapped to the linked techniques because ATT&CK does not provide official detection guidance for Pupy itself.
  • Tune PowerShell and Python analytics to separate administrative automation from suspicious execution chains, downloaded payloads, or post-compromise discovery sequences.
  • Correlate discovery activity with subsequent credential access, tool transfer, collection, RDP use, or outbound web traffic rather than alerting on common administrative commands in isolation.
  • Validate visibility into LSASS, LSA Secrets, and cached credential access on Windows systems; these are high-value blind spots for identity compromise investigations.
  • Review web-protocol egress monitoring for command-and-control and exfiltration patterns, while accounting for the high false-positive potential of normal HTTP/S traffic.

Mitigation priorities

  • Start with identity and credential protection: reduce exposure of privileged accounts, monitor credential material access, and limit where high-value credentials can be used.
  • Harden and monitor remote access paths such as RDP, including account use, source validation, and session auditing.
  • Restrict and monitor scripting execution where appropriate, especially PowerShell and Python on systems where they are not operationally required.
  • Improve endpoint visibility across Windows, Linux, macOS, and Android assets that are in scope, since the tool is described as cross-platform.
  • Control outbound network paths and inspect web-protocol egress where feasible to support C2 and exfiltration detection.
Analyst notes and limits

Pupy is described by ATT&CK as an open source remote administration and post-exploitation tool publicly available on GitHub and generated in several payload formats. The relationship set is broad and makes this object useful for validating post-compromise detection coverage. ATT&CK also records use by Magic Hound and APT33; that relationship supports threat-context enrichment but does not justify local attribution without independent incident evidence.

The supplied ATT&CK object has no official detection text and no object-level tactics specified. This take is therefore derived from the official description, supported platforms, external references, and provided relationships to groups and techniques. Local asset inventory, logging configuration, endpoint controls, and network architecture are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

41 rows
Domain ID Name Relationship / procedure
Enterprise T1569.002 Service Execution Sub-technique

Pupy uses PsExec to execute a payload or commands on a remote host.[1]
Enterprise T1046 Network Service Discovery

Pupy has a built-in module for port scanning.[1]
Enterprise T1113 Screen Capture

Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.[1]
Enterprise T1552.001 Credentials In Files Sub-technique

Pupy can use Lazagne for harvesting credentials.[1]
Enterprise T1105 Ingress Tool Transfer

Pupy can upload and download to/from a victim machine.[1]
Enterprise T1135 Network Share Discovery

Pupy can list local and remote shared drives and folders over SMB.[1]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.[1]
Enterprise T1548.002 Bypass User Account Control Sub-technique

Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.[1]
Enterprise T1059.001 PowerShell Sub-technique

Pupy has a module for loading and executing PowerShell scripts.[1]
Enterprise T1033 System Owner/User Discovery

Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.[1]
Enterprise T1136.002 Domain Account Sub-technique

Pupy can user PowerView to execute “net user” commands and create domain accounts.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.[1]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

Pupy can use Lazagne for harvesting credentials.[1]
Enterprise T1123 Audio Capture

Pupy can record sound with the microphone.[1]
Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Pupy can migrate into another process using reflective DLL injection.[1]
Enterprise T1016 System Network Configuration Discovery

Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.[1]
Enterprise T1114.001 Local Email Collection Sub-technique

Pupy can interact with a victim’s Outlook session and look through folders and emails.[1]
Enterprise T1543.002 Systemd Service Sub-technique

Pupy can be used to establish persistence using a systemd service.[1]
Enterprise T1136.001 Local Account Sub-technique

Pupy can user PowerView to execute “net user” commands and create local system accounts.[1]
Enterprise T1547.013 XDG Autostart Entries Sub-technique

Pupy can use an XDG Autostart to establish persistence.CitationRed Canary Netwire Linux 2022
Enterprise T1083 File and Directory Discovery

Pupy can walk through directories and recursively search for strings in files.[1]
Enterprise T1082 System Information Discovery

Pupy can grab a system’s information including the OS version, architecture, etc.[1]
Enterprise T1003.001 LSASS Memory Sub-technique

Pupy can execute Lazagne as well as Mimikatz using PowerShell.[1]
Enterprise T1056.001 Keylogging Sub-technique

Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.[1]
Enterprise T1071.001 Web Protocols Sub-technique

Pupy can communicate over HTTP for C2.[1]
Enterprise T1497.001 System Checks Sub-technique

Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.[1]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client.[1]
Enterprise T1550.003 Pass the Ticket Sub-technique

Pupy can also perform pass-the-ticket.[1]
Enterprise T1557.001 Name Resolution Poisoning and SMB Relay Sub-technique

Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.[1]
Enterprise T1087.001 Local Account Sub-technique

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.[1]
Enterprise T1059.006 Python Sub-technique

Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.[1]
Enterprise T1125 Video Capture

Pupy can access a connected webcam and capture pictures.[1]
Enterprise T1685.005 Clear Windows Event Logs Sub-technique

Pupy has a module to clear event logs with PowerShell.[1]
Enterprise T1134.001 Token Impersonation/Theft Sub-technique

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[1]
Enterprise T1560.001 Archive via Utility Sub-technique

Pupy can compress data with Zip before sending it over C2.[1]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[1]
Enterprise T1003.005 Cached Domain Credentials Sub-technique

Pupy can use Lazagne for harvesting credentials.[1]
Enterprise T1003.004 LSA Secrets Sub-technique

Pupy can use Lazagne for harvesting credentials.[1]
Enterprise T1049 System Network Connections Discovery

Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.[1]
Enterprise T1555 Credentials from Password Stores

Pupy can use Lazagne for harvesting credentials.[1]
Enterprise T1057 Process Discovery

Pupy can list the running processes and get the process ID and parent process’s ID.[1]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Group Enterprise

G0064: APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

Relationship explorer

All related ATT&CK context

uses · Technique T1569.002: Service Execution Enterprise uses · Technique T1046: Network Service Discovery Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1552.001: Credentials In Files Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1135: Network Share Discovery Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1136.002: Domain Account Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise uses · Technique T1123: Audio Capture Enterprise uses · Technique T1055.001: Dynamic-link Library Injection Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1114.001: Local Email Collection Enterprise uses · Technique T1543.002: Systemd Service Enterprise uses · Technique T1136.001: Local Account Enterprise uses · Technique T1547.013: XDG Autostart Entries Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1003.001: LSASS Memory Enterprise uses · Technique T1056.001: Keylogging Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
58af2c94658cb895...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle 58af2c94658c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    GitHub Pupy

    Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

    Open source URL
  2. [2]
    mitre-attack S0192
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use