
Pupy Download: A Comparison with Other Open-Source RATs



Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in Python. It follows an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages and Python C-extensions from memory.


We are bringing together here a collection of open-source and commercial Red Team tools that aid in red team operations. This repository will help you with most of a red team engagement. You can also join the Certified Red Team Expert program to become a master of red team operations and understand real-world attacks.




Pupy Download – Open-Source Remote Administration Tool – RAT



Simply put, this program, which can create backdoors for various systems, can connect to remote systems, run exploits to collect data, download and upload files, escalate privileges, capture the screen, capture keystrokes, and so on. Like other similar tools, it is also perfectly suited to legitimate remote administration of systems.


By default, every command that you enter to run on remote systems (launching modules) the Pupy RAT executes immediately on all connected clients. Thanks to this, you can, for example, run mimikatz on all connected clients with one command and collect passwords everywhere at once. To display the list of sessions, run the command:


Pupy modules can transparently access remote Python objects using rpyc to perform various interactive tasks. Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure Python files, PowerShell, APK, ... When you package a payload, you can choose a launcher (connect, bind, ...), a transport (ssl, http, rsa, obfs3, scramblesuit, ...) and a number of "scriptlets". Scriptlets are Python scripts meant to be embedded to perform various tasks offline (without requiring a session), like starting a background script, adding persistence, starting a keylogger, detecting a sandbox, ...


A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool.


The main task of the kernel driver is to terminate processes associated with security products so as to bypass detection. Also incorporated in the attack chain is a local privilege escalation tool downloaded from a remote server to gain SYSTEM permissions.


The improved variant comes with support for a broadened set of 22 commands, including the ability to download bespoke payloads to capture screenshots as well as to extract a list of all installed applications and send it back to the remote server.


Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
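One way to check for this pattern over proxy or Zeek-style HTTP logs, as an added example that is not Elastic's rule and not code from the original post: the log layout, hosts and addresses below are constructed, and "internal" is assumed to mean the RFC 1918 ranges.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in a Zeek-like http.log shape (tab separated):
# ts, id.orig_h, id.resp_h, method, host, uri
SAMPLE_HTTP_LOG = """\
1700000001.1\t10.10.5.21\t203.0.113.7\tGET\tfiles.example.invalid\t/tools/stage2.rar
1700000002.2\t10.10.5.21\t203.0.113.7\tGET\tfiles.example.invalid\t/Invoke-Something.ps1
1700000003.3\t10.10.5.30\t10.10.1.4\tGET\tintranet.corp.invalid\t/scripts/backup.ps1
1700000004.4\t10.10.5.31\t198.51.100.9\tGET\tcdn.example.invalid\t/static/app.js
1700000005.5\t198.51.100.50\t10.10.5.31\tGET\tweb.corp.invalid\t/payload.rar
"""

# Assumed internal address space: RFC 1918 only (adjust to the monitored network).
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File types the rule description cares about: RAR archives and PowerShell scripts.
SUSPECT_EXTENSIONS = (".rar", ".ps1")


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_http_log(text: str) -> list:
    """Split tab-separated records into dicts; blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, host, uri = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "method": method, "host": host, "uri": uri})
    return rows


def suspicious_downloads(rows: list) -> list:
    """Flag internal hosts fetching .rar or .ps1 resources from external addresses.

    Only the URL path is inspected, so a script served via a query string
    (e.g. /get?f=x.ps1) or a renamed file is not caught by this check alone.
    """
    hits = []
    for r in rows:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # external source, or internal-to-internal traffic
        path = urlparse(r["uri"]).path.lower()
        if path.endswith(SUSPECT_EXTENSIONS):
            hits.append(r)
    return hits
```

Internal-to-internal fetches (such as the intranet backup script above) and downloads initiated from outside the network are deliberately excluded, since the rule targets the initial tool download by an internal host.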


Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.


Detects the creation or modification of a new Group Policy-based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain-joined machines.

