Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.^[1]

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.^[1]

Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.^[1]

Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.^[1]

Pupy can communicate over HTTP for C2.^[1]

Pupy can compress data with Zip before sending it over C2.^[1]

Pupy can record sound with the microphone.^[1]

Pupy adds itself to the startup folder or adds itself to the Registry keySOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.^[1]

Pupy can use an XDG Autostart to establish persistence.^[2]

Pupy has a module for loading and executing PowerShell scripts.^[1]

Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts ("scriptlets") to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.^[1]

Pupy can user PowerView to execute "net user" commands and create local system accounts.^[1]

Pupy can user PowerView to execute "net user" commands and create domain accounts.^[1]

Pupy can be used to establish persistence using a systemd service.^[1]

Pupy can use Lazagne for harvesting credentials.^[1]

Pupy can use Lazagne for harvesting credentials.^[1]

Pupy can interact with a victim’s Outlook session and look through folders and emails.^[1]

Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.^[1]

Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.^[1]

Pupy can walk through directories and recursively search for strings in files.^[1]

Pupy has a module to clear event logs with PowerShell.^[1]

Pupy can upload and download to/from a victim machine.^[1]

Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.^[1]

Pupy has a built-in module for port scanning.^[1]

Pupy can list local and remote shared drives and folders over SMB.^[1]

Pupy can execute Lazagne as well asMimikatz using PowerShell.^[1]

Pupy can use Lazagne for harvesting credentials.^[1]

Pupy can use Lazagne for harvesting credentials.^[1]

Pupy can list the running processes and get the process ID and parent process’s ID.^[1]

Pupy can migrate into another process using reflective DLL injection.^[1]

Pupy can enable/disable RDP connection and can start a remote desktop session using a browser web socket client.^[1]

Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.^[1]

Pupy can grab a system’s information including the OS version, architecture, etc.^[1]

Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.^[1]

Pupy has a built-in utility command fornetstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.^[1]

Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.^[1]

Pupy usesPsExec to execute a payload or commands on a remote host.^[1]

Pupy can use Lazagne for harvesting credentials.^[1]

Pupy can also perform pass-the-ticket.^[1]

Pupy can access a connected webcam and capture pictures.^[1]

Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.^[1]

^[3][4][5]

^[6]