id: pupyc2

info:
  name: PupyC2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
  reference:
    - https://twitter.com/TLP_R3D/status/1654038602282565632
    - https://github.com/n1nj4sec/pupy
  metadata:
    verified: true
    max-request: 1
    shodan-query: aa3939fc357723135870d5036b12a67097b03309
  tags: c2,ir,osint,pupyc2,panel

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'

      - type: status
        status:
          - 200
# digest: 490a00463044022060e2ba527414009da71d2b5d61b6e4ee695565b87fd1efbd0e19cb203a065986022014f66b0d9025e1ccfe5347ee0a05eea5c15dbda38766f01d394249078a4c73a8:922c64590222798bb761d5b6d8e72950