id: pupyc2

info:
  name: PupyC2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.
  reference:
    - https://twitter.com/TLP_R3D/status/1654038602282565632
    - https://github.com/n1nj4sec/pupy
  metadata:
    verified: true
    max-request: 1
    shodan-query: aa3939fc357723135870d5036b12a67097b03309
  tags: c2,ir,osint,pupyc2,panel

http:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Etag: "aa3939fc357723135870d5036b12a67097b03309"'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100fa71c1e22038c75eaf6c497340b1f33ecf41c7228c34fc55da3435f5aab87c630221009364ce11f0b2a1d097c1cf72429d5c9f8ca31a489b740af6e2a89ec7338c2a84:922c64590222798bb761d5b6d8e72950