Detection: Windows WinSCP Configuration Security Access

Description

This analytic detects unauthorized access to the WinSCP security configuration folder by processes other than WinSCP itself. WinSCP stores sensitive SSH and FTP session credentials, including passwords and private key references, under the user profile path Martin Prikryl\WinSCP 2\Configuration\Security. Information-stealing malware such as Phantom Stealer targets this directory to harvest stored credentials for exfiltration. The detection uses Windows Security Event 4663 (Object Access) to identify any non-WinSCP process reading or accessing files within this path, which is abnormal during routine system operation. Analysts should investigate the accessing process, its parent, and any associated network activity to determine whether a credential theft attempt is underway.

 1`wineventlog_security`
 2EventCode=4663
 3object_file_path="*\\Martin Prikryl\\WinSCP 2\\Configuration\\Security*"
 4NOT process_name IN ("winscp.exe")
 5
 6
 7| stats count min(_time) as firstTime
 8              max(_time) as lastTime
 9  by object_file_name object_file_path
10     process_name process_path process_id
11     EventCode dest
12
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| `windows_winscp_configuration_security_access_filter`

Data Source

Name Platform Sourcetype Source
Windows Event Log Security 4663 Windows icon Windows 'XmlWinEventLog' 'XmlWinEventLog:Security'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_winscp_configuration_security_access_filter search *
windows_winscp_configuration_security_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1552.001 Credentials In Files Credential Access
Exploitation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."

Known False Positives

False positive may occur during backup or anti-virus scanning process. Filter as needed.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
a non winscp process [$process_name$] accessed the winscp configuration file [$object_file_path$] on $dest$. dest system 20

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Security XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Security XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub |

Version: 1