| ID | Technique | Tactic |
|---|---|---|
| T1552.001 | Credentials In Files | Credential Access |
Detection: Windows WinSCP Configuration Security Access
Description
This analytic detects unauthorized access to the WinSCP security configuration folder by processes other than WinSCP itself. WinSCP stores sensitive SSH and FTP session credentials, including passwords and private key references, under the user profile path Martin Prikryl\WinSCP 2\Configuration\Security. Information-stealing malware such as Phantom Stealer targets this directory to harvest stored credentials for exfiltration. The detection uses Windows Security Event 4663 (Object Access) to identify any non-WinSCP process reading or accessing files within this path, which is abnormal during routine system operation. Analysts should investigate the accessing process, its parent, and any associated network activity to determine whether a credential theft attempt is underway.
Search
1`wineventlog_security`
2EventCode=4663
3object_file_path="*\\Martin Prikryl\\WinSCP 2\\Configuration\\Security*"
4NOT process_name IN ("winscp.exe")
5
6
7| stats count min(_time) as firstTime
8 max(_time) as lastTime
9 by object_file_name object_file_path
10 process_name process_path process_id
11 EventCode dest
12
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| `windows_winscp_configuration_security_access_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 | 'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_winscp_configuration_security_access_filter | search * |
windows_winscp_configuration_security_access_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
Known False Positives
False positive may occur during backup or anti-virus scanning process. Filter as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| a non winscp process [$process_name$] accessed the winscp configuration file [$object_file_path$] on $dest$. | dest | system | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Security |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1