![]() It will be located in the same directory as the WinSCP.exe file. WinSCP.ini is a text file that contains configuration settings. However, the artifacts "for the win" will be the WinSCP.ini file and the SRUM database. Running WinSCP generates many of the common artifacts seen with file execution: Prefetch, shimcache, amcache, userassist etc. Most of the artifacts related to WinSCP are going to be on the host where it was run. So - now that we know WinSCP can be used in this manner, what artifacts can we find forensically to help determine what was done on both the "staging" system and the remote systems? I did some testing on some Windmachines to see what artifacts were left behind using the Portable version of WinSCP, v.5.17. However, the portable version does not store settings there. Many blog posts reference a registry key that contains settings for WinSCP. ![]() Oh - and did I mention that WinSCP comes with a portable version? The portable version makes it easy for an attacker to download and use. It's a simple task to add in one more command to install SSH and now boom - all these systems are now accessible to connect to using WinSCP. ![]() ![]() It is not uncommon for an attacker to follow the below steps once they have breached a network:Ģ) Enumerate systems to get IP addresses/Hostnamesģ) Push out PowerShell scripts to all systems en-mass that do things like disable firewalls, install backdoors and disable antivirus. Powershell Set-Service -Name sshd -StartupType 'Automatic' ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |