Threat Feed
medium advisory

Detection of PuTTY Suite Utility Execution

This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe. These tools can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems, potentially leading to network compromise.

This threat brief focuses on the detection of PuTTY suite utilities. The PuTTY suite includes programs such as putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe, which are often leveraged for establishing remote connections, transferring files, or executing commands on remote systems. Unwarranted usage of these tools, especially when observed in unusual contexts such as under non-administrative accounts or on systems where they are not typically used, can be indicative of malicious activity. Such activity may represent attempts to circumvent established security controls, move laterally within the network, or exfiltrate sensitive data, potentially leading to broader network compromise.

Attack Chain

  1. An attacker gains initial access to a system through various means.
  2. The attacker executes one of the PuTTY suite utilities (putty.exe, pscp.exe, plink.exe, psftp.exe, or puttygen.exe).
  3. If using putty.exe, the attacker attempts to establish an SSH or other remote connection to a target system.
  4. If using pscp.exe or psftp.exe, the attacker attempts to transfer files between systems, potentially exfiltrating sensitive data.
  5. If using plink.exe, the attacker executes commands on a remote system.
  6. The attacker leverages the established connection or transferred files to perform lateral movement within the network.
  7. The attacker attempts to escalate privileges on the target system.
  8. The attacker exfiltrates sensitive data or achieves other malicious objectives, such as deploying ransomware or establishing persistent access.

Impact

Compromise via PuTTY suite utilities can lead to unauthorized access to sensitive systems, data exfiltration, and further propagation of attacks within the network. This could result in financial losses, reputational damage, and disruption of services. The severity of the impact depends on the level of access achieved by the attacker and the sensitivity of the compromised data.

Recommendation

  • Enable process creation logging via Sysmon or Windows Event Logs (Security 4688) to capture the execution of PuTTY suite utilities.
  • Deploy the Sigma rules provided to detect unusual execution of PuTTY utilities and tune for known-good administrative activities.
  • Monitor network connections for SSH and other remote connections originating from unusual endpoints, as detected by the Sigma rule.
  • Investigate any alerts generated by the provided Sigma rules, focusing on identifying the user, process, and destination involved in the activity.

Detection coverage (3 rules)

Detect PuTTY Suite Utility Execution via Process Name

medium

Detects execution of PuTTY suite utilities based on process name.

Format: Sigma | Tactics: command_and_control, lateral_movement | Techniques: T1021.004 | Sources: process_creation, windows

Detect PuTTY Suite Utility Execution via Original Filename

medium

Detects execution of PuTTY suite utilities based on original filename.

Format: Sigma | Tactics: command_and_control, lateral_movement | Techniques: T1021.004 | Sources: process_creation, windows

Detect PuTTY Execution with Suspicious Command Line Parameters

high

Detects PuTTY execution with command line parameters often used for malicious purposes, such as specifying a non-standard port or disabling encryption.

Format: Sigma | Tactics: command_and_control, lateral_movement | Techniques: T1021.004 | Sources: process_creation, windows
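As an added illustration (not one of the platform's Sigma rules), the Python below applies the logic of the three detections above to constructed Sysmon-style process-creation events: a match on process name, a match on original filename that survives a renamed binary, and a command-line check that raises the severity. The field names (Image, OriginalFileName, CommandLine, User), the administrator allowlist used for tuning, and the choice of "-P" with a port other than 22 plus the -telnet/-rlogin/-raw protocol switches as "suspicious parameters" are assumptions of this example.

```python
import shlex
from typing import Optional

PUTTY_TOOLS = {"putty", "pscp", "plink", "psftp", "puttygen"}
PLAINTEXT_FLAGS = {"-telnet", "-rlogin", "-raw"}  # assumption: PuTTY switches selecting unencrypted protocols

def _tool_name(value: str) -> str:
    # Normalise an Image path or OriginalFileName to a bare, lower-case tool name.
    name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(event: dict, known_admins: frozenset = frozenset()) -> Optional[dict]:
    # Rule 1: process name; rule 2: original filename (catches a renamed binary).
    image, original = _tool_name(event.get("Image", "")), _tool_name(event.get("OriginalFileName", ""))
    rules = [r for r, hit in (("process_name", image in PUTTY_TOOLS),
                              ("original_filename", original in PUTTY_TOOLS)) if hit]
    if not rules:
        return None
    cmd = event.get("CommandLine", "")
    try:
        args = shlex.split(cmd, posix=False)   # non-posix keeps Windows backslashes intact
    except ValueError:                          # unbalanced quotes in the command line
        args = cmd.split()
    findings = []
    for i, arg in enumerate(args):              # rule 3: suspicious command-line parameters
        if arg == "-P" and i + 1 < len(args) and args[i + 1] != "22":
            findings.append("non_standard_port")
        elif arg.lower() in PLAINTEXT_FLAGS:
            findings.append("plaintext_protocol")
    if findings:
        rules.append("suspicious_cmdline")
    if event.get("User", "") not in known_admins:
        findings.append("non_admin_account")    # triage context, per the tuning advice above
    return {"tool": image if image in PUTTY_TOOLS else original, "rules": rules,
            "findings": findings, "severity": "high" if "suspicious_cmdline" in rules else "medium"}

def run_detections(events, known_admins=frozenset()):
    return [a for a in (classify(e, known_admins) for e in events) if a]

# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\plink.exe", "OriginalFileName": "Plink", "User": r"CORP\bob",
     "CommandLine": r'"C:\Tools\plink.exe" -P 2222 user@10.0.0.5 hostname'},
    {"Image": r"C:\Users\bob\svchost.exe", "OriginalFileName": "PuTTY", "User": r"CORP\bob",
     "CommandLine": r'"C:\Users\bob\svchost.exe"'},
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "User": r"CORP\bob",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Program Files\PuTTY\pscp.exe", "OriginalFileName": "PSCP", "User": r"CORP\itadmin",
     "CommandLine": r'"C:\Program Files\PuTTY\pscp.exe" report.txt admin@10.0.0.9:/tmp/'},
]
```

Windows Security event 4688 carries the executable under a different field name and only includes the command line when that audit setting is enabled, so the field mapping needs adjusting for that source.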
