{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/putty/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["putty","lateral-movement","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of PuTTY suite utilities. The PuTTY suite includes programs like putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe, which are often leveraged for establishing remote connections, transferring files, or executing commands on remote systems. The unwarranted usage of these tools, especially when observed in unusual contexts such as non-administrative accounts or on systems where they are not typically used, can be indicative of malicious activity. Such activity may represent attempts to circumvent established security protocols, move laterally within the network, or exfiltrate sensitive data, potentially leading to broader network compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes one of the PuTTY suite utilities (putty.exe, pscp.exe, plink.exe, psftp.exe, or puttygen.exe).\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003eputty.exe\u003c/code\u003e, the attacker attempts to establish an SSH or other remote connection to a target system.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003epscp.exe\u003c/code\u003e or \u003ccode\u003epsftp.exe\u003c/code\u003e, the attacker attempts to transfer files between systems, potentially exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003eplink.exe\u003c/code\u003e, the attacker executes commands on a remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the established connection or transferred files to perform lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or achieves other malicious objectives, such as deploying ransomware or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via PuTTY suite utilities can lead to unauthorized access to sensitive systems, data exfiltration, and further propagation of attacks within the network. This could result in financial losses, reputational damage, and disruption of services. The severity of the impact depends on the level of access achieved by the attacker and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Event Logs (Security 4688) to capture the execution of PuTTY suite utilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect unusual execution of PuTTY utilities and tune for known-good administrative activities.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for SSH and other remote connections originating from unusual endpoints, as detected by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the provided Sigma rules, focusing on identifying the user, process, and destination involved in the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-putty-execution/","summary":"This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe, which can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems, potentially leading to network compromise.","title":"Detection of PuTTY Suite Utility Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-putty-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Putty","version":"https://jsonfeed.org/version/1.1"}