Techniques
Sample rules
Windows WinSCP Configuration Security Access
- source: splunk
- techniques:
Description
This analytic detects unauthorized access to the WinSCP security configuration folder by processes other than WinSCP itself. WinSCP stores sensitive SSH and FTP session credentials, including passwords and private key references, under the user profile path Martin Prikryl\WinSCP 2\Configuration\Security. Information-stealing malware such as Phantom Stealer targets this directory to harvest stored credentials for exfiltration. The detection uses Windows Security Event 4663 (Object Access) to identify any non-WinSCP process reading or accessing files within this path, which is abnormal during routine system operation. Analysts should investigate the accessing process, its parent, and any associated network activity to determine whether a credential theft attempt is underway.
Detection logic
`wineventlog_security` EventCode=4663
    object_file_path="*\\Martin Prikryl\\WinSCP 2\\Configuration\\Security*"
    NOT process_name IN ("winscp.exe")
| stats count min(_time) as firstTime max(_time) as lastTime
    by object_file_name object_file_path process_name process_path process_id EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_winscp_configuration_security_access_filter`
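The same filter and `stats` aggregation as the SPL above, as an added Python example (not from the Splunk project) run over constructed 4663 records; the host name, timestamps, file names and every process name other than winscp.exe are made up for illustration.

```python
import fnmatch
from collections import defaultdict

# Wildcard path and process allow-list taken from the SPL search above.
SECURITY_PATH_PATTERN = r"*\Martin Prikryl\WinSCP 2\Configuration\Security*"
ALLOWED_PROCESSES = {"winscp.exe"}
GROUP_FIELDS = ("object_file_name", "object_file_path", "process_name",
                "process_path", "process_id", "EventCode", "dest")

# Constructed sample events, not real telemetry. Field names follow the analytic.
SEC_DIR = r"C:\Users\alice\AppData\Roaming\Martin Prikryl\WinSCP 2\Configuration\Security"
OTHER_DIR = r"C:\Users\alice\AppData\Roaming\Other"

def ev(t, code, path, proc, proc_path, pid):
    """Build one 4663-style record with the fields the analytic groups by."""
    return {"_time": t, "EventCode": code, "dest": "ws01",
            "object_file_name": path.rsplit("\\", 1)[-1], "object_file_path": path,
            "process_name": proc, "process_path": proc_path, "process_id": pid}

SAMPLE_EVENTS = [
    # WinSCP itself touching its own store: allow-listed
    ev(1714557600, 4663, SEC_DIR + r"\sessions.ini", "WinSCP.exe",
       r"C:\Program Files (x86)\WinSCP\WinSCP.exe", 4120),
    # Unknown binary from Temp reading the store twice: should be reported once, count 2
    ev(1714557660, 4663, SEC_DIR + r"\sessions.ini", "updater.exe",
       r"C:\Users\alice\AppData\Local\Temp\updater.exe", 7788),
    ev(1714557720, 4663, SEC_DIR + r"\sessions.ini", "updater.exe",
       r"C:\Users\alice\AppData\Local\Temp\updater.exe", 7788),
    # Unrelated path: not in scope
    ev(1714557780, 4663, OTHER_DIR + r"\config.xml", "explorer.exe",
       r"C:\Windows\explorer.exe", 1204),
    # Handle request (4656) rather than object access (4663): not in scope
    ev(1714557840, 4656, SEC_DIR + r"\sessions.ini", "updater.exe",
       r"C:\Users\alice\AppData\Local\Temp\updater.exe", 7788),
]

def matches_security_path(path):
    # Splunk's wildcard match on the field is case-insensitive; lowercase both sides.
    return fnmatch.fnmatchcase(path.lower(), SECURITY_PATH_PATTERN.lower())

def is_suspicious(event):
    return (event["EventCode"] == 4663
            and matches_security_path(event["object_file_path"])
            and event["process_name"].lower() not in ALLOWED_PROCESSES)

def detect(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by ...`."""
    groups = defaultdict(list)
    for e in events:
        if is_suspicious(e):
            groups[tuple(e[f] for f in GROUP_FIELDS)].append(e["_time"])
    return [dict(zip(GROUP_FIELDS, key), count=len(ts), firstTime=min(ts), lastTime=max(ts))
            for key, ts in groups.items()]
```

Running `detect(SAMPLE_EVENTS)` yields a single row for updater.exe with count 2, mirroring what the SPL would return for these records.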