Techniques
Sample rules
Windows PuTTY Suite Utility Execution
- source: splunk
- technicques:
- T1021.004
Description
This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe. This activity is significant because these tools can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems. If identified in an unusual context, such as non-administrative accounts or unexpected systems, it may indicate attempts to bypass security controls, perform lateral movement, or exfiltrate data, which could lead to further network compromise.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name IN (
"putty.exe",
"pscp.exe",
"plink.exe",
"psftp.exe",
"puttygen.exe"
)
OR
Processes.original_file_name IN (
"PuTTY",
"PSCP",
"Plink",
"PSFTP",
"PuTTYgen"
)
)
by Processes.process Processes.vendor_product Processes.user_id
Processes.process_hash Processes.parent_process_name
Processes.parent_process_exec Processes.action Processes.dest
Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name
Processes.parent_process Processes.parent_process_path
Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id
Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_putty_suite_utility_execution_filter`