A common way for an attacker to move laterally within an environment is to use RDP. Forensically, we can use artifacts such as shellbags, link files and jumplists on the remote system to see what the attacker accessed when they used RDP into the system.
Alternatively, an attacker can access a system remotely by using WinSCP. By using the WinSCP program, an attacker can browse folders and files on a remote system, copy them back to the system they are currently on, and also search the remote system for files.
We will be working on a scenario where the attacker has already compromised a system on the network and is using WinSCP to browse to other computers on the same network. In this case, they could browse to HR systems looking for tax information, Servers looking for databases or Workstations looking for IP data.
In comparison to RDP, when using WinSCP, very few artifacts are left on what they were doing on the remote system because attackers are not using the Windows Explorer shell. They can even open up remote documents from within a WinSCP text editor.
Starting with Windows 10 1809 and Sever 2019, FTP/SSH is part of the optional features that can be easily installed on Windows. A simple PowerShell command can install it. Furthermore, it automatically creates a firewall rule and adds an SSH user.
powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
powershell Start-Service sshd
An attacker commonly follows the below steps right after they breach a network:
1) Dump admin credentials
2) Enumerate systems to get IP addresses/Hostnames
3) Push out PowerShell scripts to all systems en-mass that do things such as disable firewalls, install backdoors and disable antivirus.
Now that the “command to install SSH” task has been added, all these systems are accessible to connect to using WinSCP.
The most interesting thing about WinSCP is that it comes with a portable version. The portable version makes it easy for an attacker to download and use. Many blog posts reference a registry key that contains settings for the program. However, the portable version does not store settings there.
Forensically finding artifacts to help determine what was done on both the “staging” system and the remote systems on Windows 10 1909:
Most of the artifacts related to WinSCP are located on the host where it was run. Running the program generates many of the common artifacts seen with file execution (Prefetch, shimcache, amcache, userassist, etc). However, the most important artifacts are the WinSCP.ini file and the SRUM database.
WinSCP.ini is a text file that contains configuration settings. It is located in the same directory as the WinSCP.exe file. At the end of a WinSCP session, the user is prompted to save their workspace:
WinSCP saves valuable information in the WinSCP.ini file that can be useful to the investigation. This includes systems connected to, usernames, places on the local system where files were saved from the remote system, and the last path that was accessed on the local system.
Examples of each of these configuration sections:
Files have been saved in these folders:
Last folder opened on the local system:
If the session settings are saved, you get a bonus section called Sessions, with the saved session name. The default is “My Workspace”. This saves the last local directory and remote directory, along with a password.
The WinSCP.ini file appears to be updated when the session closes. As such, using the last modified date of the WinSCP.ini file with a prefetch timestamp could give you an idea of how long the last session was.
Looking at this WinSCP.ini file can help an examiner determine what an attacker may have been browsing to on a remote system, and what they may have saved on the local system, even if it was deleted afterwards.
The SRUM database collects information every hour on network usage on a per-application basis. It can be an excellent resource for figuring how much data have been coied/downloaded using WinSCP.
WinSCP Remote System Artifacts
To determine whether WinSCP was used to browse a remote system using WinSCP, you can look for several things: Event log entries, evidence of OpenSSH being installed, and file system timestamps. WinSCP can use any FTP/SSH server to connect to. If you suspect WinSCP may have been used, your artifacts may vary.
1. OpenSSH artifacts
In order for WinSCP to connect to a system, an FTP or SSH server must be running to accept the connection. Look for artifacts indicating these services exist. For OpenSSH, look for c:/Windows/System32/OpenSSH/sshd.exe, SSHD.exe prefetch files, and the sshd.exe service. Timestamps associated with these entries may help determine the first time the attacker used it to connect.
Username : sshd 
SID : S-1-5-21-1445295406-4253784506-242647837-1003
Full Name : sshd
User Comment :
Account Type :
Account Created : Sun Feb 23 06:48:08 2020 Z
Last Login Date : Never
Pwd Reset Date : Sun Feb 23 06:48:08 2020 Z
Pwd Fail Date : Never
Login Count : 0
–> Password does not expire
–> Normal user account
2. Event Log Entries
Tthere is an Event ID 4624 associated with the WinSCP client login. The login is a type 5 with the account name sshd_1860 and the domain of VIRTUAL USERS, and the process of sshd.exe:
This is followed by an entry in the OpenSSH Operational event log that records the connecting IP address and account used by WinSCP to connect:
Once logged in, the attacker can use the program to effectively browse through folders, and even open up files via WinSCP barely leaving any trace on the remote system. An indication this was occurring was that accessed dates were changed on folders and files clicked on or copied. However, access dates are NOT a reliable artifact to use when concluding and must be used with other corroborating artifacts.
Below is an example of files and folders that were copied: