SSH

Key Points

SSH-Related Processes:
- Source Host: Processes like ssh.exe or third-party SSH client executables.
- Destination Host: The SSH server process, typically sshd, handles incoming SSH connections.
Important Registry Keys and Configuration Files:
- Source Host: Registry keys for third-party SSH clients (e.g., PuTTY stores sessions in HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions).
- Destination Host: Configuration file sshd_config located in the SSH installation directory.
Event Log Analysis:
- Windows does not natively log SSH connections in Event Viewer. However, third-party SSH server logs on the destination host can provide connection details.
Alternate Secure Access Methods:
- Awareness of other secure access methods like OpenVPN or WireGuard used for secure connections.
Security Configuration:
- Implementing strict access control and monitoring on SSH usage, especially for administrative access.
Artifact Locations:
- Locating SSH client and server logs, configuration files, and relevant registry entries is crucial for thorough forensic investigation.

Considerations

Security Implications: Unauthorized SSH access is a potential method for data exfiltration and lateral movement in cyber attacks.
Limited Windows Logging: Native Windows Event Logs do not typically record SSH activities, necessitating reliance on third-party logs and tools for monitoring.
Encryption: SSH encrypts all traffic, including login credentials, making network-based detection more challenging.

Technical Explanations

SSH on Windows

Windows 10 and Later: Integrated OpenSSH client (ssh.exe) and server (sshd).
Third-Party Applications: Applications like PuTTY, WinSCP, and Bitvise SSH Client are commonly used.

Log Analysis

SSH Server Logs: On the destination host, sshd logs can be found in the installation directory, providing details on connections, authentication, and errors.
Client Logs: Some SSH clients maintain logs of connection attempts and sessions.

Security Settings

Configuration Best Practices:
- Restricting SSH access to specific users and groups.
- Disabling root login over SSH.
- Using key-based authentication instead of passwords.
Monitoring and Auditing:
- Implementing centralized logging and monitoring solutions for SSH activities.

Example Logs

SSH Server Log Entry:

Accepted password for user1 from 192.168.1.100 port 54022 ssh2
Session opened for user user1 by (uid=0)

PuTTY Session Registry Entry:

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\session_name
"HostName"="192.168.1.100"
"UserName"="user1"

Example Command Lines

Starting an SSH Session (Client):

ssh.exe user1@192.168.1.100

Basic Connection

putty.exe -ssh username@hostname

Specifying a port

putty.exe -ssh username@hostname -P portnumber

Using a Private Key

putty.exe -ssh username@hostname -i C:\path\to\private_key.ppk

Saving Session Information

putty.exe -load "session_name"

Enabling X11 Forwarding
- X11 forwarding is a feature of the SSH (Secure Shell) protocol that enables the graphical output of an application running on a remote server to be displayed on a local client machine.

putty.exe -ssh username@hostname -X

PreviousDestination System Artifacts - Quick Reference NextRouge Local Accounts

Last updated 1 year ago

Was this helpful?

SSH

Key Points

SSH-Related Processes:
- Source Host: Processes like ssh.exe or third-party SSH client executables.
- Destination Host: The SSH server process, typically sshd, handles incoming SSH connections.
Important Registry Keys and Configuration Files:
- Source Host: Registry keys for third-party SSH clients (e.g., PuTTY stores sessions in HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions).
- Destination Host: Configuration file sshd_config located in the SSH installation directory.
Event Log Analysis:
- Windows does not natively log SSH connections in Event Viewer. However, third-party SSH server logs on the destination host can provide connection details.
Alternate Secure Access Methods:
- Awareness of other secure access methods like OpenVPN or WireGuard used for secure connections.
Security Configuration:
- Implementing strict access control and monitoring on SSH usage, especially for administrative access.
Artifact Locations:
- Locating SSH client and server logs, configuration files, and relevant registry entries is crucial for thorough forensic investigation.

Considerations

Security Implications: Unauthorized SSH access is a potential method for data exfiltration and lateral movement in cyber attacks.
Limited Windows Logging: Native Windows Event Logs do not typically record SSH activities, necessitating reliance on third-party logs and tools for monitoring.
Encryption: SSH encrypts all traffic, including login credentials, making network-based detection more challenging.

Technical Explanations

SSH on Windows

Windows 10 and Later: Integrated OpenSSH client (ssh.exe) and server (sshd).
Third-Party Applications: Applications like PuTTY, WinSCP, and Bitvise SSH Client are commonly used.

Log Analysis

SSH Server Logs: On the destination host, sshd logs can be found in the installation directory, providing details on connections, authentication, and errors.
Client Logs: Some SSH clients maintain logs of connection attempts and sessions.

Security Settings

Configuration Best Practices:
- Restricting SSH access to specific users and groups.
- Disabling root login over SSH.
- Using key-based authentication instead of passwords.
Monitoring and Auditing:
- Implementing centralized logging and monitoring solutions for SSH activities.

Example Logs

SSH Server Log Entry:

Accepted password for user1 from 192.168.1.100 port 54022 ssh2
Session opened for user user1 by (uid=0)

PuTTY Session Registry Entry:

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\session_name
"HostName"="192.168.1.100"
"UserName"="user1"

Example Command Lines

Starting an SSH Session (Client):

ssh.exe user1@192.168.1.100

Basic Connection

putty.exe -ssh username@hostname

Specifying a port

putty.exe -ssh username@hostname -P portnumber

Using a Private Key

putty.exe -ssh username@hostname -i C:\path\to\private_key.ppk

Saving Session Information

putty.exe -load "session_name"

Enabling X11 Forwarding
- X11 forwarding is a feature of the SSH (Secure Shell) protocol that enables the graphical output of an application running on a remote server to be displayed on a local client machine.

putty.exe -ssh username@hostname -X

PreviousDestination System Artifacts - Quick Reference NextRouge Local Accounts

Last updated 1 year ago

Was this helpful?