Windows WinSCP Configuration Security Access

Splunk Security Content

Summary
Detects unauthorized access to WinSCP's security configuration storage by processes other than WinSCP itself. WinSCP stores sensitive session credentials (passwords and private key references) under the user profile at Martin Prikryl\WinSCP 2\Configuration\Security. The rule uses Windows Security Event 4663 (Object Access) to flag reads or other accesses of files within this path by non-WinSCP processes, which is anomalous during normal operation. The detection matches on the object_file_path pattern, excludes accesses by winscp.exe, and aggregates results by the target file and the accessing process. The pipeline extracts timestamps and file/process context to aid investigation. This activity aligns with credential theft tactics in which attackers harvest stored credentials (as seen with Phantom Stealer) and maps to MITRE ATT&CK T1552.001. Analysts should examine the offending process, its parent, and any associated network activity to determine whether a credential theft attempt is underway.
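The detection logic described above, run over constructed Event 4663 records, as an added example that is not the Splunk Security Content search itself; the record field names and sample paths are assumptions chosen to mirror the summary.

```python
from dataclasses import dataclass

# Normalized form of the 4663 fields the rule relies on: the path that was
# matched, lowercased. Constructed for this example; not Splunk's CIM names.
SECURITY_CONFIG_PATH = "\\martin prikryl\\winscp 2\\configuration\\security\\"

@dataclass(frozen=True)
class Event4663:
    time: str
    user: str
    process_name: str      # full image path of the accessing process (4663 "Process Name")
    object_file_path: str  # file that was accessed (4663 "Object Name")

# Constructed sample events: one legitimate WinSCP read, two reads by another
# process, and one unrelated file access that must not match.
CONSTRUCTED_EVENTS = [
    Event4663("2024-05-01T09:00:01Z", "alice", r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
              r"C:\Users\alice\AppData\Roaming\Martin Prikryl\WinSCP 2\Configuration\Security\sessions.ini"),
    Event4663("2024-05-01T09:02:10Z", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\Martin Prikryl\WinSCP 2\Configuration\Security\sessions.ini"),
    Event4663("2024-05-01T09:02:11Z", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\Martin Prikryl\WinSCP 2\Configuration\Security\sessions.ini"),
    Event4663("2024-05-01T09:05:00Z", "alice", r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\Documents\notes.txt"),
]

def is_suspicious(ev: Event4663) -> bool:
    """True when a process other than winscp.exe touches a file under the Security path."""
    if SECURITY_CONFIG_PATH not in ev.object_file_path.lower():
        return False
    # The exclusion is by image basename, as the rule describes. Comparing against
    # the expected WinSCP install path instead would make the exclusion tighter.
    return ev.process_name.rsplit("\\", 1)[-1].lower() != "winscp.exe"

def aggregate(events):
    """Group hits by (object_file_path, process_name) with first/last time, count and users."""
    hits = {}
    for ev in filter(is_suspicious, events):
        key = (ev.object_file_path, ev.process_name)
        h = hits.setdefault(key, {"count": 0, "first_time": ev.time, "last_time": ev.time, "users": set()})
        h["count"] += 1
        h["first_time"] = min(h["first_time"], ev.time)
        h["last_time"] = max(h["last_time"], ev.time)
        h["users"].add(ev.user)
    return hits

if __name__ == "__main__":
    for (path, proc), h in aggregate(CONSTRUCTED_EVENTS).items():
        print(f"{h['first_time']}..{h['last_time']} {proc} -> {path} x{h['count']} users={sorted(h['users'])}")
```

Only the two PowerShell reads survive, collapsed into a single row keyed by file and process, which is the shape an analyst would pivot from to the parent process and network activity.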
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1552.001
Created: 2026-07-01