Overview
The PuTTY Profile Breadcrumb creates a saved PuTTY session that points to a Canary running SSH.
Attackers commonly inspect saved PuTTY sessions on compromised Windows systems while looking for additional hosts they can access. Placing a believable saved session on systems an attacker is likely to explore can help steer reconnaissance and lateral movement toward your Canaries.
Placement Ideas
Good locations for PuTTY Profile Breadcrumbs include:
- Windows administrator workstations: Place saved sessions on systems where administrators regularly use PuTTY to access Linux servers, network devices, or other infrastructure over SSH.
- Jump boxes or bastion hosts: Place profiles within shared operational accounts or on systems used to access internal infrastructure.
- IT support or operations systems: Place profiles on systems used for troubleshooting, infrastructure support, or remote administration where saved PuTTY sessions would be expected.
Follow the steps below to create a PuTTY Profile Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm SSH is enabled on the Canary
Click the Canary you want to use for the PuTTY Profile Breadcrumb and confirm that the SSH service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that SSH is enabled, open the Breadcrumbs tile to create and download the PuTTY Profile Breadcrumb.
Step 4: Select the Breadcrumb
Select PuTTY Profile from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
- Select the Canary from the drop-down list. In this example, we have selected the JHB-Router Canary.
- Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb .reg file.
The download section contains the following:
- crumb - Displays the Windows Registry entries that will create the saved PuTTY session.
- Download Breadcrumb - Downloads a .reg file containing all the information required to deploy the PuTTY Profile Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
Copy the downloaded .reg file to the target Windows host and import it into the Windows Registry.
In this example, the imported Breadcrumb creates a saved PuTTY session named JHB-Router, which is now visible in the Saved Sessions list.
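One way to script Step 7 and confirm the result, as an added example that is not part of the original page or the vendor's tooling. It assumes the downloaded file is named putty-breadcrumb.reg (a placeholder) and that the Breadcrumb writes to PuTTY's standard per-user location, HKCU\Software\SimonTatham\PuTTY\Sessions.

```powershell
# Added example: import a PuTTY Profile Breadcrumb and verify the saved session.
# Assumptions: the .reg file name is a placeholder; the session name is the
# JHB-Router example used on this page.
$ErrorActionPreference = 'Stop'

$RegFile     = '.\putty-breadcrumb.reg'   # placeholder file name
$SessionName = 'JHB-Router'               # session name from the example above

# Fails early if the file was not copied to this host.
$RegPath = (Resolve-Path -LiteralPath $RegFile).Path

# PuTTY keeps saved sessions per user, so run this as the account whose
# Saved Sessions list should show the Breadcrumb (not as a different admin user).
$proc = Start-Process -FilePath 'reg.exe' `
    -ArgumentList 'import', "`"$RegPath`"" `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "reg.exe import failed with exit code $($proc.ExitCode)"
}

# PuTTY percent-encodes some characters in session key names (a space is
# stored as %20), so decode each key name before comparing.
$sessionsRoot = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
$key = Get-ChildItem -Path $sessionsRoot |
    Where-Object { [uri]::UnescapeDataString($_.PSChildName) -eq $SessionName }
if (-not $key) {
    throw "Saved session '$SessionName' not found for user $env:USERNAME"
}

# Show where the session points so it can be checked against the Canary.
$session = Get-ItemProperty -Path $key.PSPath
[pscustomobject]@{
    User     = $env:USERNAME
    Session  = $SessionName
    HostName = $session.HostName
    Port     = $session.PortNumber
    Protocol = $session.Protocol
}

if ([string]::IsNullOrWhiteSpace($session.HostName)) {
    Write-Warning "Session '$SessionName' has no HostName value; re-download the Breadcrumb."
}
```

Compare the HostName in the output with the address of the Canary selected in Step 5 before leaving the Breadcrumb in place.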
Alerts
Alert Type: SSH Login Attempt
This is the standard SSH Login Attempt alert generated by the Canary.
The alert contains the SSH connection details associated with the login attempt, including the username and credentials used, source IP address, SSH client version, and additional alert information.
You’ve made it!