Overview
The WinSCP Profile Breadcrumb creates a saved WinSCP session that points to a Canary running FTP.
Attackers often inspect saved WinSCP sessions on compromised Windows systems while searching for accessible servers, file transfer workflows, or operational infrastructure. Placing a believable WinSCP profile on systems an attacker is likely to explore can help steer reconnaissance and file-access activity toward your Canaries.
Placement Ideas
Good locations for WinSCP Profile Breadcrumbs include:
- Windows administrator workstations: Place profiles on systems used to manage Linux servers or transfer files between environments.
- Jump boxes or bastion hosts: Place profiles within operational accounts or on systems used to access internal infrastructure.
- Deployment or automation systems: Place profiles on build servers, utility systems, or operational hosts where automated file transfers would be expected.
Follow the steps below to create a WinSCP Profile Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm FTP is enabled on the Canary
Click the Canary you want to use for the WinSCP Profile Breadcrumb. Confirm that the FTP service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that FTP is enabled, open the Breadcrumbs tile to create and download the WinSCP Profile Breadcrumb.
Step 4: Select the Breadcrumb
Select WinSCP Profile from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the Office-NAS-02 Canary.
Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb .reg file.
The download section contains the following:
- crumb – Displays the Windows Registry entries that will create the saved WinSCP session.
- Download Breadcrumb – Downloads a .reg file containing all the information required to deploy the WinSCP Profile Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
- Copy the downloaded .reg file to the target Windows host.
- Right-click the .reg file and select Merge.
- Select Yes when prompted to allow the Registry changes.
The saved WinSCP session is now available on the host.
In this example, the imported Breadcrumb creates a saved WinSCP session named Office-NAS-02, which is now visible in the Stored Sessions list alongside other saved WinSCP sessions.
You must have administrative privileges on the target host to import the .reg file.
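To confirm the merge in Step 7 took effect, the following added example (an illustration written for this page, not part of the Canary Console or WinSCP) parses the downloaded .reg file and checks that every value it defines is present in the registry as seen by the account running it. The `$RegFile` parameter and the function names are assumptions of the example.

```powershell
# Added example (not vendor code): confirm a merged breadcrumb .reg file landed in the registry.
# $RegFile is an assumed parameter name; pass the path of the file downloaded in Step 6.
param([Parameter(Mandatory)][string]$RegFile)

function Get-RegFileEntry {
    param([string]$Path)
    $key = $null
    # Get-Content detects the UTF-16 BOM that regedit-format files normally carry.
    foreach ($line in Get-Content -LiteralPath $Path) {
        # A [KEY] header starts a new key; [-KEY] (key deletion) is skipped.
        if ($line -match '^\[(?<key>[^-].*)\]\s*$') { $key = $Matches.key; continue }
        if ($key -and $line -match '^"(?<name>(?:[^"\\]|\\.)*)"=(?<data>.*)$') {
            [pscustomobject]@{ Key = $key; Name = $Matches.name; Data = $Matches.data.Trim() }
        }
    }
}

function ConvertFrom-RegData {
    param([string]$Data)
    if ($Data -match '^dword:(?<hex>[0-9a-fA-F]{8})$') {
        return [int64][Convert]::ToUInt32($Matches.hex, 16)
    }
    if ($Data -match '^"(?<s>.*)"$') {
        return ($Matches.s -replace '\\(["\\])', '$1')   # undo .reg escaping of \ and "
    }
    return $null   # hex: and other types are reported as present but not compared
}

$results = foreach ($e in Get-RegFileEntry -Path $RegFile) {
    $expected = ConvertFrom-RegData -Data $e.Data
    # HKEY_CURRENT_USER keys resolve to the hive of the account running this script.
    $item = Get-ItemProperty -LiteralPath "Registry::$($e.Key)" -ErrorAction SilentlyContinue
    $prop = if ($item) { $item.PSObject.Properties[$e.Name] }
    $status = if (-not $prop) { 'MISSING' }
    elseif ($null -eq $expected) { 'PRESENT (not compared)' }
    elseif ($expected -is [int64]) {
        # Registry DWORDs come back as signed Int32; mask to compare as unsigned.
        if (([int64]$prop.Value -band 4294967295) -eq $expected) { 'OK' } else { 'MISMATCH' }
    }
    elseif ([string]$prop.Value -ceq $expected) { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{ Key = $e.Key; Value = $e.Name; Status = $status }
}

$results | Format-Table -AutoSize -Wrap
if (-not $results -or ($results.Status -match 'MISSING|MISMATCH')) { exit 1 }
```

Run it as the account whose Stored Sessions list should show the Breadcrumb. A non-zero exit code means at least one value from the .reg file is missing or differs from what is in the registry.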
Alerts
Alert Type: FTP Login Attempt
This is the standard FTP Login Attempt alert generated by the Canary.
The alert contains the FTP connection details associated with the login attempt, including the username and credentials used, source IP address, and additional alert information.
You’ve made it!