Windows.Registry.PuttyHostKeys

This artifact extracts PuTTY SSH host keys.

As a security measure PuTTY and its companion utilities PSCP, PSFTP, and Plink records the host key for each server connected to, in the Windows Registry.

  • Output KeyName: ssh-ed12345@22:27.27.27.27
  • To search for a specific IP: TargetKeyName =~ ‘:<IP>$’
  • To search for a specific PORT: TargetKeyName =~ ‘@<PORT>:.+$’

name: Windows.Registry.PuttyHostKeys
author: Matt Green - @mgreen27
description: |
   This artifact extracts PuTTY SSH host keys.
   
   As a security measure PuTTY and its companion utilities PSCP, PSFTP, and Plink 
   records the host key for each server connected to, in the Windows Registry.
   
   - Output KeyName: ssh-ed12345@22:27.27.27.27
   - To search for a specific IP: TargetKeyName =~ ':\<IP\>$'
   - To search for a specific PORT: TargetKeyName =~ '@\<PORT\>:.+$'
   
   
type: CLIENT

parameters:
   - name: KeyGlob
     default: Software\SimonTatham\Putty\SshHostKeys\**
   - name: TargetUser
     default: .
   - name: TargetKeyName
     default: .
   - name: TargetKeyValue
     default: .

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows' 

    query: |
      LET HKEY_USERS <= pathspec(path_type="registry", Path="HKEY_USERS")

      SELECT 
        Mtime,
        Username,
        OSPath.Basename AS KeyName,
        Data.value AS KeyValue,
        HKEY_USERS + UUID + OSPath.Dirname AS Key,
        OSPath.DelegatePath AS SourcePath
      FROM Artifact.Windows.Registry.NTUser(KeyGlob=KeyGlob,userRegex=TargetUser)
      WHERE KeyName =~ TargetKeyName
        AND KeyValue =~ TargetKeyValue