Find and parse ssh authorized keys files on Windows running OpenSSH service.
name: Windows.Ssh.AuthorizedKeys
author: Ján Trenčanský - j91321@infosec.exchange
description: |
Find and parse ssh authorized keys files on Windows running OpenSSH service.
reference:
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement?source=recommendations
parameters:
- name: userSshKeyFiles
default: '.ssh\authorized_keys*'
description: Glob of authorized_keys file relative to a user's home directory.
- name: adminSshKeyFiles
default: 'administrators_authorized_keys*'
description: Glob of administrator_authorized_keys
precondition: SELECT OS From info() where OS = 'windows'
type: CLIENT
sources:
- name: User Keys
query: |
LET authorized_keys = SELECT * from foreach(
row={
SELECT Uid, Name, Directory from Artifact.Windows.Sys.Users()
},
query={
SELECT OSPath, Mtime, Ctime, Uid
FROM glob(root=Directory, globs=userSshKeyFiles)
})
SELECT * from foreach(
row=authorized_keys,
query={
SELECT Uid, OSPath, Key, Comment, Mtime
FROM split_records(
filenames=OSPath, regex=" +", columns=["Type", "Key", "Comment"])
WHERE Type =~ "ssh"
})
- name: Admin Keys
query: |
LET administrators_authorized_keys = SELECT OSPath, Mtime, Ctime, Uid FROM glob(root='C:\\ProgramData\\ssh\\', globs=adminSshKeyFiles)
SELECT * from foreach(
row=administrators_authorized_keys,
query={
SELECT Uid, OSPath, Key, Comment, Mtime
FROM split_records(
filenames=OSPath, regex=" +", columns=["Type", "Key", "Comment"])
WHERE Type =~ "ssh"
})