Determine SSH Servers Users Connected To
User Activity, Active Machines
SSH is a popular and practical management protocol for system administrators and nefarious users alike. In windows systems, the multifaceted terminal client, PuTTY, does not log by default but conditionally stores ssh host keys within the registry. This information can be beneficial to an analyst during a relevant incident/investigation to ascertain historical attributes about user activity and server authenticity.
Contained within the user’s NTUSER.DAT hive, the subkeys (outlined below) have the following syntax which are indicative of a successful SSH connection but not a successful SSH login:
The Last Write Time value of the NTUSER.DAT/Software/SimonTatham/SshHostKeys corresponds to the time the last ssh server was first connected to, as opposed to the last time the user had ssh’d to the server. If a user has connected to a server multiple times, these keys are not updated, in this event network logs are a more suitable quantitative source.
If a user chooses to save their PuTTY profile (connection preferences, servers, logs, etc), it will be stored under the NTUSER.DAT/Software/SimonTatham/Sessions.
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/SshHostKeys -> Subkeys correspond to successful SSH connections but not SSH logins.
To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/Sessions -> Subkeys will correspond to profiles user created.