Merge PR #5414 from @swachchhanda000 - Add Indirect Command Execution via SFTP ProxyCommand

new: Indirect Command Execution via SFTP ProxyCommand --------- Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2026-04-28 02:11:12 +05:45
parent f627ff2270
commit ff107c3fe1
4 changed files with 105 additions and 0 deletions
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-19T07:30:22.106629Z"
+        }
+      },
+      "EventRecordID": 47015,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-19 07:30:22.083",
+      "ProcessGuid": "0197231E-A60E-69BB-A327-000000000800",
+      "ProcessId": 7932,
+      "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
+      "FileVersion": "9.5.2.1",
+      "Description": "-",
+      "Product": "OpenSSH for Windows",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "sftp  -o ProxyCommand=\"cmd /c c:\\windows\\system32\\calc.exe\" .",
+      "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v10.0A\\bin\\NETFX 4.8.1 Tools\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=24DB76A8F7C8487F76717912EFE9EACA,SHA256=59AC03B1BC557C8FC9C5FD3B5E653A2D8FA442A2258D7929F3BE7C017765A66D,IMPHASH=931A2C9F5941734CE383B10D0ADE83FD",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
@@ -0,0 +1,13 @@
+id: 91d062f3-6256-4859-9f3f-bf2d01f32340
+description: N/A
+date: 2026-03-19
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
+      title: Indirect Command Execution via SFTP ProxyCommand
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx
@@ -0,0 +1,26 @@
+title: Indirect Command Execution via SFTP ProxyCommand
+id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
+status: experimental
+description: |
+    Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
+    Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Sftp/
+    - https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+    - attack.defense-evasion
+    - attack.t1202
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\sftp.exe'
+        CommandLine|contains: 'ProxyCommand='
+    condition: selection
+falsepositives:
+    - Legitimate use of SFTP with proxy commands for administration or networking tasks
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml