From ff107c3fe12964ca1568e219e54a465030c4010d Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel
 <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 28 Apr 2026 02:11:12 +0545
Subject: [PATCH] Merge PR #5414 from @swachchhanda000 - Add `Indirect Command
 Execution via SFTP ProxyCommand`

new: Indirect Command Execution via SFTP ProxyCommand

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
---
 .../762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx | Bin 0 -> 69632 bytes
 .../762bb580-79b4-40f4-8b9e-9349ce1710f4.json |  66 ++++++++++++++++++
 .../info.yml                                  |  13 ++++
 ...ation_win_sftp_proxy_command_execution.yml |  26 +++++++
 4 files changed, 105 insertions(+)
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.json
 create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx
new file mode 100644
index 0000000000000000000000000000000000000000..e9224168d49bf65d86bd7990ed25b18a87679133
GIT binary patch
literal 69632
zcmeI0TWp+1701u_?ZxZ0ch_!Xu1(marPL{QY;V@tZR(<p?QKFGFl|bMWT`T~Wm|h4
z#ZH?v5{iHd%0qz%E>a(;ibO9!#S1Db6-Y>^JQaZ|aS^IOyub@mK^35a%>O_0eO|8{
zJ1Kqrf2-M@Z|2OIGrx1@%-EC5i}l9xf^C1osNphxLra+T1lvX4@q6vxZ{G2al}LdI
zh=2%)fCz|y2#A0Ph=2%)fCz}dRS8TkFOHvSK4|e@_dESwrY8JTAk%Ah>-T?kRlQde
z;5<KgxmnyQw>NE;&6xcoW%ifk)*iDFw2$H65O4Q+<tk$y!<>BfVopB)jO4!;wX^LB
zv@LG4=OcLkSM*Pk_idYFCDO&Q&qno=kgY@Ki`(>2=31XWceEsLj{iZ^YWlxw2M@xh
z1>5w0#eQ<fxflKr6oSCIgV&D!?U{Hc)^GXi6L%l@({EqB{A};jU%^T!RqM6Sqsj&H
zd9gcXllG7;Sku<={solu15xKog_K>e6<bE<8ah%z+0H<0-Ok!=b_ky}n?uV2WM)wx
z#BT#F=WG>ktF{QqLA<Y`{g6G3z9xQ0YzUvjs0~>K-wT`5ueH5}!N$g`@Kx-$)l+G^
z$1Xzix|<OJUfbCC6zqyU`ue4eO}p72!d&x^I)~m-lzJSDcYQ5sAA_+g=rqgcEl8h^
z;-SAUX?NOrHxgY1D<o<OI|;EzB8fL<JGQ_&VH4>45K5XMM>YMw&)O%TViw36SboEq
zKy>+}rNex}(#fF94xk~9^!Idj*e4^g21qs07v{SxnZ%ykhnG0S=U++L6a?w3WhZ15
z3hf5G+z`d-<fWvYa=v)biG-Xmup(Z#1^7I_FKr)(1L+nb;&cHurR*lW#5?DKUuNts
zbYFzuR>5%|+$ox}z9g_u<K?T7#-opSVbX?UIu6kV7(f@zL&o9ZE@DjGekt4L!FUkx
zq^&m*WDzZ`TvAWuw$Q#C3TZMe@#MpN*0QwaQ4ER`!c%|mvT-LyJC>a#G1eK#)$7p?
z&%U0u8Z@rMa7N2IR_gWUJFJjqQlQ(*Kkqe8?KN>tI}FM(TsAgVFh`t3e)PjmEZ~AO
z{JfjUyZ1QlfH#e{WPj5c#q1me*YJs~$XF)L)JoSrTFrp)nTTx+Am3@3M9|~HiOHDH
z=MbXfkeo#zHJ#mbT8{<EU}NKU2r#SBaYvgO2WkbOK;!&g2~$BgOn4aMxv^Qiu6eYO
z^)aZ3lkk&+8Mu>fIS<P`LbDG*A|2=B#i_L23x(7kt*hIvPbBlbwm)gtK@_3q3L+H;
zmS082`YdBOy6_}XW64<7$zix_AHrLY73?^E`#bkLE%9k+m*c$n#cs2gp!De%+#qBy
zFO%ZbCt-7YvKp}a(AI>PSHWP-2BL6X!F$v0ubjQ_;LrXz{?n=S8;vi&`Mb9}{*c>u
zM8W;xqmr4zC-2XkSg*uK2J2mONAC|l`q<0=z4y62ufbuIf)9U<Do<TL6Q5;(#mRfZ
zshveT^I{dhJcSu&Us_EfS8-DIz859Ue3%L{i0$*RU|};ShB>%|j{aaY{@pF<4!Ck1
z#Nurm=3o(J2O?SLdat=_TTsV|HOz%p;F$hs%==sV-?|azEzBh>L;3xYJiQ-TpF&9S
z;8}wGVGd!mqb+sN<|^A0ZJ0~#GG+quJl+`DXE*&7=F+?H@rTbmm@=`1xsF|AnWeb-
zxKl4eHsfWFMC&A<Xq`QX8(Oi1(uDl7#p{VrvM|@V%S!xAB*n;{a#~0X8;ZoPIODk6
z)6Ai~7ffIb>s%F6FzxN~qv><T8Fy=BZ*p_Xhq-PqbwzJaLD!PoS*_?m8l_EFjJ}rq
z39KW`<^53<NBXTT3wjZw+-JOwcw)>`Os;;{`SArGS*2(NoHJTM9+Aa$FTlPyv$f9N
zFvolfD{qWO_O(W)k&t*5;-zQ}HuieSE7~{>$(XQ@ocIW6@wm?OC`U87<J9l40(RI=
z<Nf-s_v_nXceciE-9>w@(cYb6s?U$7FBlbjTV%3r_Qr=on0psSB#mh%L@FPQ(mGQ<
zQ#&qbuKnidmokr_d>!Q`6dnOQF8mP@*g<4Tw()%w{TxrZ0e9^jLE8YXoh5t^Th)rF
zAHh|&gx}jBF@pJdDJ|K)8^00czw_h9w@Dnj{)4O7IAmtFoe(o^7n%|@%tTqfiJp6~
zh8e^GFT!V`d%@iXs;HGwINLBR;cblj%*z)c%{^A!Hq!tkV@*Z$4nV3HW!VeZk?kHC
z!>wQr@jnllL#P!|XuZFL$LAYuYh9?l^>c`-Wk|=?9>CbaXze~qxhHsoE^g+bHPmmx
z+A84Nk6GS&G8VDA30x@G(A$2-&fowW26d9Jq4(2n&(7dPn#3-y+iB=NjNS^$FzTnU
z?p0VwO*`FGW?&0%w+-w=dh%P}eQs%L4~{%M@o#|oaY!sd<|J$@+Za4@7`0=FiBZ^6
z!R$w{@(NljsPSzSWf-N3?-5v7N2#LJAXl>wJCE1UQ-<UizN@Z>5qAtDjzOx7kJnnq
zTh+DHF)Jm?&@_tg5=M=njTY1}`(eDXg?cM!=lmlmbvJ6#=^Ju((ZVuhNAa0}JtwfX
zX{@v6EE~g^66C0hbJrnTg?6r}gx_(@U&0LD+97D5PbSdHHd;xV-<*EFae5C~X6zSZ
z*S;@&JjQX={&p>%<cxUu_pcri5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p
z5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo
z0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z5fA|p5CIVo0TB=Z
Q5fA|p5CIVof!zuG56;F_H2?qr

literal 0
HcmV?d00001

diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.json b/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.json
new file mode 100644
index 000000000..9e9d238b1
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.json
@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-03-19T07:30:22.106629Z"
+        }
+      },
+      "EventRecordID": 47015,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-03-19 07:30:22.083",
+      "ProcessGuid": "0197231E-A60E-69BB-A327-000000000800",
+      "ProcessId": 7932,
+      "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
+      "FileVersion": "9.5.2.1",
+      "Description": "-",
+      "Product": "OpenSSH for Windows",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "sftp  -o ProxyCommand=\"cmd /c c:\\windows\\system32\\calc.exe\" .",
+      "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft SDKs\\Windows\\v10.0A\\bin\\NETFX 4.8.1 Tools\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
+      "LogonId": "0x3144c",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "High",
+      "Hashes": "MD5=24DB76A8F7C8487F76717912EFE9EACA,SHA256=59AC03B1BC557C8FC9C5FD3B5E653A2D8FA442A2258D7929F3BE7C017765A66D,IMPHASH=931A2C9F5941734CE383B10D0ADE83FD",
+      "ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
+      "ParentProcessId": 15816,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "cmd.exe",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
new file mode 100644
index 000000000..b1fa5e483
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
@@ -0,0 +1,13 @@
+id: 91d062f3-6256-4859-9f3f-bf2d01f32340
+description: N/A
+date: 2026-03-19
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
+      title: Indirect Command Execution via SFTP ProxyCommand
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/762bb580-79b4-40f4-8b9e-9349ce1710f4.evtx
diff --git a/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml b/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml
new file mode 100644
index 000000000..f080d2fe0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml
@@ -0,0 +1,26 @@
+title: Indirect Command Execution via SFTP ProxyCommand
+id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
+status: experimental
+description: |
+    Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
+    Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Sftp/
+    - https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-27
+tags:
+    - attack.defense-evasion
+    - attack.t1202
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\sftp.exe'
+        CommandLine|contains: 'ProxyCommand='
+    condition: selection
+falsepositives:
+    - Legitimate use of SFTP with proxy commands for administration or networking tasks
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml