Detectionmediumexperimental

Indirect Command Execution via SFTP ProxyCommand

Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Apr 27762bb580-79b4-40f4-8b9e-9349ce1710f4windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\sftp.exe'
        CommandLine|contains: 'ProxyCommand='
    condition: selection

False Positives

Legitimate use of SFTP with proxy commands for administration or networking tasks

References

Resolving title…

lolbas-project.github.io

Resolving title…

news.sophos.com

Testing & Validation

Regression Tests

by Swachchhanda Shrawan Poudel (Nextron Systems)

Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1202 · Indirect Command Execution

Rule Metadata

Rule ID

762bb580-79b4-40f4-8b9e-9349ce1710f4

Status

experimental

Level

medium

Type

Detection

Created

Mon Apr 27

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_sftp_proxy_command_execution.yml

Raw Tags

attack.defense-evasionattack.t1202

View on GitHub