Detectionmediumtest
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Nov 10a85ffc3a-e8fd-4040-93bf-78aff284d801windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
CommandLine|contains:
# Since "-D" is a valid flag for other usage we assume the user is going to enter a path
# Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
# In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
- ' -D ..'
- ' -D C:\'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Rule Metadata
Rule ID
a85ffc3a-e8fd-4040-93bf-78aff284d801
Status
test
Level
medium
Type
Detection
Created
Thu Nov 10
Path
rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml
Raw Tags
attack.defense-evasionattack.executionattack.t1218