Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Sigma rule (View on GitHub)
```yaml
title: Use Of The SFTP.EXE Binary As A LOLBIN
id: a85ffc3a-e8fd-4040-93bf-78aff284d801
status: test
description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
        CommandLine|contains:
            # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
            # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
            - ' -D ..'
            - ' -D C:\'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
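To check how the `selection` above behaves on real-looking telemetry, here is an added example (not part of the Sigma project or of this rule) that evaluates the rule's `Image|endswith` and `CommandLine|contains` logic over a handful of constructed process_creation events; the hostnames, paths and event ids in it are invented.

```python
# Added example (not Sigma project code): a tiny evaluator for the rule's
# `selection` block, applied to constructed process_creation events so the
# matching semantics (case-insensitive endswith / contains-any-of) can be
# checked offline.
from typing import Dict, List

IMAGE_SUFFIX = "\\sftp.exe"
# The two CommandLine|contains values from the rule.
CMDLINE_NEEDLES = [" -D ..", " -D C:\\"]


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string modifiers match case-insensitively by default, so both
    fields are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    return any(needle.lower() in cmdline for needle in CMDLINE_NEEDLES)


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the EventId of every event the rule fires on."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts, paths and ids).
SAMPLE_EVENTS = [
    {"EventId": "1", "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
     "CommandLine": "sftp.exe -D C:\\Windows\\System32\\calc.exe"},  # full path
    {"EventId": "2", "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
     "CommandLine": "sftp -D ..\\..\\..\\Windows\\System32\\calc.exe"},  # relative path
    {"EventId": "3", "Image": "C:\\Windows\\System32\\OpenSSH\\SFTP.EXE",
     "CommandLine": "SFTP.EXE -d c:\\tools\\notepad.exe"},  # case differs; Sigma still matches
    {"EventId": "4", "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
     "CommandLine": "sftp user@files.example.internal"},  # ordinary transfer, no hit
    {"EventId": "5", "Image": "C:\\Windows\\System32\\OpenSSH\\sftp.exe",
     "CommandLine": "sftp -D sftp-server user@files.example.internal"},  # -D without a path prefix
    {"EventId": "6", "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "CommandLine": "ssh -D C:\\anything"},  # different image, no hit
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))  # ['1', '2', '3']
```

Events 4 and 5 show why the rule keys on the path prefix after `-D` rather than on the flag alone: plain `-D` is legitimate sftp usage and would otherwise be a steady source of false positives.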
References
- https://github.com/LOLBAS-Project/LOLBAS/pull/264
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Binary Proxy Execution Via Dotnet-Trace.EXE