Use Of The SFTP.EXE Binary As A LOLBIN

Oct 17, 2023 · attack.defense_evasion attack.execution attack.t1218 ·

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

Sigma rule (View on GitHub)

 1title: Use Of The SFTP.EXE Binary As A LOLBIN
 2id: a85ffc3a-e8fd-4040-93bf-78aff284d801
 3status: test
 4description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
 5references:
 6    - https://github.com/LOLBAS-Project/LOLBAS/pull/264
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/11/10
 9tags:
10    - attack.defense_evasion
11    - attack.execution
12    - attack.t1218
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
19        CommandLine|contains:
20            # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
21            # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
22            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
23            - ' -D ..'
24            - ' -D C:\'
25    condition: selection
26falsepositives:
27    - Unknown
28level: medium

References

Add sftp.exe executor/downloader and Outlook.exe downloader by C-h4ck-0 · Pull Request #264 · LOLBAS-Project/LOLBAS

c:\windows\system32\openssh\sftp.exe with the -D flag, is able to execute another exe file

Read More

Use Of The SFTP.EXE Binary As A LOLBIN

Sigma rule (View on GitHub)

References

Add sftp.exe executor/downloader and Outlook.exe downloader by C-h4ck-0 · Pull Request #264 · LOLBAS-Project/LOLBAS

Related rules