Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
Sigma rule (View on GitHub)
1title: Indirect Command Execution via SFTP ProxyCommand
2id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
3status: experimental
4description: |
5 Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
6 Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Sftp/
9 - https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
10author: Swachchhanda Shrawan Poudel (Nextron Systems)
11date: 2026-04-27
12tags:
13 - attack.stealth
14 - attack.t1202
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\sftp.exe'
21 CommandLine|contains: 'ProxyCommand='
22 condition: selection
23falsepositives:
24 - Legitimate use of SFTP with proxy commands for administration or networking tasks
25level: medium
26regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
References
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE