Techniques
Sample rules
Indirect Command Execution via SFTP ProxyCommand
- source: sigma
- techniques:
- t1202
Description
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
Detection logic
selection:
  Image|endswith: \sftp.exe
  CommandLine|contains: ProxyCommand=
condition: selection
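The selection above is an implicit AND of two field tests, and Sigma compares strings case-insensitively by default. The following Python is an added example, not code from the Sigma project or this rule's author: it evaluates the rule's selection against constructed process-creation events in Sysmon Event ID 1 field naming (sample values, not real telemetry), and generalizes slightly by supporting the `contains`, `endswith` and `startswith` modifiers rather than only the two the rule uses.

```python
# Added example for this rule page; it is not part of the Sigma project.
# It applies the rule's selection (Image ends with \sftp.exe AND CommandLine
# contains ProxyCommand=) to constructed events, using Sigma's default
# case-insensitive string matching.

RULE_SELECTION = {
    "Image|endswith": r"\sftp.exe",
    "CommandLine|contains": "ProxyCommand=",
}


def _field_matches(field_spec: str, expected: str, event: dict) -> bool:
    """Apply one 'Field|modifier: value' test.

    Sigma string comparisons are case-insensitive by default, so both
    sides are lower-cased before comparing.
    """
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:  # a missing field never matches
        return False
    actual, expected = str(actual).lower(), expected.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "":  # plain equality when no modifier is given
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """A selection map is an implicit AND of all its field tests; since the
    rule's condition is simply 'selection', this is the whole detection."""
    return all(_field_matches(spec, value, event)
               for spec, value in selection.items())


# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
# '<placeholder>' stands in for whatever value the option carried.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "CommandLine": r'"C:\Windows\System32\OpenSSH\sftp.exe" -o ProxyCommand=<placeholder> user@host'},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "CommandLine": r'"C:\Windows\System32\OpenSSH\sftp.exe" user@host'},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r'ssh.exe -o ProxyCommand=<placeholder> user@host'},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "CommandLine": r'"C:\Windows\System32\OpenSSH\sftp.exe" -o proxycommand=<placeholder> user@host'},
]


def find_alerts(events: list) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running it flags the first and fourth sample events: the fourth uses a lower-cased `proxycommand=`, which still matches because OpenSSH option names are case-insensitive and so is Sigma's default string comparison. The third event (the same option passed to `ssh.exe`) is deliberately not matched, because this rule is scoped to `\sftp.exe` only; an analyst who wants coverage of the sibling binary would need a separate selection rather than assuming this rule catches it.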