← Back to Explore
sigmamediumHunting
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
MITRE ATT&CK
Detection Query
selection:
Image|endswith: \sftp.exe
CommandLine|contains: ProxyCommand=
condition: selection
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2026-04-27
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.stealthattack.t1202
Raw Content
title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Sftp/
- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sftp.exe'
CommandLine|contains: 'ProxyCommand='
condition: selection
falsepositives:
- Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml