sigmamediumHunting

Use Of The SFTP.EXE Binary As A LOLBIN

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

MITRE ATT&CK

execution

Detection Query

selection:
  Image|endswith: \sftp.exe
  CommandLine|contains:
    - " -D .."
    - " -D C:\\"
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-11-10

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/LOLBAS-Project/LOLBAS/pull/264

Tags

attack.executionattack.stealthattack.t1218

Raw Content

title: Use Of The SFTP.EXE Binary As A LOLBIN
id: a85ffc3a-e8fd-4040-93bf-78aff284d801
status: test
description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
        CommandLine|contains:
            # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
            # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
            - ' -D ..'
            - ' -D C:\'
    condition: selection
falsepositives:
    - Unknown
level: medium