Title:Indirect Command Execution via SFTP ProxyCommand Status:experimental Description:Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
References: -https://lolbas-project.github.io/lolbas/Binaries/Sftp/ -https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ Author: Swachchhanda Shrawan Poudel (Nextron Systems) Date: 2026-04-27 modified:None Tags:
-'attack.defense-evasion'
-'attack.t1202'
Logsource:
category: process_creation
product: windows
Detection: selection: Image|endswith:
'\sftp.exe' CommandLine|contains:
'ProxyCommand=' condition:selection Falsepositives:
-Legitimate use of SFTP with proxy commands for administration or networking tasks Level:medium
