Indirect Command Execution via SFTP ProxyCommand

Hunt Hypothesis

Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitra

Detection Rule

Sigma (Original)

title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
    Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
    Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Sftp/
    - https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe'
        CommandLine|contains: 'ProxyCommand='
    condition: selection
falsepositives:
    - Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\sftp.exe" and TargetProcessCommandLine contains "ProxyCommand="

Required Data Sources

False Positive Guidance

• Legitimate use of SFTP with proxy commands for administration or networking tasks

MITRE ATT&CK Context

• Technique: T1202 — T1202

References

• https://lolbas-project.github.io/lolbas/Binaries/Sftp/
• https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
• SigmaHQ Rule