
Rule Info
Name
PUA - WinSCP Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of WinSCP, a popular open-source SFTP client that can be used to transfer files between systems.
Adversaries have been known to abuse WinSCP for data exfiltration by transferring files to remote servers.
This rule might have false positives, as WinSCP is a very popular and widely used SFTP client, so it may be installed on systems for legitimate purposes.
But if you see execution of WinSCP on computers where you don't usually expect it, such as in accounting or finance departments,
this warrants further investigation, as it could be a sign of data exfiltration.
Reference
Date
2025-04-08 00:00:00
Modified
None
Id
5f4b9012-5f6d-4c9a-8c5e-7e4f57f2e0c0
Tags
attack.exfiltration attack.t1567
Type
Nextron Sigma feed only (private)