Indirect Command Execution via SFTP ProxyCommand

Rule Info

Name:         Indirect Command Execution via SFTP ProxyCommand
Author:       Swachchhanda Shrawan Poudel (Nextron Systems)
Description:  Detects the use of SFTP.exe to execute commands indirectly via the ProxyCommand parameter. Threat actors have been observed leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
Date:         2026-04-27 00:00:00
Modified:     None
Id:           762bb580-79b4-40f4-8b9e-9349ce1710f4
Tags:         attack.stealth attack.t1202
Type:         Community Rule

Rule History

Author                        Title                                                                                         Date        Commit
Nasreddine Bencherchali       Merge PR #5966 from @nasbench - Update mitre tags to use attack v19                           2026-04-29
Swachchhanda Shrawan Poudel   Merge PR #5414 from @swachchhanda000 - Add `Indirect Command Execution via SFTP ProxyCommand`   2026-04-28