Use Of The SFTP.EXE Binary As A LOLBIN

Rule Info

Name
Use Of The SFTP.EXE Binary As A LOLBIN
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Reference
https://github.com/LOLBAS-Project/LOLBAS/pull/264
Date
2022-11-10 00:00:00
Modified
None
Id
a85ffc3a-e8fd-4040-93bf-78aff284d801
Tags
attack.defense_evasion attack.execution attack.t1218 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=a85ffc3a-e8fd-4040-93bf-78aff284d801

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
fix: apply suggestions from code review
2022-11-11
04b7b92b6
Nasreddine Bencherchali
fix: fix duplicates in id field
2022-11-10
ddf7f1b34
Nasreddine Bencherchali
feat: new sftp lolbin rule
2022-11-10
c102b26bc
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022