Use Of The SFTP.EXE Binary As A LOLBIN

Rule Info

Id: a85ffc3a-e8fd-4040-93bf-78aff284d801
Author: Nasreddine Bencherchali
Name: Use Of The SFTP.EXE Binary As A LOLBIN
Tags: attack.defense_evasion attack.t1218 attack.execution DEMO
Date: 2022-11-10 00:00:00
Modified: None
Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Type: Community Rule

Rule History

Author | Date | Commit | Title
Nasreddine Bencherchali | 2022-11-11 | | fix: apply suggestions from code review
Nasreddine Bencherchali | 2022-11-10 | | fix: fix duplicates in id field
Nasreddine Bencherchali | 2022-11-10 | | feat: new sftp lolbin rule