From 387546895e297e005ec3d18ac801a6e05113c796 Mon Sep 17 00:00:00 2001 From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Date: Mon, 26 May 2025 22:48:15 +0545 Subject: [PATCH] feat: Indirect Command Execution via sftp.exe (#434) * feat: Indirect Command Execution via sftp.exe * Minor changes * Improved description * Update Sftp.yml --------- Co-authored-by: Wietze --- yml/OSBinaries/Sftp.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 yml/OSBinaries/Sftp.yml diff --git a/yml/OSBinaries/Sftp.yml b/yml/OSBinaries/Sftp.yml new file mode 100644 index 0000000..bdbb13a --- /dev/null +++ b/yml/OSBinaries/Sftp.yml @@ -0,0 +1,26 @@ +--- +Name: Sftp.exe +Description: sftp.exe is a Windows command-line utility that uses the Secure File Transfer Protocol (SFTP) to securely transfer files between a local machine and a remote server. +Author: Swachchhanda Shrawan Poudel +Created: 2025-05-13 +Commands: + - Command: sftp -o ProxyCommand="{CMD}" . + Description: "Spawns ssh.exe which in turn spawns the specified command line. See also this project's entry for ssh.exe." + Usecase: Proxy execution of specified command, can be used as a defensive evasion. + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD +Full_Path: + - Path: C:\Windows\System32\OpenSSH\sftp.exe +Detection: + - IOC: sftp.exe executions with ProxyCommand on the command line + - IOC: sftp.exe spawning ssh.exe with ProxyCommand on the command line + - Sigma: https://github.com/SigmaHQ/sigma/pull/5414/files +Resources: + - Link: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/ +Acknowledgement: + - Person: Swachchhanda Shrawan Poudel + Handle: '@_swachchhanda_'
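Review bot: In the `Usecase` line of the new Sftp.yml, "can be used as a defensive evasion" should read "defense evasion" to match the MITRE ATT&CK tactic name used elsewhere in this project's entries. Also, the `Sigma` reference points at a pull request's files view (`https://github.com/SigmaHQ/sigma/pull/5414/files`), which is not stable once the PR is merged or rebased; consider replacing it with the merged rule's path in the SigmaHQ repository, or noting in the entry that the rule was still pending at the time of writing. The two `IOC` lines are otherwise consistent with the command documented above them (sftp.exe with `ProxyCommand` on its command line, and the resulting sftp.exe -> ssh.exe parent/child relationship).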