public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-06-20 18:45:12 +02:00
Code Issues Projects Releases Wiki Activity

feat: Indirect Command Execution via sftp.exe (#434)

Browse Source 
* feat: Indirect Command Execution via sftp.exe

* Minor changes

* Improved description

* Update Sftp.yml

---------

Co-authored-by: Wietze <wietze@users.noreply.github.com>
This commit is contained in:
Swachchhanda Shrawan Poudel 2025-05-26 22:48:15 +05:45 committed by GitHub
parent 373d0a52bb
commit 387546895e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
yml/OSBinaries/Sftp.yml Normal file
View File

@ -0,0 +1,26 @@
---
Name: Sftp.exe
Description: sftp.exe is a Windows command-line utility that uses the Secure File Transfer Protocol (SFTP) to securely transfer files between a local machine and a remote server.
Author: Swachchhanda Shrawan Poudel
Created: 2025-05-13
Commands:
- Command: sftp -o ProxyCommand="{CMD}" .
Description: "Spawns ssh.exe which in turn spawns the specified command line. See also this project's entry for ssh.exe."
Usecase: Proxy execution of specified command, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\OpenSSH\sftp.exe
Detection:
- IOC: sftp.exe executions with ProxyCommand on the command line
- IOC: sftp.exe spawning ssh.exe with ProxyCommand on the command line
- Sigma: https://github.com/SigmaHQ/sigma/pull/5414/files
Resources:
- Link: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
Acknowledgement:
- Person: Swachchhanda Shrawan Poudel
Handle: '@_swachchhanda_'