From 860246fe1816001b186ab4f5e0347b81918ffd3c Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Sun, 6 Nov 2022 20:19:45 +0700 Subject: [PATCH] Add sftp.exe executor c:\windows\system32\openssh\sftp.exe with the -D flag, is able to execute another exe file --- yml/OSBinaries/sftp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 yml/OSBinaries/sftp diff --git a/yml/OSBinaries/sftp b/yml/OSBinaries/sftp new file mode 100644 index 0000000..114b9f3 --- /dev/null +++ b/yml/OSBinaries/sftp @@ -0,0 +1,20 @@ +--- +Name: sftp.exe +Description: SSH File Transfer Protocol +Author: Nir Chako +Created: 2022-11-06 +Commands: + - Command: "sftp -D c:\windows\system32\notepad.exe" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: c:\windows\system32\OpenSSH\sftp.exe +Detection: + - IOC: sftp.exe spawning unexpected processes +Acknowledgement: + - Person: 'Nir Chako (Pentera)' + Handle: '@C_h4ck_0'
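Review bot: the `Command` value in this hunk is a YAML double-quoted scalar, so the backslashes in `"sftp -D c:\windows\system32\notepad.exe"` are parsed as escape sequences: `\n` becomes a newline and `\w` and `\s` are not valid escapes, so a strict YAML loader will either reject the file or emit a corrupted command string. Use a single-quoted scalar, which the same file already does for the `Acknowledgement` entries, e.g. `- Command: 'sftp -D c:\windows\system32\notepad.exe'`. Two smaller points: the new file is created as `yml/OSBinaries/sftp` with no `.yml` extension, unlike the `yml/` directory it lives in suggests, and `Full_Path` writes the directory as `OpenSSH` while the description in the commit message writes `openssh`; the on-disk casing should be used consistently so detection rules matching on the path do not miss it.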