From e803bc7635ebd4bebac4d30e806937fc58151910 Mon Sep 17 00:00:00 2001 From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com> Date: Mon, 14 Nov 2022 13:45:59 +0700 Subject: [PATCH] Update sftp.yml * Added another way of using sftp for execution * Added Download functionality --- yml/OSBinaries/sftp.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/yml/OSBinaries/sftp.yml b/yml/OSBinaries/sftp.yml index 22396c9..7159022 100644 --- a/yml/OSBinaries/sftp.yml +++ b/yml/OSBinaries/sftp.yml @@ -11,10 +11,25 @@ Commands: Privileges: User MitreID: T1202 OperatingSystem: Windows 10, Windows 11 + - Command: "sftp -S c:\\windows\\system32\\notepad.exe localhost" + Description: Execute notepad.exe with sftp.exe as parent process + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures + Category: Execute + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 + - Command: "sftp @: " + Description: Download file with sftp.exe from an FTP server + Usecase: Use sftp.exe as a proxy binary to evade defensive counter-measures. If needed, you will be asked to submit a password for the sFTP session. + Category: Download + Privileges: User + MitreID: T1202 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: c:\windows\system32\OpenSSH\sftp.exe Detection: - IOC: sftp.exe spawning unexpected processes + - IOC: Suspicious sFTP internet/network traffic Acknowledgement: - Person: 'Nir Chako (Pentera)' Handle: '@C_h4ck_0'
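Review bot: the new Download entry's Description says the file is fetched "from an FTP server", but sftp.exe speaks the SSH File Transfer Protocol and connects to an SSH server (port 22 by default), not an FTP server; reword it to "from an SSH/SFTP server". For the same entry, MitreID is carried over as T1202 (Indirect Command Execution), which fits the two Execute entries above it but not a file transfer; T1105 (Ingress Tool Transfer) is the matching technique for a Download category. The Command value as committed reads "sftp @: " with no user, host or remote-path placeholders, so the field should spell them out in the form the other entries use (for instance user@host:remote_path local_path), otherwise the entry is not usable as written. The added IOC "Suspicious sFTP internet/network traffic" is too vague to act on, since SFTP is indistinguishable on the wire from ordinary SSH; prefer host-side indicators such as "sftp.exe initiating outbound network connections to hosts not on an approved list" and, for the -S variant in the first new entry, "sftp.exe launched with -S pointing to a binary other than ssh.exe", which complements the existing "sftp.exe spawning unexpected processes". Minor: "sFTP" in the Usecase and IOC lines should be written "SFTP".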