mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-06-20 18:45:12 +02:00
387546895e
* feat: Indirect Command Execution via sftp.exe * Minor changes * Improved description * Update Sftp.yml --------- Co-authored-by: Wietze <wietze@users.noreply.github.com>
27 lines
1.1 KiB
YAML
27 lines
1.1 KiB
YAML
---
|
|
Name: Sftp.exe
|
|
Description: sftp.exe is a Windows command-line utility that uses the Secure File Transfer Protocol (SFTP) to securely transfer files between a local machine and a remote server.
|
|
Author: Swachchhanda Shrawan Poudel
|
|
Created: 2025-05-13
|
|
Commands:
|
|
- Command: sftp -o ProxyCommand="{CMD}" .
|
|
Description: "Spawns ssh.exe which in turn spawns the specified command line. See also this project's entry for ssh.exe."
|
|
Usecase: Proxy execution of specified command, can be used as a defensive evasion.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1202
|
|
OperatingSystem: Windows 10, Windows 11
|
|
Tags:
|
|
- Execute: CMD
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\OpenSSH\sftp.exe
|
|
Detection:
|
|
- IOC: sftp.exe executions with ProxyCommand on the command line
|
|
- IOC: sftp.exe spawning ssh.exe with ProxyCommand on the command line
|
|
- Sigma: https://github.com/SigmaHQ/sigma/pull/5414/files
|
|
Resources:
|
|
- Link: https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
|
|
Acknowledgement:
|
|
- Person: Swachchhanda Shrawan Poudel
|
|
Handle: '@_swachchhanda_'
|