Indirect Command Execution via SFTP ProxyCommand (762bb580-79b4-40f4-8b9e-9349ce1710f4)
Detects the use of sftp.exe to execute commands indirectly via the ProxyCommand option. Threat actors have been observed leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | Indirect Command Execution via SFTP ProxyCommand (762bb580-79b4-40f4-8b9e-9349ce1710f4) | Sigma-Rules | 1 |