add new selection block

swachchhanda000 · swachchhanda000 · commit 51c94acffa79 · 2025-05-13T20:45:22.000+05:45
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution.yml
@@ -15,10 +15,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_img:
         Image|endswith: '\sftp.exe'
         CommandLine|contains: 'ProxyCommand='
-    condition: selection
+    selection_child:
+        Image|endswith: '\ssh.exe'
+        CommandLine|contains: 'ProxyCommand='
+        CommandLine|endswith: 'sftp'
+    condition: 1 of selection_*
 falsepositives:
     - Legitimate use of SFTP with proxy commands for administration or networking tasks
 level: high
