Skip to content

Indirect Command Execution via SFTP ProxyCommand#5414

Open
swachchhanda000 wants to merge 5 commits intoSigmaHQ:masterfrom
swachchhanda000:sftp
Open

Indirect Command Execution via SFTP ProxyCommand#5414
swachchhanda000 wants to merge 5 commits intoSigmaHQ:masterfrom
swachchhanda000:sftp

Conversation

@swachchhanda000
Copy link
Collaborator

@swachchhanda000 swachchhanda000 commented May 13, 2025
edited
Loading

Summary of the Pull Request

Indirect Command Execution via SFTP ProxyCommand

Changelog

new: Indirect Command Execution via SFTP ProxyCommand

Example Log Event

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" /> 
  <EventID>1</EventID> 
  <Version>5</Version> 
  <Level>4</Level> 
  <Task>1</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2025-05-13T14:43:50.4269510Z" /> 
  <EventRecordID>17654</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="3208" ThreadID="1724" /> 
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel> 
  <Computer>swachchhanda</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
<EventData>
  <Data Name="RuleName">-</Data> 
  <Data Name="UtcTime">2025-05-13 14:43:50.415</Data> 
  <Data Name="ProcessGuid">{0197231e-5aa6-6823-b610-000000000800}</Data> 
  <Data Name="ProcessId">6588</Data> 
  <Data Name="Image">C:\Windows\System32\OpenSSH\ssh.exe</Data> 
  <Data Name="FileVersion">9.5.2.1</Data> 
  <Data Name="Description">-</Data> 
  <Data Name="Product">OpenSSH for Windows</Data> 
  <Data Name="Company">-</Data> 
  <Data Name="OriginalFileName">-</Data> 
  <Data Name="CommandLine">"C:\WINDOWS\System32\OpenSSH\ssh.exe" "-oForwardX11 no" "-oPermitLocalCommand no" "-oClearAllForwardings yes" -o "ProxyCommand=cmd /c c:\windows\system32\calc.exe" "-oForwardAgent no" -s -- . sftp</Data> 
  <Data Name="CurrentDirectory">C:\Users\xodih\</Data> 
  <Data Name="User">swachchhanda\xodih</Data> 
  <Data Name="LogonGuid">{0197231e-ab9f-67aa-fb17-030000000000}</Data> 
  <Data Name="LogonId">0x317fb</Data> 
  <Data Name="TerminalSessionId">1</Data> 
  <Data Name="IntegrityLevel">Medium</Data> 
  <Data Name="Hashes">MD5=F37C7F3294E2E33BC57CAD0766B02143,SHA256=CC714B30CCACAA9D8AFC24BD2BEC289FD5309F545CDDA8F32BE71ED430456271,IMPHASH=4A7047D5E5FF72B10C6205EDC23D6E7E</Data> 
  <Data Name="ParentProcessGuid">{0197231e-5aa6-6823-b510-000000000800}</Data> 
  <Data Name="ParentProcessId">2628</Data> 
  <Data Name="ParentImage">C:\Windows\System32\OpenSSH\sftp.exe</Data> 
  <Data Name="ParentCommandLine">sftp -o ProxyCommand="cmd /c c:\windows\system32\calc.exe" .</Data> 
  <Data Name="ParentUser">swachchhanda\xodih</Data> 
  </EventData>
  </Event>

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels May 13, 2025
nasbench
nasbench reviewed Oct 20, 2025
View reviewed changes
rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution.yml Outdated
Comment on lines +19 to +25
selection_img:
Image|endswith: '\sftp.exe'
CommandLine|contains: 'ProxyCommand='
selection_child:
Image|endswith: '\ssh.exe'
CommandLine|contains: 'ProxyCommand='
CommandLine|endswith: 'sftp'
Copy link
Member

@nasbench nasbench Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently these 2 overlaps. Did you mean sftp as a parent?

Also we already have coverage for ssh proxy command

Copy link
Collaborator Author

@swachchhanda000 swachchhanda000 Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, when sftp is parent you see sftp in commandline

Copy link
Collaborator Author

@swachchhanda000 swachchhanda000 Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right, removing this slection

@phantinuss phantinuss added Review Needed The PR requires review and removed 2nd Review Needed labels Nov 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench left review comments

@frack113 frack113 frack113 approved these changes

@phantinuss phantinuss phantinuss approved these changes

Assignees

No one assigned

Labels

Review Needed The PR requires review Rules Windows Pull request add/update windows related rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@swachchhanda000 @nasbench @frack113 @phantinuss