← Back to SOC feed Coverage →

Use Of The SFTP.EXE Binary As A LOLBIN

sigma MEDIUM SigmaHQ
T1218
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-10T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the usage of the “sftp.exe” binary as a LOLBIN by abusing the “-D” flag

Detection Rule

Sigma (Original)

title: Use Of The SFTP.EXE Binary As A LOLBIN
id: a85ffc3a-e8fd-4040-93bf-78aff284d801
status: test
description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
        CommandLine|contains:
            # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
            # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
            - ' -D ..'
            - ' -D C:\'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\sftp.exe" and (TargetProcessCommandLine contains " -D .." or TargetProcessCommandLine contains " -D C:\\")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml