Skip to content

Add rule: indirect command execution via scp.exe#6104

Open
ashish-cybersec wants to merge 1 commit into
SigmaHQ:masterfrom
ashish-cybersec:detect-scp-lolbin-indirect-execution
Open

Add rule: indirect command execution via scp.exe#6104
ashish-cybersec wants to merge 1 commit into
SigmaHQ:masterfrom
ashish-cybersec:detect-scp-lolbin-indirect-execution

Conversation

@ashish-cybersec

Copy link
Copy Markdown

Summary of the Pull Request

new: Adds a rule to detect indirect command execution via the OpenSSH scp.exe client, using the -S option or a ProxyCommand to run arbitrary programs as an execution proxy. scp.exe had no existing coverage; this completes the OpenSSH client LOLBin family alongside the existing sftp.exe and ssh.exe rules.

Changelog

new: Indirect Command Execution Via Scp.EXE

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Review Needed The PR requires review Rules Windows Pull request add/update windows related rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant