
Use Of The SFTP.EXE Binary As A LOLBIN

Sigma Rules

Summary
This detection rule targets the Windows SFTP client, "sftp.exe", which malicious actors can weaponize for stealthy data exfiltration or command-and-control (C2) operations. The rule looks for executions of "sftp.exe" with the "-D" command-line flag, often used to create an SFTP server endpoint. By flagging uses of this binary that are atypical for, or unsuited to, legitimate operations, the rule aims to surface potential security incidents involving shadow IT or the misuse of legitimate-looking tools. Threat actors may use this functionality to obscure their activity, which makes it a critical detection point within the realm of defense evasion tactics.
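The following is an added example, not the rule's own Sigma logic, showing how the check described above can be applied to process-creation telemetry. It assumes Sysmon-style event fields (Image, CommandLine, ParentImage) and uses a constructed set of sample events; it matches only a true "-D" argument token rather than any "-D" substring, so hostnames or paths containing that text do not fire.

```python
import ntpath
import shlex
from typing import Dict, List

# Constructed sample of Windows process-creation events (assumed Sysmon
# Event ID 1 style field names); these are not from the rule page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "CommandLine": r"sftp.exe -D C:\Users\Public\tool.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
     "CommandLine": "sftp.exe backup@fileserver-D.example",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\Git\usr\bin\sftp.exe",
     "CommandLine": 'sftp.exe -v -D "C:\\tmp\\srv.exe"',
     "ParentImage": r"C:\Program Files\Git\git-bash.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe -D notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def is_sftp_d_invocation(event: Dict[str, str]) -> bool:
    """True when the process image is sftp.exe and its arguments carry -D."""
    if ntpath.basename(event.get("Image", "")).lower() != "sftp.exe":
        return False
    cmdline = event.get("CommandLine", "")
    try:
        # posix=False keeps Windows backslashes intact instead of treating
        # them as escape characters.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        # Unbalanced quotes: an unparsable sftp.exe command line is itself
        # worth an analyst's look, so keep it rather than silently drop it.
        return True
    # getopt-style parsing: "-D <path>" and the fused form "-D<path>" both
    # select the -D option. Bundled flags such as "-vD" are out of scope.
    return any(tok == "-D" or tok.startswith("-D") for tok in argv[1:])


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that should raise an alert under this rule."""
    return [e for e in events if is_sftp_d_invocation(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT sftp.exe -D:", hit["CommandLine"], "<-", hit["ParentImage"])
```

Enrichment with the parent process and the path passed to -D is what turns a raw hit into a triage-ready alert, since the flag's argument identifies the binary sftp.exe was asked to run as its server.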
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-11-10