Indirect Command Execution via SFTP ProxyCommand

Summary
This experimental Sigma rule for Windows process-creation events detects indirect command execution through the OpenSSH SFTP client (sftp.exe) via its ProxyCommand option. ProxyCommand tells the client to run an arbitrary program and use its stdin/stdout as the transport to the server, so a signed, legitimate binary ends up spawning whatever command the attacker supplies. This is a LOLBin-style defense-evasion technique: the command runs without cmd.exe or powershell.exe appearing in the command line, which can evade detections and application-control policies keyed on the traditional shells.

Detection logic: the rule matches when the process image ends with \sftp.exe and the command line contains ProxyCommand=. Both conditions must hold. As with all Sigma string matching the comparison is case-insensitive, so -oproxycommand= matches as well.

Triage: the value after ProxyCommand= is the command that was actually executed; review it together with the parent process and the invoking user. Such proxied execution can precede further command execution, lateral movement, or data exfiltration.

Caveats: the rule only sees the option when it is passed on the command line. A ProxyCommand directive placed in an ssh_config file (loaded with -F or from the user's default config) produces no match, and ssh.exe and scp.exe accept the same option but are outside this rule's scope. False positives are expected from legitimate administrative or networking tasks that invoke SFTP through a proxy (jump hosts, corporate bastions).

The rule is marked level medium and status experimental, and ships with a regression test path.
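The rule's selection logic run over a handful of sample process-creation events, as an added example (not the rule catalog's own code). The selection dictionary is reconstructed from the description above, the events are constructed Sysmon-style records rather than real telemetry, and the extract_proxy_command helper is an assumed triage aid that is not part of the rule:

```python
"""Evaluate the sftp.exe ProxyCommand detection over sample process-creation
events. Added example, not the rule catalog's own code; the events below are
constructed for illustration."""
import re
from typing import Dict, List, Optional

# Selection reconstructed from the rule summary: Image ends with '\sftp.exe'
# and CommandLine contains 'ProxyCommand='. Sigma string matching is
# case-insensitive by default, so both sides are lowercased before comparing.
SELECTION: Dict[str, str] = {
    "Image|endswith": "\\sftp.exe",
    "CommandLine|contains": "ProxyCommand=",
}

# Assumed triage helper: captures a quoted or bare ProxyCommand value.
_PROXY_RE = re.compile(r'ProxyCommand=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _field_matches(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()
    if modifier == "":
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches(event: Dict[str, str], selection: Dict[str, str] = SELECTION) -> bool:
    """True when every field in the selection matches (Sigma AND semantics)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field, ""), modifier, pattern):
            return False
    return True


def extract_proxy_command(command_line: str) -> Optional[str]:
    """Pull the ProxyCommand value out of the command line for analyst triage."""
    m = _PROXY_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert record per matching event."""
    out: List[Dict[str, str]] = []
    for ev in events:
        if matches(ev):
            out.append({
                "ProcessId": ev["ProcessId"],
                "Image": ev["Image"],
                "ProxyCommand": extract_proxy_command(ev["CommandLine"]) or "",
            })
    return out


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # true positive: ProxyCommand used to launch an arbitrary binary
        "ProcessId": "4120",
        "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
        "CommandLine": r'sftp.exe -o ProxyCommand="cmd.exe /c calc.exe" user@203.0.113.10',
    },
    {   # benign: ordinary sftp session, no proxy option
        "ProcessId": "4121",
        "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
        "CommandLine": r"sftp.exe user@files.example.org",
    },
    {   # case variation still matches (Sigma matching is case-insensitive)
        "ProcessId": "4122",
        "Image": r"C:\Users\alice\Tools\SFTP.EXE",
        "CommandLine": r'SFTP.EXE -oproxycommand="powershell.exe -nop -w hidden" x@y',
    },
    {   # out of scope for this rule: ssh.exe accepts the same option
        "ProcessId": "4123",
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "CommandLine": r'ssh.exe -o ProxyCommand="cmd.exe /c whoami" user@host',
    },
    {   # evades the rule: ProxyCommand lives in a config file loaded via -F
        "ProcessId": "4124",
        "Image": r"C:\Windows\System32\OpenSSH\sftp.exe",
        "CommandLine": r"sftp.exe -F C:\Users\alice\proxy.conf user@host",
    },
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

Running it yields alerts for process IDs 4120 and 4122 only. The ssh.exe event and the -F config-file event are left unmatched on purpose: they show where this rule's coverage ends and where a companion rule (ssh.exe/scp.exe with the same option, or a file-creation rule on ssh_config writes) would be needed.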
Categories
  • Endpoint
  • Windows
Data Sources
  • Image
  • Process
Created: 2026-04-27