Product
Attackers are leveraging the Windows OpenSSH client (ssh.exe, sftp.exe) to proxy command execution and bypass application controls by executing commands such as powershell, schtasks, or cmd, indicating a defense evasion attempt.