Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" with the "-s" or "/s" script flag, and any child process run by "ftp.exe".
Sigma rule

```yaml
title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ftp.exe'
    selection_child_img:
        - Image|endswith: '\ftp.exe'
        - OriginalFileName: 'ftp.exe'
    selection_child_cli:
        CommandLine|contains|windash: '-s:'
    condition: selection_parent or all of selection_child_*
falsepositives:
    - Unknown
level: medium
```
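As an added example (not code from the rule's author or the Sigma project), a minimal Python evaluator for this rule's condition, run over constructed process_creation events. The field names are the ones the rule uses; the windash variant set ("-", "/" and the Unicode dashes) is assumed from the Sigma modifier specification, and the sample events are constructed, not real telemetry.

```python
# Added example, not code from the Sigma project: evaluates this rule's
# condition over constructed process_creation events (dicts of Sigma fields).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")  # assumed windash dash set

def ends_with(event: dict, field: str, suffix: str) -> bool:
    """Sigma 'endswith'; Sigma string matching is case-insensitive."""
    return str(event.get(field, "")).lower().endswith(suffix.lower())

def equals(event: dict, field: str, value: str) -> bool:
    return str(event.get(field, "")).lower() == value.lower()

def contains_windash(event: dict, field: str, value: str) -> bool:
    """'contains|windash': any dash-variant of value appears as a substring."""
    haystack = str(event.get(field, "")).lower()
    return any(value.replace("-", d).lower() in haystack for d in WINDASH_VARIANTS)

def ftp_rule_matches(event: dict) -> bool:
    """condition: selection_parent or all of selection_child_*"""
    selection_parent = ends_with(event, "ParentImage", "\\ftp.exe")
    # A list of maps in Sigma is OR-ed: binary name OR PE OriginalFileName,
    # so a renamed copy of ftp.exe is still caught.
    selection_child_img = (ends_with(event, "Image", "\\ftp.exe")
                           or equals(event, "OriginalFileName", "ftp.exe"))
    selection_child_cli = contains_windash(event, "CommandLine", "-s:")
    return selection_parent or (selection_child_img and selection_child_cli)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = {
    "script_dash": {"Image": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "ftp.exe",
                    "CommandLine": r"ftp -s:C:\Users\Public\cmds.txt",
                    "ParentImage": r"C:\Windows\System32\cmd.exe"},
    "script_slash": {"Image": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "ftp.exe",
                     "CommandLine": "FTP /S:cmds.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    "renamed_copy": {"Image": r"C:\Temp\update.exe", "OriginalFileName": "ftp.exe",
                     "CommandLine": "update.exe -s:list.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    "child_of_ftp": {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
                     "CommandLine": "cmd.exe", "ParentImage": r"C:\Windows\System32\ftp.exe"},
    "interactive_ftp": {"Image": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "ftp.exe",
                        "CommandLine": "ftp files.example.internal",
                        "ParentImage": r"C:\Windows\System32\cmd.exe"},
}

def matching_events() -> list:
    """Names of the sample events the rule fires on."""
    return [name for name, ev in SAMPLE_EVENTS.items() if ftp_rule_matches(ev)]
```

The plain interactive `ftp <host>` invocation is the only sample that does not fire, which is what the `all of selection_child_*` clause is there for.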
References
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
Related rules
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Suspicious Runscripthelper.exe
- Add Insecure Download Source To Winget