Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
Sigma rule (View on GitHub)
1title: Potential Arbitrary Command Execution Via FTP.EXE
2id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
3status: test
4description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
5references:
6 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
7author: Victor Sergeev, oscd.community
8date: 2020-10-09
9modified: 2024-04-23
10tags:
11 - attack.execution
12 - attack.t1059
13 - attack.defense-evasion
14 - attack.t1202
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_parent:
20 ParentImage|endswith: '\ftp.exe'
21 selection_child_img:
22 - Image|endswith: '\ftp.exe'
23 - OriginalFileName: 'ftp.exe'
24 selection_child_cli:
25 CommandLine|contains|windash: '-s:'
26 condition: selection_parent or all of selection_child_*
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Suspicious Runscripthelper.exe
- Add Insecure Download Source To Winget
- Add New Download Source To Winget