Potential Arbitrary Command Execution Via FTP.EXE

calendar Apr 26, 2024 · attack.execution attack.t1059 attack.defense_evasion attack.t1202  ·
Share on: linkedin copy

Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".

Sigma rule (View on GitHub)

 1title: Potential Arbitrary Command Execution Via FTP.EXE
 2id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
 3status: test
 4description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 7author: Victor Sergeev, oscd.community
 8date: 2020/10/09
 9modified: 2024/04/23
10tags:
11    - attack.execution
12    - attack.t1059
13    - attack.defense_evasion
14    - attack.t1202
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_parent:
20        ParentImage|endswith: '\ftp.exe'
21    selection_child_img:
22        - Image|endswith: '\ftp.exe'
23        - OriginalFileName: 'ftp.exe'
24    selection_child_cli:
25        CommandLine|contains|windash: '-s:'
26    condition: selection_parent or all of selection_child_*
27falsepositives:
28    - Unknown
29level: medium

References

  • Ftp | LOLBAS

    Executes the commands you put inside the text file. echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt Use caseSpawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand Privileges re...


    Read More

Related rules

to-top