Renamed FTP.EXE Execution

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Sigma rule

title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_original:
        OriginalFileName: 'ftp.exe'
    filter_img:
        Image|endswith: '\ftp.exe'
    condition: selection_original and not filter_img
fields:
    - CommandLine
    - ParentImage
falsepositives:
    - Unknown
level: medium
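The rule's condition evaluated in Python over constructed process_creation events, as an added example that is not part of the Sigma project or this rule; the event dictionaries, paths and command lines are hypothetical, and Sigma's default case-insensitive string matching is reproduced by lower-casing both fields.

```python
# Added example: evaluate "selection_original and not filter_img" from the rule
# above against process_creation events (Sysmon-style field names).
# Sigma matches strings case-insensitively by default, hence the .lower() calls.

def renamed_ftp_exe(event: dict) -> bool:
    """True when the PE metadata says ftp.exe but the image on disk is not named ftp.exe."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    selection_original = original == "ftp.exe"          # OriginalFileName: 'ftp.exe'
    filter_img = image.endswith("\\ftp.exe")            # Image|endswith: '\ftp.exe'
    return selection_original and not filter_img


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate ftp.exe run from its normal location: selection hits, filter removes it.
    {"Image": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "ftp.exe",
     "CommandLine": "ftp -s:script.txt", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Copy of ftp.exe renamed to update.exe: PE metadata still says ftp.exe -> match.
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "ftp.exe",
     "CommandLine": "update.exe -s:c.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    # Upper-case file name: case-insensitive matching means the filter still applies.
    {"Image": r"C:\Temp\FTP.EXE", "OriginalFileName": "FTP.EXE",
     "CommandLine": "FTP.EXE", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Unrelated binary: selection does not hit at all.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def matching_events(events):
    """Return the flagged events projected to the rule's 'fields' (CommandLine, ParentImage)."""
    return [{k: e.get(k) for k in ("CommandLine", "ParentImage")}
            for e in events if renamed_ftp_exe(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print(hit)
```

The OriginalFileName field comes from the PE version resource and is recorded by Sysmon Event ID 1; the Windows Security 4688 event does not carry it, so the rule only fires on a log source that includes PE metadata.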
