Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary by comparing the OriginalFileName field from the PE version metadata with the on-disk image name. The rule needs a process-creation source that records OriginalFileName (Sysmon Event ID 1 does; the Windows Security 4688 event does not), so events without that field never match.
Sigma rule (View on GitHub)
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.t1059
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_original:
        OriginalFileName: 'ftp.exe'
    filter_img:
        Image|endswith: '\ftp.exe'
    condition: selection_original and not filter_img
fields:
    - CommandLine
    - ParentImage
falsepositives:
    - Unknown
level: medium
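The condition above is `selection_original and not filter_img`: alert when the PE metadata says the binary is ftp.exe but the path it was launched from does not end in `\ftp.exe`. The following Python is an added worked example (not part of the Sigma project or this rule) that implements that logic over a handful of constructed Sysmon-style process-creation events. Sigma string matching is case-insensitive by default, so the comparison normalises case; note that a renamed copy is caught even when it sits in a user-writable directory, while a legitimate ftp.exe, a 4688-style event with no OriginalFileName, and an upper-cased `FTP.EXE` path all fall through. The event field names follow the Sigma process_creation taxonomy; the sample paths and users are made up.

```python
"""Evaluate the 'Renamed FTP.EXE Execution' Sigma logic over constructed events.

Added example; not the Sigma project's own code. Event dicts mimic the
process_creation field names (Image, OriginalFileName, CommandLine, ParentImage).
"""
from typing import Dict, List


def matches_renamed_ftp(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies: selection_original and not filter_img."""
    # Sigma compares strings case-insensitively by default, so lower-case both sides.
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()

    # selection_original: OriginalFileName equals 'ftp.exe'
    selection_original = original == "ftp.exe"
    # filter_img: Image|endswith '\ftp.exe'
    filter_img = image.endswith("\\ftp.exe")

    return selection_original and not filter_img


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate ftp.exe from System32: metadata and path agree -> no alert
        "Image": r"C:\Windows\System32\ftp.exe",
        "OriginalFileName": "ftp.exe",
        "CommandLine": "ftp -s:C:\\Temp\\cmds.txt 10.0.0.5",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Renamed copy in a temp directory: metadata says ftp.exe, path does not -> alert
        "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
        "OriginalFileName": "ftp.exe",
        "CommandLine": "svc.exe -s:C:\\Users\\bob\\AppData\\Local\\Temp\\c.txt",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # Unrelated binary -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Security 4688-style event without OriginalFileName: the rule cannot fire
        "Image": r"C:\Users\bob\Downloads\ftp2.exe",
        "CommandLine": "ftp2.exe -s:c.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Upper-cased legitimate name: case-insensitive endswith still filters it out
        "Image": r"C:\Tools\FTP.EXE",
        "OriginalFileName": "ftp.exe",
        "CommandLine": "FTP.EXE 10.0.0.5",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def find_alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event the rule would alert on."""
    return [e["Image"] for e in events if matches_renamed_ftp(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT " if matches_renamed_ftp(e) else "ok    "
        print(f"{verdict} {e['Image']}  (parent: {e['ParentImage']})")
```

Running the block prints one line per event; only the renamed copy under `AppData\Local\Temp` is flagged. The fourth event illustrates the logsource caveat: an attacker can run a renamed ftp.exe without tripping this rule on hosts that only forward 4688 events, so Sysmon (or another source exposing OriginalFileName) is a prerequisite, not an optimisation.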
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Renamed NirCmd.EXE Execution
- Suspicious Runscripthelper.exe
- Add Insecure Download Source To Winget
- Add New Download Source To Winget