Renamed FTP.EXE Execution

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Sigma rule (View on GitHub)

 1title: Renamed FTP.EXE Execution
 2id: 277a4393-446c-449a-b0ed-7fdc7795244c
 3status: test
 4description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 7author: Victor Sergeev, oscd.community
 8date: 2020/10/09
 9modified: 2023/02/03
10tags:
11    - attack.execution
12    - attack.t1059
13    - attack.defense_evasion
14    - attack.t1202
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_original:
20        OriginalFileName: 'ftp.exe'
21    filter_img:
22        Image|endswith: '\ftp.exe'
23    condition: selection_original and not filter_img
24fields:
25    - CommandLine
26    - ParentImage
27falsepositives:
28    - Unknown
29level: medium

References

Related rules

to-top