Nasreddine Bencherchali
33 lines
902 B
YAML
33 lines
902 B
YAML
title: LOLBIN Execution Of The FTP.EXE Binary
|
|
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
|
|
status: test
|
|
description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe
|
|
references:
|
|
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
|
|
author: Victor Sergeev, oscd.community
|
|
date: 2020/10/09
|
|
modified: 2022/11/10
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059
|
|
- attack.defense_evasion
|
|
- attack.t1202
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection_parent:
|
|
ParentImage|endswith: '\ftp.exe'
|
|
selection_ftp_img:
|
|
- Image|endswith: '\ftp.exe'
|
|
- OriginalFileName: 'ftp.exe'
|
|
selection_ftp_cli:
|
|
CommandLine|contains: '-s:'
|
|
condition: selection_parent or all of selection_ftp_*
|
|
fields:
|
|
- CommandLine
|
|
- ParentImage
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|