1. Home
  2. Techniques
  3. Enterprise
  4. Application Layer Protocol
  5. File Transfer Protocols

Application Layer Protocol: File Transfer Protocols

ID Name
T1071.001 Web Protocols
T1071.002 File Transfer Protocols
T1071.003 Mail Protocols
T1071.004 DNS
T1071.005 Publish/Subscribe Protocols

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMB[1], FTP[2], FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

ID: T1071.002
Sub-technique of:  T1071
Tactic: Command and Control
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Don Le, Stifel Financial
Version: 1.4
Created: 15 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0096 APT41

APT41 used exploit payloads that initiate download via ftp.[3]
S0438 Attor

Attor has used FTP protocol for C2 communication.[4]
S1081 BADHATCH

BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.[5]
S0465 CARROTBALL

CARROTBALL has the ability to use FTP in C2 communications.[6]
S0154 Cobalt Strike

Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.[7][8]
S1088 Disco

Disco can use SMB to transfer files.[9]
G0035 Dragonfly

Dragonfly has used SMB for C2.[1]
S1229 Havoc

Havoc can use an SMB listener for C2 communication.[10][11][12]
S0201 JPIN

JPIN can communicate over FTP.[13]
S0265 Kazuar

Kazuar uses FTP and FTPS to communicate with the C2 server.[14]
G0094 Kimsuky

Kimsuky has used FTP to download additional malware to the target machine.[15]
S0409 Machete

Machete uses FTP for Command & Control.[2][16][17]
S0699 Mythic

Mythic supports SMB-based peer-to-peer C2 profiles.[18]

S0353 NOKKI

NOKKI has used FTP for C2 communications.[19]
C0006 Operation Honeybee

During Operation Honeybee, the threat actors had the ability to use FTP for C2.[20]
S0428 PoetRAT

PoetRAT has used FTP for C2 communications.[21]
S1228 PUBLOAD

PUBLOAD has used curl for data exfiltration over FTP.[22]
C0055 Quad7 Activity

Quad7 Activity has used a File Transfer Protocol (FTP) server to download malicious binaries.[23]
S0019 Regin

The Regin malware platform supports many standard protocols, including SMB.[24]
S0596 ShadowPad

ShadowPad has used FTP for C2 communications.[25]
S1089 SharpDisco

SharpDisco has the ability to transfer data between SMB shares.[9]
G0083 SilverTerrier

SilverTerrier uses FTP for C2 communications.[26]

S0464 SYSCON

SYSCON has the ability to use FTP in C2 communications.[27][6]
S0161 XAgentOSX

XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.[28]
S0412 ZxShell

ZxShell has used FTP for C2 connections.[29]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Filter outbound FTP/SFTP traffic from sensitive systems, allowing file transfers only to trusted internal or known IP addresses. This measure can prevent attackers from transferring data or payloads via FTP/SFTP channels to or from unauthorized external systems.
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0416 Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP) AN1169

Detects FTP, SMB, or TFTP traffic initiated by suspicious processes like PowerShell, cmd.exe, or rundll32.exe—especially with large outbound file transfers or unbalanced traffic volume.
AN1170

Detects usage of FTP, SCP, or TFTP by non-interactive shells or automation scripts transferring large data volumes to untrusted IPs.
AN1171

Detects Automator, AppleScript, or Terminal executing curl, lftp, or TFTP for binary transfer to untrusted IPs or unusual ports.
AN1172

Detects file movement or outbound TFTP/FTP transfers from ESXi host initiated via shell commands or injected scripts, particularly from scratch partitions or /tmp.
AN1173

Detects internal hosts generating large outbound FTP/TFTP/SMB sessions to external IPs, or file transfers using non-standard ports and application mismatches (e.g., FTP over port 80).

References

  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  4. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  5. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  6. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  7. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  8. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  9. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  10. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025.
  11. Shivtarkar, N. and Jain, S. (2023, February 14). Havoc Across the Cyberspace. Retrieved August 4, 2025.
  12. Immersive Content Team. (2024, April 9). Havoc C2 Framework – A Defensive Operator’s Guide. Retrieved August 13, 2025.
  13. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  14. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  15. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  1. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  2. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  3. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  4. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  5. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  6. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  7. Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.
  8. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
  9. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  10. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  11. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  12. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  13. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  14. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.