Application Layer Protocol: File Transfer Protocols

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

ID: T1071.002
Sub-technique of:  T1071
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Version: 1.0
Created: 15 March 2020
Last Modified: 26 March 2020

Procedure Examples

Name Description
APT41

APT41 used exploit payloads that initiate download via FTP.[13]

Attor

Attor has used FTP protocol for C2 communication.[8]

CARROTBALL

CARROTBALL has the ability to use FTP in C2 communications.[1]

Honeybee

Honeybee uses FTP for command and control.[10]

JPIN

JPIN can communicate over FTP.[2]

Kazuar

Kazuar uses FTP and FTPS to communicate with the C2 server.[6]

Machete

Machete uses FTP for Command & Control.[5]

Machete

Machete malware used FTP for C2.[11]

NOKKI

NOKKI has used FTP for C2 communications.[4]

SilverTerrier

SilverTerrier uses FTP for C2 communications.[12]

SYSCON

SYSCON has the ability to use FTP in C2 communications.[9][1]

XAgentOSX

XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.[3]

ZxShell

ZxShell has used FTP for C2 connections.[7]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.[14]

References