T1071.002 File Transfer Protocols Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
// Detect anomalous FTP/SMB/TFTP connections to external IPs
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort in (20, 21, 445, 139, 69, 990)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| summarize
    ConnectionCount = count(),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, AccountName
| extend Protocol = case(
    RemotePort in (20, 21, 990), "FTP/FTPS",
    RemotePort in (445, 139), "SMB",
    RemotePort == 69, "TFTP",
    "Unknown")
| where ConnectionCount > 3
| project LastSeen, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemotePort, Protocol, ConnectionCount, BytesSent, BytesReceived, FirstSeen
| sort by ConnectionCount desc

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate FTP file transfers to external vendors or partner organizations (common in manufacturing, healthcare, and finance)
SFTP/FTPS connections to cloud-hosted file exchange platforms (e.g., GoAnywhere, MOVEit)
SMB connections through VPN tunnels to remote offices that appear as public IPs before NAT
Automated backup scripts that upload to external FTP servers

Splunk

spl

index=network OR index=firewall sourcetype IN ("stream:ftp", "stream:smb", "pan:traffic", "cisco:asa")
  (dest_port IN (20, 21, 445, 139, 69, 990))
  action=allowed
  NOT (dest_ip="10.*" OR dest_ip="172.16.*" OR dest_ip="192.168.*" OR dest_ip="127.*")
| eval Protocol=case(
    dest_port IN (20, 21, 990), "FTP/FTPS",
    dest_port IN (445, 139), "SMB",
    dest_port=69, "TFTP",
    1=1, "Unknown")
| stats count as ConnectionCount, sum(bytes_out) as BytesSent, sum(bytes_in) as BytesReceived, earliest(_time) as FirstSeen, latest(_time) as LastSeen, values(user) as Users by src_ip, dest_ip, dest_port, Protocol, process_name
| where ConnectionCount > 3
| eval ExfilRisk=if(BytesSent > 10485760, "HIGH", if(BytesSent > 1048576, "MEDIUM", "LOW"))
| table FirstSeen, LastSeen, src_ip, dest_ip, dest_port, Protocol, process_name, Users, ConnectionCount, BytesSent, BytesReceived, ExfilRisk
| sort - ConnectionCount

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Firewall Logs Network Stream Data

Required Sourcetypes

stream:ftp stream:smb pan:traffic cisco:asa

False Positives

Legitimate FTP file transfers to external vendors or partner organizations (common in manufacturing, healthcare, and finance)
SFTP/FTPS connections to cloud-hosted file exchange platforms (e.g., GoAnywhere, MOVEit)
SMB connections through VPN tunnels to remote offices that appear as public IPs before NAT
Automated backup scripts that upload to external FTP servers

Elastic Security (EQL)

eql

network where event.type in ("connection", "start") and
  event.outcome == "success" and
  network.direction in ("outbound", "egress") and
  destination.port in (20, 21, 69, 139, 445, 990) and
  not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "169.254.0.0/16", "fe80::/10")

/* Deploy as Elastic Threshold Rule:
   Threshold: count > 3
   Group by: host.name, process.executable, destination.ip, destination.port
   Time window: 24h
   This base EQL filters candidate events; the threshold config enforces the >3 count */

medium severity medium confidence

Data Sources

Elastic Endpoint Security (endpoint.events.network) Packetbeat network flow logs Winlogbeat with Sysmon Event ID 3 (Network Connection) Filebeat with network firewall modules

Required Tables

logs-endpoint.events.network-* logs-system.security-* winlogbeat-* packetbeat-* .ds-logs-*

False Positives

IT administrators or DevOps engineers using FTP/SFTP to deploy content to externally hosted web servers or CDNs — common in organisations without a central deployment pipeline.
Scheduled backup agents (e.g., Veeam, Acronis, rsync over FTP) replicating data to external storage providers will generate high connection counts with large BytesSent values.
Windows domain controllers or file servers with legitimate external SMB traffic to cloud-based file shares (e.g., Azure Files via port 445) will fire when destination IP resolves to a Microsoft public range.
Pentest or red team engagements using FTP/SMB as a deliberate living-off-the-land transfer mechanism during an authorised assessment.

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationport,
  username,
  CASE
    WHEN destinationport IN (20, 21, 990) THEN 'FTP/FTPS'
    WHEN destinationport IN (445, 139) THEN 'SMB'
    WHEN destinationport = 69 THEN 'TFTP'
    ELSE 'Unknown'
  END AS Protocol,
  COUNT(*) AS ConnectionCount,
  SUM("BytesSent") AS TotalBytesSent,
  SUM("BytesReceived") AS TotalBytesReceived,
  MIN(starttime) AS FirstSeen,
  MAX(starttime) AS LastSeen,
  CASE
    WHEN SUM("BytesSent") > 10485760 THEN 'HIGH'
    WHEN SUM("BytesSent") > 1048576  THEN 'MEDIUM'
    ELSE 'LOW'
  END AS ExfilRisk
FROM events
WHERE
  destinationport IN (20, 21, 69, 139, 445, 990)
  AND eventdirection = 'L2R'
  AND "BytesSent" IS NOT NULL
  AND NOT (
    destinationip INCIDR '10.0.0.0/8'
    OR destinationip INCIDR '172.16.0.0/12'
    OR destinationip INCIDR '192.168.0.0/16'
    OR destinationip INCIDR '127.0.0.0/8'
    OR destinationip INCIDR '169.254.0.0/16'
    OR destinationip INCIDR '100.64.0.0/10'
  )
  AND CATEGORYNAME(category) IN (
    'Access Permitted', 'Connection Accepted',
    'Session Opened', 'Network Connection'
  )
  LAST 24 HOURS
GROUP BY
  sourceip, destinationip, destinationport, username, Protocol
HAVING ConnectionCount > 3
ORDER BY ConnectionCount DESC

medium severity medium confidence

Data Sources

Palo Alto Networks Firewall (LEEF/syslog) Cisco ASA / FTD Fortinet FortiGate Check Point Firewall IBM QRadar Network Insights (QNI) flow data Windows Security Event Log (EventID 5156 — WFAS)

Required Tables

events

False Positives

Automated build or CI/CD pipelines that FTP artefacts to external staging environments — these produce high, consistent BytesSent values on port 21 from a predictable process account.
Windows file servers with DFS replication or legitimate administrative SMB access to Azure Files (port 445 to Microsoft ASN ranges) generating repeated outbound connections.
Endpoint backup clients (e.g., Code42, Carbonite) that use FTP-based transfer protocols and run on a schedule, producing regular high-volume connections from the same source IP.

Sumo Logic CSE

sql

(_sourceCategory=network/firewall OR _sourceCategory=network/paloalto OR _sourceCategory=network/cisco/asa OR _sourceCategory=network/fortinet)
| where dest_port in ("20","21","69","139","445","990")
| where action in ("allow","allowed","permit","accept","built")
| where !isPrivateIP(dest_ip)
| where dest_ip != "0.0.0.0"
| eval Protocol = if(dest_port in ("20","21","990"), "FTP/FTPS",
    if(dest_port in ("445","139"), "SMB",
    if(dest_port == "69", "TFTP", "Unknown")))
| eval BytesSent = toLong(if(isNull(bytes_out), "0", bytes_out))
| eval BytesReceived = toLong(if(isNull(bytes_in), "0", bytes_in))
| stats
    count as ConnectionCount,
    sum(BytesSent) as TotalBytesSent,
    sum(BytesReceived) as TotalBytesReceived,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen,
    values(user) as Users
  by src_ip, dest_ip, dest_port, Protocol, process_name
| where ConnectionCount > 3
| eval ExfilRisk = if(TotalBytesSent > 10485760, "HIGH",
    if(TotalBytesSent > 1048576, "MEDIUM", "LOW"))
| formatDate(toLong(FirstSeen), "yyyy-MM-dd HH:mm:ss") as FirstSeen
| formatDate(toLong(LastSeen),  "yyyy-MM-dd HH:mm:ss") as LastSeen
| fields LastSeen, FirstSeen, src_ip, dest_ip, dest_port, Protocol, process_name, Users, ConnectionCount, TotalBytesSent, TotalBytesReceived, ExfilRisk
| sort by ConnectionCount desc

medium severity medium confidence

Data Sources

Palo Alto Networks (sourceCategory=network/paloalto) Cisco ASA (sourceCategory=network/cisco/asa) Fortinet FortiGate (sourceCategory=network/fortinet) Generic firewall syslog (sourceCategory=network/firewall) Sumo Logic CSE normalised network schema

Required Tables

network/firewall network/paloalto network/cisco/asa network/fortinet

False Positives

Legitimate FTP-based website publishing tools (e.g., FileZilla in automated mode, WinSCP scripted transfers) used by web developers or marketing teams deploying content to external hosting providers.
Enterprise DLP or backup agents that transfer data over FTP/FTPS to vendor-managed cloud storage, generating large sustained BytesSent volumes from a known service account.
Security scanners or asset inventory tools that probe external partner IPs on SMB port 445 as part of scheduled vulnerability assessments, producing bursts of allowed connections.

Google Chronicle / SecOps

yaral

rule t1071_002_file_transfer_protocol_external_connections {
  meta:
    author          = "Detection Engineering"
    description     = "Detects hosts making repeated outbound file transfer protocol connections (FTP/FTPS/SMB/TFTP) to external public IP addresses, indicative of C2 channel establishment or data exfiltration via MITRE ATT&CK T1071.002."
    mitre_attack_tactic     = "Command and Control"
    mitre_attack_technique  = "T1071.002"
    mitre_attack_url        = "https://attack.mitre.org/techniques/T1071/002/"
    severity        = "MEDIUM"
    confidence      = "MEDIUM"
    reference       = "https://attack.mitre.org/techniques/T1071/002/"

  events:
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.direction   = "OUTBOUND"
    $net.target.port in (20, 21, 69, 139, 445, 990)

    // Exclude RFC1918 and loopback destinations
    not re.regex($net.target.ip, `^10\.`)
    not re.regex($net.target.ip, `^172\.(1[6-9]|2[0-9]|3[01])\.`)
    not re.regex($net.target.ip, `^192\.168\.`)
    not re.regex($net.target.ip, `^127\.`)
    not re.regex($net.target.ip, `^169\.254\.`)
    not re.regex($net.target.ip, `^::1$`)

    $net.principal.hostname  = $hostname
    $net.principal.process.file.full_path = $process_path
    $net.target.ip           = $dest_ip
    $net.target.port         = $dest_port

  match:
    $hostname, $process_path, $dest_ip, $dest_port over 24h

  outcome:
    $connection_count = count_distinct($net.metadata.id)
    $bytes_sent       = sum($net.network.sent_bytes)
    $bytes_received   = sum($net.network.received_bytes)
    $first_seen       = min($net.metadata.event_timestamp.seconds)
    $last_seen        = max($net.metadata.event_timestamp.seconds)
    $risk_level       = if($bytes_sent > 10485760, "HIGH",
                          if($bytes_sent > 1048576,  "MEDIUM", "LOW"))

  condition:
    #net > 3
}

medium severity medium confidence

Data Sources

Chronicle UDM NETWORK_CONNECTION events Palo Alto Networks (Chronicle ingestion parser) Cisco ASA / FTD Fortinet FortiGate Windows Sysmon Event ID 3 (network connection, via Chronicle Windows parser) CrowdStrike Falcon telemetry forwarded to Chronicle

Required Tables

NETWORK_CONNECTION (UDM event_type)

False Positives

Software update mechanisms or patch management agents that fetch update packages over FTP from vendor-controlled external servers, generating repeated low-byte connections at predictable scheduled intervals.
Penetration testers or red team operators using SMB (port 445) or FTP during an authorised engagement against internal targets that have routable external IPs, or against external infrastructure under test.
Managed file transfer (MFT) solutions such as GoAnywhere or MOVEit that conduct scheduled FTPS transfers to third-party trading partners, producing regular high-volume connections from a dedicated service account.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = NetworkConnectIP4
| RemotePort in (20, 21, 69, 139, 445, 990)

// Drop RFC1918, loopback, and APIPA destinations
| RemoteAddressIP4 != /^10\./
| RemoteAddressIP4 != /^172\.(1[6-9]|2[0-9]|3[01])\./
| RemoteAddressIP4 != /^192\.168\./
| RemoteAddressIP4 != /^127\./
| RemoteAddressIP4 != /^169\.254\./

| TransferProtocol := case {
    RemotePort in (20, 21, 990) => "FTP/FTPS";
    RemotePort in (445, 139)    => "SMB";
    RemotePort = 69             => "TFTP";
    *                           => "Unknown"
  }

// Aggregate per host + process + remote endpoint
| groupBy(
    [ComputerName, ImageFileName, UserName, RemoteAddressIP4, RemotePort, TransferProtocol],
    function=[
      count(as=ConnectionCount),
      sum(BytesSent,     as=TotalBytesSent),
      sum(BytesReceived, as=TotalBytesReceived),
      min(@timestamp,    as=FirstSeen),
      max(@timestamp,    as=LastSeen)
    ]
  )

| ConnectionCount > 3

| ExfilRisk := case {
    TotalBytesSent > 10485760 => "HIGH";
    TotalBytesSent > 1048576  => "MEDIUM";
    *                         => "LOW"
  }

| sort(ConnectionCount, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Sensor — NetworkConnectIP4 events Falcon Insight EDR network telemetry Falcon Network Containment (if enabled)

Required Tables

NetworkConnectIP4

False Positives

Endpoint backup agents (e.g., Veeam Agent, Acronis Cyber Protect) configured to send backups to external FTP/FTPS repositories will generate high ConnectionCount and TotalBytesSent from the backup process executable.
Development workstations running FTP or SMB clients to sync code repositories or assets with externally hosted servers — especially common in remote developer environments connecting to company-owned cloud VMs with public IPs.
Security tooling such as vulnerability scanners or EDR management consoles that establish SMB connections to externally reachable managed endpoints during asset scanning or policy push operations.

File Transfer Protocols

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections