Detect File Transfer Protocols in Google Chronicle
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1071 Application Layer Protocol
- Sub-technique
- T1071.002 File Transfer Protocols
- Canonical reference
- https://attack.mitre.org/techniques/T1071/002/
YARA-L Detection Query
rule t1071_002_file_transfer_protocol_external_connections {
meta:
author = "Detection Engineering"
description = "Detects hosts making repeated outbound file transfer protocol connections (FTP/FTPS/SMB/TFTP) to external public IP addresses, indicative of C2 channel establishment or data exfiltration via MITRE ATT&CK T1071.002."
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1071.002"
mitre_attack_url = "https://attack.mitre.org/techniques/T1071/002/"
severity = "MEDIUM"
confidence = "MEDIUM"
reference = "https://attack.mitre.org/techniques/T1071/002/"
events:
$net.metadata.event_type = "NETWORK_CONNECTION"
$net.network.direction = "OUTBOUND"
$net.target.port in (20, 21, 69, 139, 445, 990)
// Exclude RFC1918 and loopback destinations
not re.regex($net.target.ip, `^10\.`)
not re.regex($net.target.ip, `^172\.(1[6-9]|2[0-9]|3[01])\.`)
not re.regex($net.target.ip, `^192\.168\.`)
not re.regex($net.target.ip, `^127\.`)
not re.regex($net.target.ip, `^169\.254\.`)
not re.regex($net.target.ip, `^::1$`)
$net.principal.hostname = $hostname
$net.principal.process.file.full_path = $process_path
$net.target.ip = $dest_ip
$net.target.port = $dest_port
match:
$hostname, $process_path, $dest_ip, $dest_port over 24h
outcome:
$connection_count = count_distinct($net.metadata.id)
$bytes_sent = sum($net.network.sent_bytes)
$bytes_received = sum($net.network.received_bytes)
$first_seen = min($net.metadata.event_timestamp.seconds)
$last_seen = max($net.metadata.event_timestamp.seconds)
$risk_level = if($bytes_sent > 10485760, "HIGH",
if($bytes_sent > 1048576, "MEDIUM", "LOW"))
condition:
#net > 3
}Chronicle YARA-L 2.0 rule matching outbound NETWORK_CONNECTION UDM events on file transfer protocol ports (FTP 20/21, FTPS 990, SMB 445/139, TFTP 69) to non-RFC1918 destinations. Groups detections by hostname, initiating process, destination IP, and destination port over a 24-hour match window, firing when the connection count exceeds 3. Outcome fields capture byte volume and compute an exfiltration risk tier. Compatible with Palo Alto, Cisco, Fortinet, Windows Sysmon, and Endpoint forwarders ingested into Chronicle via SIEM parsers.
Data Sources
Required Tables
False Positives & Tuning
- Software update mechanisms or patch management agents that fetch update packages over FTP from vendor-controlled external servers, generating repeated low-byte connections at predictable scheduled intervals.
- Penetration testers or red team operators using SMB (port 445) or FTP during an authorised engagement against internal targets that have routable external IPs, or against external infrastructure under test.
- Managed file transfer (MFT) solutions such as GoAnywhere or MOVEit that conduct scheduled FTPS transfers to third-party trading partners, producing regular high-volume connections from a dedicated service account.
Other platforms for T1071.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FTP C2 Simulation via Built-in Client
Expected signal: Sysmon Event ID 1: Process creation for ftp.exe with -s: flag pointing to script file. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:21. Sysmon Event ID 11: File creation of ftp_c2.txt in TEMP directory.
- Test 2SMB Named Pipe C2 Simulation
Expected signal: Sysmon Event ID 17: Pipe Created with PipeName=\\msagent_f1. Sysmon Event ID 1: PowerShell process creation with named pipe creation in command line. The pipe name 'msagent_f1' is a known Cobalt Strike default pipe name pattern.
- Test 3FTP Data Exfiltration via curl
Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:21. Process creation event for curl with -T (upload) flag and ftp:// URL. File creation event for the test file.
References (6)
- https://attack.mitre.org/techniques/T1071/002/
- https://www.us-cert.gov/ncas/alerts/TA18-074A
- https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.002/T1071.002.md
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
- https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation
Unlock Pro Content
Get the full detection package for T1071.002 including response playbook, investigation guide, and atomic red team tests.