T1071.002 IBM QRadar · QRadar

Detect File Transfer Protocols in IBM QRadar

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.002 File Transfer Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationport,
  username,
  CASE
    WHEN destinationport IN (20, 21, 990) THEN 'FTP/FTPS'
    WHEN destinationport IN (445, 139) THEN 'SMB'
    WHEN destinationport = 69 THEN 'TFTP'
    ELSE 'Unknown'
  END AS Protocol,
  COUNT(*) AS ConnectionCount,
  SUM("BytesSent") AS TotalBytesSent,
  SUM("BytesReceived") AS TotalBytesReceived,
  MIN(starttime) AS FirstSeen,
  MAX(starttime) AS LastSeen,
  CASE
    WHEN SUM("BytesSent") > 10485760 THEN 'HIGH'
    WHEN SUM("BytesSent") > 1048576  THEN 'MEDIUM'
    ELSE 'LOW'
  END AS ExfilRisk
FROM events
WHERE
  destinationport IN (20, 21, 69, 139, 445, 990)
  AND eventdirection = 'L2R'
  AND "BytesSent" IS NOT NULL
  AND NOT (
    destinationip INCIDR '10.0.0.0/8'
    OR destinationip INCIDR '172.16.0.0/12'
    OR destinationip INCIDR '192.168.0.0/16'
    OR destinationip INCIDR '127.0.0.0/8'
    OR destinationip INCIDR '169.254.0.0/16'
    OR destinationip INCIDR '100.64.0.0/10'
  )
  AND CATEGORYNAME(category) IN (
    'Access Permitted', 'Connection Accepted',
    'Session Opened', 'Network Connection'
  )
  LAST 24 HOURS
GROUP BY
  sourceip, destinationip, destinationport, username, Protocol
HAVING ConnectionCount > 3
ORDER BY ConnectionCount DESC
medium severity medium confidence

QRadar AQL query targeting the events store to identify hosts making more than 3 successful outbound connections on file transfer protocol ports (FTP 20/21, FTPS 990, SMB 445/139, TFTP 69) to non-RFC1918 addresses within a 24-hour window. Groups by source, destination, port, and username; computes total bytes sent to surface high-volume exfiltration risk. Requires network firewall or IDS log sources feeding QRadar with flow or session data including byte counters.

Data Sources

Palo Alto Networks Firewall (LEEF/syslog)Cisco ASA / FTDFortinet FortiGateCheck Point FirewallIBM QRadar Network Insights (QNI) flow dataWindows Security Event Log (EventID 5156 — WFAS)

Required Tables

events

False Positives & Tuning

  • Automated build or CI/CD pipelines that FTP artefacts to external staging environments — these produce high, consistent BytesSent values on port 21 from a predictable process account.
  • Windows file servers with DFS replication or legitimate administrative SMB access to Azure Files (port 445 to Microsoft ASN ranges) generating repeated outbound connections.
  • Endpoint backup clients (e.g., Code42, Carbonite) that use FTP-based transfer protocols and run on a schedule, producing regular high-volume connections from the same source IP.
Download portable Sigma rule (.yml)

Other platforms for T1071.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FTP C2 Simulation via Built-in Client

    Expected signal: Sysmon Event ID 1: Process creation for ftp.exe with -s: flag pointing to script file. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:21. Sysmon Event ID 11: File creation of ftp_c2.txt in TEMP directory.

  2. Test 2SMB Named Pipe C2 Simulation

    Expected signal: Sysmon Event ID 17: Pipe Created with PipeName=\\msagent_f1. Sysmon Event ID 1: PowerShell process creation with named pipe creation in command line. The pipe name 'msagent_f1' is a known Cobalt Strike default pipe name pattern.

  3. Test 3FTP Data Exfiltration via curl

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:21. Process creation event for curl with -T (upload) flag and ftp:// URL. File creation event for the test file.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1071.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.001Web ProtocolsT1071.003Mail ProtocolsT1071.004DNST1071.005Publish/Subscribe Protocols

Related Techniques

T1071Application Layer ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1021.002SMB/Windows Admin SharesT1570Lateral Tool TransferT1105Ingress Tool TransferT1572Protocol TunnelingT1573Encrypted Channel

Same Tactic: Command and Control

Popular Detections