The LightFTP_Config rule detects potential unauthorized FTP server configurations that could be used to establish a foothold in a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate the risk of malicious or compromised FTP services being deployed.
YARA Rule

rule LightFTP_Config {
    meta:
        description = "Detects a light FTP server - config file"
        author = "Florian Roth"
        reference = "https://github.com/hfiref0x/LightFTP"
        date = "2015-05-14"
        hash = "ce9821213538d39775af4a48550eefa3908323c5"
    strings:
        $s2 = "maxusers=" wide
        $s6 = "[ftpconfig]" fullword wide
        $s8 = "accs=readonly" fullword wide
        $s9 = "[anonymous]" fullword wide
        $s10 = "accs=" fullword wide
        $s11 = "pswd=" fullword wide
    condition:
        uint16(0) == 0xfeff and filesize < 1KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic, all declared wide (UTF-16LE). The condition also requires a UTF-16LE byte-order mark at offset 0 (uint16(0) == 0xfeff reads the bytes FF FE) and a file smaller than 1 KB, so the rule only fires on small, UTF-16-encoded configuration files; the same text saved as UTF-8 does not match.
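The rule's condition, emulated in Python so the encoding and fullword requirements can be checked against constructed inputs (added example, not part of the original page or the LightFTP project; the sample configs and helper names are assumptions, and real scanning should use yara or yara-python):

```python
# Pure-Python emulation of the LightFTP_Config condition (added example, not yara itself).
# Wide (UTF-16LE) patterns copied from the rule, with their fullword flag.
STRINGS = {
    "$s2": ("maxusers=", False),
    "$s6": ("[ftpconfig]", True),
    "$s8": ("accs=readonly", True),
    "$s9": ("[anonymous]", True),
    "$s10": ("accs=", True),
    "$s11": ("pswd=", True),
}

def _wide_alnum(data: bytes, off: int) -> bool:
    """True if the UTF-16LE code unit at byte offset off is an ASCII letter or digit."""
    return off + 1 < len(data) and data[off + 1] == 0 and data[off:off + 1].isalnum()

def wide_matches(data: bytes, text: str, fullword: bool) -> bool:
    """Does text occur UTF-16LE-encoded in data? With fullword, as in YARA, the match
    must not be adjacent to an alphanumeric character on either side."""
    pat = text.encode("utf-16-le")
    start = 0
    while (i := data.find(pat, start)) != -1:
        start = i + 2
        if not fullword:
            return True
        if (i < 2 or not _wide_alnum(data, i - 2)) and not _wide_alnum(data, i + len(pat)):
            return True
    return False

def matched_strings(data: bytes) -> list[str]:
    """Which of the rule's strings are present (useful when triaging a near miss)."""
    return [name for name, (text, fw) in STRINGS.items() if wide_matches(data, text, fw)]

def lightftp_config_matches(data: bytes) -> bool:
    """Mirror the condition: uint16(0) == 0xfeff and filesize < 1KB and all of them."""
    bom_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0xFEFF
    return bom_ok and len(data) < 1024 and len(matched_strings(data)) == len(STRINGS)

def utf16_config(*lines: str) -> bytes:
    """Encode constructed config lines the way the rule expects them: BOM + UTF-16LE."""
    return ("\ufeff" + "\r\n".join(lines)).encode("utf-16-le")

# Constructed samples (not from any real host). The empty accs= in [backup] is what lets
# the fullword $s10 match; inside accs=readonly it is followed by a letter and does not.
FULL_MATCH = utf16_config("[ftpconfig]", "port=21", "maxusers=10", "", "[anonymous]",
                          "pswd=*", "accs=readonly", "", "[backup]", "pswd=*", "accs=")
READONLY_ONLY = utf16_config("[ftpconfig]", "maxusers=10", "",
                             "[anonymous]", "pswd=*", "accs=readonly")
UTF8_COPY = FULL_MATCH.decode("utf-16-le").encode("utf-8")  # same text, no wide chars
```

A UTF-8 copy of the same text yields no string matches at all, and a file carrying only accs=readonly is missing $s10 because fullword requires a non-alphanumeric character right after the = sign.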
False Positive Scenarios

Scenario: Legitimate FTP server configuration file
Description: A system administrator is configuring a legitimate LightFTP server for internal file sharing.
Filter/Exclusion: Check the file path against known server configuration directories (e.g., /etc/lightftp/, /opt/lightftp/config/) and verify the file is owned by the root or lightftp user.

Scenario: Scheduled job to generate FTP config for backup
Description: A scheduled job runs a script that generates a LightFTP configuration file as part of a backup or deployment process.
Filter/Exclusion: Exclude files created by known backup tools (e.g., rsync, backuppc) or scripts with known job names (e.g., daily_backup.sh).

Scenario: Admin task to update FTP server settings
Description: An admin is manually updating the LightFTP configuration using a text editor or configuration management tool (e.g., Ansible, Puppet).
Filter/Exclusion: Exclude files modified by known admin tools or users (e.g., root, admin, sudo), or filter by process name (e.g., nano, vim, ansible).

Scenario: Testing LightFTP configuration locally
Description: A developer is testing the LightFTP server on a local machine and has created a config file for testing purposes.
Filter/Exclusion: Exclude files located in user home directories (e.g., ~/.lightftp/config) or files created by known development tools (e.g., vim, nano, code).

Scenario: Configuration file for a related service (e.g., FTPS)
Description: The file is part of a related service (e.g., FTPS) and contains configuration for secure FTP, not LightFTP.
Filter/Exclusion: Exclude