Adversaries may use a light FTP server to establish a low-profile command and control channel or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 infrastructure and mitigate advanced persistent threat activities.
YARA Rule
rule LightFTP_fftp_x86_64 {
    meta:
        description = "Detects a light FTP server"
        author = "Florian Roth"
        reference = "https://github.com/hfiref0x/LightFTP"
        date = "2015-05-14"
        hash1 = "989525f85abef05581ccab673e81df3f5d50be36"
        hash2 = "5884aeca33429830b39eba6d3ddb00680037faf4"
        score = 50
    strings:
        $s1 = "fftp.cfg" fullword wide
        $s2 = "220 LightFTP server v1.0 ready" fullword ascii
        $s3 = "*FTP thread exit*" fullword wide
        $s4 = "PASS->logon successful" fullword ascii
        $s5 = "250 Requested file action okay, completed." fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and 4 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic; its condition fires only on a file that starts with the MZ header (uint16(0) == 0x5a4d), is smaller than 250KB, and contains at least 4 of the 5 strings, each as a full word in the declared encoding (wide for $s1 and $s3, ascii for the rest).
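As an added example that is not part of the original page or the LightFTP project, the following Python emulates this rule's condition (MZ header, size under 250KB, 4 of the 5 strings, with YARA's `fullword` and `wide` semantics) on constructed buffers, so the matching logic can be inspected without a YARA install; the sample bytes are made up and are not real LightFTP binaries.

```python
# Strings and modifiers copied from the rule above; samples further down are constructed.
RULE_STRINGS = {
    "$s1": ("fftp.cfg", "wide"),
    "$s2": ("220 LightFTP server v1.0 ready", "ascii"),
    "$s3": ("*FTP thread exit*", "wide"),
    "$s4": ("PASS->logon successful", "ascii"),
    "$s5": ("250 Requested file action okay, completed.", "ascii"),
}
MAX_SIZE = 250 * 1024  # YARA's "250KB" is 250 * 1024 bytes

def _alnum_at(chunk: bytes, step: int) -> bool:
    """True if chunk holds an ASCII alphanumeric (a UTF-16LE unit when step == 2)."""
    if len(chunk) < step or (step == 2 and chunk[1] != 0):
        return False
    return chunk[:1].isalnum()

def fullword_matches(data: bytes, text: str, mode: str) -> bool:
    """Emulate YARA `fullword`: no alphanumeric char may border the match.
    `wide` strings are searched as UTF-16LE, `ascii` as plain bytes."""
    step = 2 if mode == "wide" else 1
    needle = text.encode("utf-16-le" if mode == "wide" else "ascii")
    start = 0
    while (pos := data.find(needle, start)) != -1:
        before = data[max(pos - step, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum_at(before, step) and not _alnum_at(after, step):
            return True
        start = pos + 1  # bordered by alnum: keep looking for another occurrence
    return False

def evaluate_rule(data: bytes) -> dict:
    """Apply the condition: uint16(0) == 0x5a4d, filesize < 250KB, 4 of them."""
    matched = [n for n, (t, m) in RULE_STRINGS.items() if fullword_matches(data, t, m)]
    is_mz = data[:2] == b"MZ"  # 0x5a4d little-endian at offset 0 is the bytes "MZ"
    return {"mz": is_mz, "strings": matched,
            "match": is_mz and len(data) < MAX_SIZE and len(matched) >= 4}

# Constructed buffers (not real LightFTP binaries): a fake PE with four of the
# five strings, the same bytes without the MZ header, and a PE with only three.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62
              + b"220 LightFTP server v1.0 ready\x00\x00"
              + "fftp.cfg".encode("utf-16-le") + b"\x00\x00"
              + b"PASS->logon successful\x00\x00"
              + b"250 Requested file action okay, completed.\x00")
SAMPLE_NO_MZ = SAMPLE_HIT[2:]
SAMPLE_PARTIAL = SAMPLE_HIT[:SAMPLE_HIT.index(b"250 Requested")]

if __name__ == "__main__":  # prints: hit True / no_mz False / partial False
    for name, buf in (("hit", SAMPLE_HIT), ("no_mz", SAMPLE_NO_MZ), ("partial", SAMPLE_PARTIAL)):
        print(name, evaluate_rule(buf)["match"])
```

The `wide` boundary check mirrors YARA's rule that the neighbouring UTF-16 unit must be a null-padded ASCII alphanumeric to disqualify a match, which is why the constructed buffer pads the wide string with two null bytes on each side.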
Scenario: A system administrator is performing a scheduled backup using lftp to transfer files to a remote server.
Filter/Exclusion: Check for the presence of lftp in the process name and exclude traffic associated with known backup schedules or specific backup directories.
Scenario: A developer is using vsftpd to manually transfer configuration files to a test environment.
Filter/Exclusion: Exclude connections to internal IP ranges or specific test servers, and filter out traffic initiated from development workstations.
Scenario: A cron job is running a script that uses ncftpput to upload log files to a central logging server.
Filter/Exclusion: Exclude traffic from known cron job directories (e.g., /etc/cron.d/) and filter by specific log file paths or destination servers.
Scenario: An IT team is using FileZilla Server to manage file transfers between internal systems during a maintenance window.
Filter/Exclusion: Exclude connections from internal IP ranges and filter by known internal file transfer protocols or specific user credentials.
Scenario: A DevOps engineer is using ftp (command-line) to push code artifacts to a staging server as part of a CI/CD pipeline.
Filter/Exclusion: Exclude traffic from CI/CD agent IPs, filter by specific user accounts used in automation, and check for known CI/CD tooling in the process tree.