Communications over FTP

Hunt Hypothesis

Adversaries may use FTP to establish covert communication channels to exfiltrate data or command and control infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts that may bypass traditional network defenses.

YARA Rule

rule network_ftp {
    meta:
        author = "x0r"
        description = "Communications over FTP"
	version = "0.1"
    strings:
	   $f1 = "Wininet.dll" nocase
        $c1 = "FtpGetCurrentDirectory"
        $c2 = "FtpGetFile"
        $c3 = "FtpPutFile"
        $c4 = "FtpSetCurrentDirectory"
        $c5 = "FtpOpenFile"
        $c6 = "FtpGetFileSize"
        $c7 = "FtpDeleteFile"
        $c8 = "FtpCreateDirectory"
        $c9 = "FtpRemoveDirectory"
        $c10 = "FtpRenameFile"
        $c11 = "FtpDownload"
        $c12 = "FtpUpload"
        $c13 = "FtpGetDirectory"
    condition:
        $f1 and (4 of ($c*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 14 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System backup using WinSCP or FileZilla for scheduled backups
  Filter/Exclusion: Exclude traffic from known backup tools or IP addresses used for scheduled backups.
  Example Filter: process.name != "WinSCP.exe" or process.name != "FileZilla.exe"

• Scenario: Admin performing file transfers via FTP for software updates using FileZilla
  Filter/Exclusion: Exclude traffic from admin accounts or specific user groups responsible for software updates.
  Example Filter: user.name != "admin" or user.name != "update_admin"

• Scenario: Automated job using cron or Task Scheduler to transfer logs via vsftpd
  Filter/Exclusion: Exclude traffic initiated by scheduled tasks or specific service accounts.
  Example Filter: process.name != "cron" or process.name != "task scheduler" or service.name != "vsftpd"

• Scenario: Internal file sharing between servers using FTP for data synchronization
  Filter/Exclusion: Exclude internal IP ranges or traffic between known internal servers.
  Example Filter: source.ip in [192.168.0.0/16] or destination.ip in [192.16.0.0/16]

• Scenario: User manually transferring files via FTP for collaboration purposes using FileZilla
  Filter/Exclusion: Exclude traffic from users in collaboration teams or specific user groups.
  Example Filter: user.group != "collaboration_team" or user.group != "project_team"