File Transfer Protocols

Information

• Name: File Transfer Protocols

• ID: T1071.002

• Tactics: TA0011

• Technique: T1071

Introduction

File Transfer Protocols (T1071.002) is a sub-technique within the MITRE ATT&CK framework under the Command and Control (C2) tactic. It involves adversaries leveraging standard file transfer protocols like FTP, FTPS, SFTP, SCP, WebDAV, and others, to establish communication channels, transfer malicious payloads, exfiltrate data, or maintain persistence. Because these protocols are commonly used for legitimate purposes, adversaries exploit their benign appearance to blend malicious traffic with normal network activities, making detection challenging.

Deep Dive Into Technique

Adversaries utilize various file transfer protocols to perform malicious activities discreetly. Common protocols exploited include:

• FTP (File Transfer Protocol):

  • Typically operates on TCP ports 20 and 21.

  • Plaintext transfer, making it simple but insecure.

  • Attackers may use FTP to upload malware or exfiltrate sensitive data.

• FTPS (FTP Secure):

  • FTP with SSL/TLS encryption, typically TCP ports 989/990.

  • Offers encrypted channels, complicating detection due to encrypted payloads.

• SFTP (SSH File Transfer Protocol):

  • Operates over SSH (TCP port 22).

  • Provides secure, encrypted file transfer.

  • Attackers leverage existing SSH infrastructure to evade suspicion.

• SCP (Secure Copy Protocol):

  • Uses SSH (TCP port 22) to securely copy files.

  • Commonly used in Linux/Unix environments.

• WebDAV (Web Distributed Authoring and Versioning):

  • Extension of HTTP/HTTPS protocols (TCP ports 80/443).

  • Allows file management on remote web servers.

  • Attackers exploit WebDAV to upload malicious web shells or exfiltrate data.

Execution methods and mechanisms include:

• Embedding malicious payloads within legitimate file transfers.

• Automating data exfiltration through scheduled transfers.

• Utilizing compromised legitimate servers as relay points, reducing suspicion.

• Leveraging credentials stolen via phishing or credential dumping to authenticate against legitimate file transfer services.

• Using scripts or automated tools to manage persistent communication channels.

Real-world procedures often involve:

• Establishing persistent backdoors by regularly uploading malicious tools.

• Exfiltrating sensitive data through scheduled file transfers disguised as legitimate backup or synchronization tasks.

• Using compromised FTP or WebDAV servers as staging points for lateral movement or malware distribution.

When this Technique is Usually Used

This sub-technique can be employed across various stages of an attack lifecycle, including:

• Initial Access:

  • Uploading malicious payloads onto publicly accessible FTP/WebDAV servers to infect victims.

• Execution and Persistence:

  • Regularly transferring and updating malicious scripts or binaries to maintain footholds.

• Lateral Movement:

  • Using compromised credentials to transfer malware or scripts internally across victim infrastructure.

• Command and Control (C2):

  • Establishing reliable communication channels to control infected hosts remotely via file transfers.

• Data Exfiltration:

  • Transferring sensitive data out of victim networks through seemingly legitimate file transfers.

Common scenarios include:

• APT groups targeting enterprise environments to exfiltrate intellectual property.

• Cybercriminals deploying ransomware payloads through compromised FTP servers.

• Attackers leveraging cloud-based file transfer services for stealthy data exfiltration.

How this Technique is Usually Detected

Effective detection involves a combination of network monitoring, log analysis, and endpoint detection methods, including:

• Network Traffic Analysis:

  • Monitor unusual volume or frequency of FTP, FTPS, SFTP, SCP, or WebDAV traffic.

  • Detect anomalous file transfer activities, especially outside normal business hours or bandwidth usage patterns.

• Protocol Inspection:

  • Deep packet inspection (DPI) to identify suspicious payloads within FTP and WebDAV communications.

  • TLS inspection to detect malicious encrypted transfers through FTPS or SFTP.

• Endpoint Detection and Response (EDR):

  • Monitoring processes initiating unusual file transfer connections.

  • Identifying scripts or binaries performing automated file transfers.

• Log Analysis and SIEM:

  • Analyzing logs from FTP, SSH, WebDAV servers for abnormal authentication attempts, unusual file uploads/downloads, or unauthorized access attempts.

  • Correlating user authentication events with file transfer activities to identify compromised accounts.

Indicators of Compromise (IoCs) include:

• Unusual outbound connections to unknown FTP, SFTP, SCP, or WebDAV servers.

• High-volume or frequent file transfers from internal systems to external IP addresses or cloud storage services.

• Presence of unknown scripts or binaries initiating automated file transfers.

• Abnormal login attempts or authentication anomalies on file transfer services.

Why it is Important to Detect This Technique

Early detection of malicious file transfer activities is critical due to potential severe impacts, including:

• Data Exfiltration:

  • Unauthorized extraction of sensitive or proprietary data, resulting in financial loss, regulatory penalties, and reputational damage.

• Malware Distribution:

  • Deployment of malware payloads, ransomware incidents, or persistent backdoors.

• Persistence:

  • Adversaries maintaining long-term access, complicating remediation efforts.

• Lateral Movement:

  • Attackers spreading malware internally, escalating privileges, and compromising additional systems.

• Stealth and Evasion:

  • Difficulty in detection due to the legitimate nature of file transfer protocols, potentially allowing attackers prolonged access and increased damage.

Detecting malicious use of file transfer protocols early significantly reduces the attacker's dwell time, mitigates potential damage, and enables rapid incident response and remediation.

Examples

Real-world examples of adversaries leveraging file transfer protocols include:

• FIN7 (Carbanak Group):

  • Utilized FTP servers for exfiltrating stolen payment card data from compromised retail and hospitality networks.

  • Tools used: Customized scripts, PowerShell, and FTP clients.

  • Impact: Massive financial losses, compromised customer data, and regulatory penalties.

• APT29 (Cozy Bear):

  • Leveraged WebDAV services to deliver malicious payloads and establish persistent communication channels.

  • Tools used: Web shells, customized malware, legitimate WebDAV clients.

  • Impact: Espionage operations, theft of sensitive government and corporate information.

• APT28 (Fancy Bear):

  • Used SFTP and SCP protocols for secure transfer of malicious binaries and exfiltration of sensitive information.

  • Tools used: Custom malware, scripts leveraging SSH-based file transfers.

  • Impact: High-profile espionage campaigns targeting government, military, and diplomatic entities.

• Maze Ransomware Group:

  • Employed FTP and WebDAV protocols to exfiltrate victim data before encrypting systems.

  • Tools used: Standard FTP clients, automated scripts for data extraction.

  • Impact: Data breaches, financial extortion, substantial disruption to business operations.

These examples illustrate the widespread adoption and significant potential damage associated with malicious use of file transfer protocols, underscoring the importance of proactive detection and mitigation strategies.