← Back to Explore
sigmamediumHunting
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
Detection Query
selection_original:
OriginalFileName: ftp.exe
filter_img:
Image|endswith: \ftp.exe
condition: selection_original and not filter_img
Author
Victor Sergeev, oscd.community
Created
2020-10-09
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.executionattack.t1059attack.defense-evasionattack.t1202
Raw Content
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
- attack.execution
- attack.t1059
- attack.defense-evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_original:
OriginalFileName: 'ftp.exe'
filter_img:
Image|endswith: '\ftp.exe'
condition: selection_original and not filter_img
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml