sigmamediumHunting

FTP Connection Open Attempt Via Winscp CLI

Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.

MITRE ATT&CK

T1048

exfiltration

Detection Query

selection_img:
  - Image|endswith: \WinSCP.exe
  - OriginalFileName: winscp.exe
selection_cmd:
  CommandLine|contains|windash: -command
  CommandLine|contains|all:
    - "open "
    - ftp://
condition: all of selection_*

Author

frack113

Created

2025-10-12

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry

Tags

attack.exfiltrationattack.t1048detection.threat-hunting

Raw Content

title: FTP Connection Open Attempt Via Winscp CLI
id: c1477deb-37cf-4439-9ffb-44499acb89d0
status: experimental
description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
references:
    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
author: frack113
date: 2025-10-12
tags:
    - attack.exfiltration
    - attack.t1048
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WinSCP.exe'
        - OriginalFileName: 'winscp.exe'
    selection_cmd:
        CommandLine|contains|windash: '-command'
        CommandLine|contains|all:
            - 'open '
            - 'ftp://' # cover ftp and sftp
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium