Description
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Platforms
Mitigations (2)
Filter Network TrafficM1037
Filter outbound FTP/SFTP traffic from sensitive systems, allowing file transfers only to trusted internal or known IP addresses. This measure can prevent attackers from transferring data or payloads via FTP/SFTP channels to or from unauthorized external systems.
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used exploit payloads that initiate download via [ftp](https://attack.mitre.org/software/S0095).(Citati... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used SMB for C2.(Citation: US-CERT TA18-074A) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used the the PuTTY suite Secure Copy Protocol (SCP) client for file transfer.(Citation: ESET M... |
| G0083 | SilverTerrier | [SilverTerrier](https://attack.mitre.org/groups/G0083) uses FTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky Oc... |
Associated Software (20)
| ID | Name | Type | Context |
|---|---|---|---|
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has used FTP for C2 communications.(Citation: Talos PoetRAT October 2020) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can use WinSCP for the secure file transfer of the Linux ransomware binary to a targeted system.(Cita... |
| S0699 | Mythic | Tool | [Mythic](https://attack.mitre.org/software/S0699) supports SMB-based peer-to-peer C2 profiles.(Citation: Mythc Documentation) |
| S0465 | CARROTBALL | Tool | [CARROTBALL](https://attack.mitre.org/software/S0465) has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT January 2020) |
| S0019 | Regin | Malware | The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin) |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has used `curl` for data exfiltration over FTP.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN ... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) uses FTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 201... |
| S0161 | XAgentOSX | Malware | [XAgentOSX](https://attack.mitre.org/software/S0161) contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the ... |
| S0201 | JPIN | Malware | [JPIN](https://attack.mitre.org/software/S0201) can communicate over FTP.(Citation: Microsoft PLATINUM April 2016) |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) uses FTP and FTPS to communicate with the C2 server.(Citation: Unit 42 Kazuar May 2017) |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019) |
| S1089 | SharpDisco | Malware | [SharpDisco](https://attack.mitre.org/software/S1089) has the ability to transfer data between SMB shares.(Citation: MoustachedBouncer ESET August 202... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) has used FTP for C2 connections.(Citation: Talos ZxShell Oct 2014) |
| S0596 | ShadowPad | Malware | [ShadowPad](https://attack.mitre.org/software/S0596) has used FTP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017) |
| S0464 | SYSCON | Malware | [SYSCON](https://attack.mitre.org/software/S0464) has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT November 2018)(Citation... |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) can use an SMB listener for C2 communication.(Citation: Havoc Framework Documentation)(Citation: Zsca... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can emulate an FTP server to connect to actor-controlled C2 servers.(Citation: BitDefender BADHATC... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB proto... |
| S1088 | Disco | Malware | [Disco](https://attack.mitre.org/software/S1088) can use SMB to transfer files.(Citation: MoustachedBouncer ESET August 2023) |
| S0353 | NOKKI | Malware | [NOKKI](https://attack.mitre.org/software/S0353) has used FTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018) |
Related CWE Weaknesses
References
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
Frequently Asked Questions
What is T1071.002 (File Transfer Protocols)?
T1071.002 is a MITRE ATT&CK technique named 'File Transfer Protocols'. It belongs to the Command and Control tactic(s). Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote syste...
How can T1071.002 be detected?
Detection of T1071.002 (File Transfer Protocols) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1071.002?
There are 2 documented mitigations for T1071.002. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention.
Which threat groups use T1071.002?
Known threat groups using T1071.002 include: APT41, Dragonfly, MirrorFace, SilverTerrier, Kimsuky.