Application Layer Protocol: File Transfer Protocols
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Procedure Examples

Name | Description |
---|---|
PoetRAT | PoetRAT has used FTP for C2 communications.(Citation: Talos PoetRAT October 2020) |
Honeybee | Honeybee uses FTP for command and control.(Citation: McAfee Honeybee) |
APT41 | APT41 used exploit payloads that initiate download via FTP.(Citation: FireEye APT41 March 2020) |
Mythic | Mythic supports SMB-based peer-to-peer C2 profiles.(Citation: Mythc Documentation) |
CARROTBALL | CARROTBALL has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT January 2020) |
Regin | The Regin malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin) |
Machete | Machete uses FTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
XAgentOSX | XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.(Citation: XAgentOSX 2017) |
JPIN | JPIN can communicate over FTP.(Citation: Microsoft PLATINUM April 2016) |
Kazuar | Kazuar uses FTP and FTPS to communicate with the C2 server.(Citation: Unit 42 Kazuar May 2017) |
Attor | Attor has used FTP protocol for C2 communication.(Citation: ESET Attor Oct 2019) |
SharpDisco | SharpDisco has the ability to transfer data between SMB shares.(Citation: MoustachedBouncer ESET August 2023) |
Operation Honeybee | During Operation Honeybee, the threat actors had the ability to use FTP for C2.(Citation: McAfee Honeybee) |
ZxShell | ZxShell has used FTP for C2 connections.(Citation: Talos ZxShell Oct 2014) |
ShadowPad | ShadowPad has used FTP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017) |
Dragonfly | Dragonfly has used SMB for C2.(Citation: US-CERT TA18-074A) |
SYSCON | SYSCON has the ability to use FTP in C2 communications.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020) |
Machete | Machete malware used FTP for C2.(Citation: Cylance Machete Mar 2017) |
SilverTerrier | SilverTerrier uses FTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |
BADHATCH | BADHATCH can emulate an FTP server to connect to actor-controlled C2 servers.(Citation: BitDefender BADHATCH Mar 2021) |
Cobalt Strike | Cobalt Strike can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020) |
Disco | Disco can use SMB to transfer files.(Citation: MoustachedBouncer ESET August 2023) |
Kimsuky | Kimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019) |
NOKKI | NOKKI has used FTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018) |
Mitigations

Mitigation | Description |
---|---|
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used.(Citation: University of Birmingham C2)
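The two heuristics above (upload-heavy flows, and traffic on a file-transfer port that does not speak the expected protocol) can be expressed over per-connection flow records. The block below is an added example written for this page, not code from MITRE or from any of the listed tools; the flow records, the `Flow` class, the port table and the thresholds are all constructed assumptions, and the first-bytes checks only cover the well-known greetings (FTP `220` banner, NetBIOS-framed SMB magic, TFTP opcodes, TLS record header for implicit FTPS on 990):

```python
"""Flow-based heuristics for file-transfer-protocol C2 (added example, constructed data)."""
from dataclasses import dataclass

# Ports on which these protocols are expected; only flows to these ports are judged.
# Assumed table for the example; extend it for your environment.
FILE_TRANSFER_PORTS = {21: "ftp", 69: "tftp", 445: "smb", 990: "ftps"}


@dataclass
class Flow:
    client: str
    server: str
    dport: int
    bytes_out: int        # bytes sent by the client
    bytes_in: int         # bytes received by the client
    server_hello: bytes   # first bytes returned by the server (constructed sample)


def looks_like_expected_protocol(dport: int, server_hello: bytes) -> bool:
    """Return True if the server's first bytes match the protocol expected on dport.

    FTP control (and explicit FTPS on 21) greets with a '220' reply line; SMB over
    TCP/445 is framed by a 4-byte NetBIOS session header followed by the SMB1 or
    SMB2 magic (\\xffSMB / \\xfeSMB); TFTP replies start with a 2-byte opcode
    (DATA=3, ACK=4, ERROR=5); implicit FTPS on 990 starts with a TLS record
    (0x16 0x03). Ports not in the table are not judged.
    """
    proto = FILE_TRANSFER_PORTS.get(dport)
    if proto == "ftp":
        return server_hello.startswith(b"220")
    if proto == "ftps":
        return server_hello[:2] == b"\x16\x03"
    if proto == "smb":
        return len(server_hello) >= 8 and server_hello[4:8] in (b"\xffSMB", b"\xfeSMB")
    if proto == "tftp":
        return len(server_hello) >= 2 and server_hello[:2] in (b"\x00\x03", b"\x00\x04", b"\x00\x05")
    return True


def upload_ratio(flow: Flow) -> float:
    """Client-sent bytes per client-received byte (guarding against a zero divisor)."""
    return flow.bytes_out / max(flow.bytes_in, 1)


def classify(flow: Flow, ratio_threshold: float = 10.0, min_bytes: int = 1_000_000) -> list[str]:
    """Return the list of heuristics this flow trips (empty list means nothing flagged).

    ratio_threshold and min_bytes are assumed starting values; legitimate backups
    and file uploads also trip 'upload-heavy', so baseline by destination before alerting.
    """
    findings = []
    if not looks_like_expected_protocol(flow.dport, flow.server_hello):
        findings.append("protocol-port-mismatch")
    if (flow.dport in FILE_TRANSFER_PORTS
            and flow.bytes_out >= min_bytes
            and upload_ratio(flow) >= ratio_threshold):
        findings.append("upload-heavy")
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # Normal FTP download: genuine banner, client receives far more than it sends.
    Flow("10.0.0.5", "192.0.2.10", 21, 1_200, 48_000, b"220 ProFTPD Server ready.\r\n"),
    # TCP/21 to an external host, but the "server" never sends an FTP banner and
    # the client pushes megabytes out: both heuristics fire.
    Flow("10.0.0.7", "198.51.100.9", 21, 2_500_000, 4_000, b"\x00\x01\x02\x03"),
    # Normal SMB: NetBIOS header then SMB2 magic, download-heavy.
    Flow("10.0.0.8", "10.0.0.2", 445, 30_000, 900_000, b"\x00\x00\x00\x40\xfeSMB" + b"\x00" * 10),
    # Real SMB, but 50 MB pushed to an internal host: volume alone warrants review.
    Flow("10.0.0.9", "10.0.0.3", 445, 50_000_000, 40_000, b"\x00\x00\x00\x40\xfeSMB" + b"\x00" * 10),
]


def scan(flows=SAMPLE_FLOWS) -> dict:
    """Map (client, server, dport) to its findings for every flow that tripped a heuristic."""
    results = {}
    for f in flows:
        findings = classify(f)
        if findings:
            results[(f.client, f.server, f.dport)] = findings
    return results


if __name__ == "__main__":
    for key, findings in scan().items():
        print(key, findings)
```

The protocol check is deliberately narrow: it confirms the server side opens with the greeting the port implies, which is what catches a raw C2 channel parked on 21 or 445, but it will not see commands hidden inside a genuine FTP session or inside the contents of transferred files. For those, the volume ratio and a per-destination baseline (who normally uploads to which server) are the practical signal.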
References
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
- McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.