- SIEM Guide:
- Overview
- Get up and running
- SIEM UI
- Anomaly Detection with Machine Learning
- Detections (beta)
- Managing signal detection rules
- Prebuilt rule reference
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Adversary Behavior - Detected - Elastic Endpoint
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Base16 or Base32 Encoding/Decoding Activity
- Base64 Encoding/Decoding Activity
- Bypass UAC via Event Viewer
- Clearing Windows Event Logs
- Command Prompt Network Connection
- Connection to External Network via Telnet
- Connection to Internal Network via Telnet
- Credential Dumping - Detected - Elastic Endpoint
- Credential Dumping - Prevented - Elastic Endpoint
- Credential Manipulation - Detected - Elastic Endpoint
- Credential Manipulation - Prevented - Elastic Endpoint
- DNS Activity to the Internet
- DNS Tunneling
- Delete Volume USN Journal with Fsutil
- Deleting Backup Catalogs with Wbadmin
- Direct Outbound SMB Connection
- Disable Windows Firewall Rules via Netsh
- Encoding or Decoding Files via CertUtil
- Enumeration of Kernel Modules
- Execution via Regsvcs/Regasm
- Exploit - Detected - Elastic Endpoint
- Exploit - Prevented - Elastic Endpoint
- FTP (File Transfer Protocol) Activity to the Internet
- File Deletion via Shred
- File Permission Modification in Writable Directory
- Hex Encoding/Decoding Activity
- Hping Process Activity
- IPSEC NAT Traversal Port Activity
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- Interactive Terminal Spawned via Perl
- Interactive Terminal Spawned via Python
- Kernel Module Removal
- Local Scheduled Task Commands
- Local Service Commands
- Malware - Detected - Elastic Endpoint
- Malware - Prevented - Elastic Endpoint
- Microsoft Build Engine Loading Windows Credential Libraries
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- Mknod Process Activity
- Modification of Boot Configuration
- MsBuild Making Network Connections
- Net command via SYSTEM account
- Netcat Network Activity
- Network Connection via Certutil
- Network Connection via Compiled HTML File
- Network Connection via MsXsl
- Network Connection via Mshta
- Network Connection via Regsvr
- Network Connection via Signed Binary
- Network Sniffing via Tcpdump
- Nmap Process Activity
- Nping Process Activity
- PPTP (Point to Point Tunneling Protocol) Activity
- Permission Theft - Detected - Elastic Endpoint
- Permission Theft - Prevented - Elastic Endpoint
- Persistence via Kernel Module Modification
- Potential Application Shimming via Sdbinst
- Potential DNS Tunneling via Iodine
- Potential Disabling of SELinux
- Potential Evasion via Filter Manager
- Potential Modification of Accessibility Binaries
- Potential Shell via Web Server
- PowerShell spawning Cmd
- Process Activity via Compiled HTML File
- Process Discovery via Tasklist
- Process Injection - Detected - Elastic Endpoint
- Process Injection - Prevented - Elastic Endpoint
- Process Injection by the Microsoft Build Engine
- Proxy Port Activity to the Internet
- PsExec Network Connection
- RDP (Remote Desktop Protocol) from the Internet
- RDP (Remote Desktop Protocol) to the Internet
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Ransomware - Detected - Elastic Endpoint
- Ransomware - Prevented - Elastic Endpoint
- SMB (Windows File Sharing) Activity to the Internet
- SMTP on Port 26/TCP
- SMTP to the Internet
- SQL Traffic to the Internet
- SSH (Secure Shell) from the Internet
- SSH (Secure Shell) to the Internet
- Setgid Bit Set via chmod
- Setuid Bit Set via chmod
- Socat Process Activity
- Strace Process Activity
- Sudoers File Modification
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Powershell Script
- Svchost spawning Cmd
- System Shells via Services
- TCP Port 8000 Activity to the Internet
- Telnet Port Activity
- Tor Activity to the Internet
- Trusted Developer Application Usage
- Unusual DNS Activity
- Unusual Linux Network Activity
- Unusual Linux Network Port Activity
- Unusual Linux Network Service
- Unusual Linux Username
- Unusual Linux Web Activity
- Unusual Login Activity
- Unusual Network Connection via RunDLL32
- Unusual Network Destination Domain Name
- Unusual Parent-Child Relationship
- Unusual Process Execution - Temp
- Unusual Process For a Linux Host
- Unusual Process For a Windows Host
- Unusual Process Network Connection
- Unusual Web Request
- Unusual Web User Agent
- Unusual Windows Network Activity
- Unusual Windows Path Activity
- Unusual Windows Remote User
- Unusual Windows Service
- Unusual Windows User Privilege Elevation Activity
- Unusual Windows Username
- User Account Creation
- User Discovery via Whoami
- VNC (Virtual Network Computing) from the Internet
- VNC (Virtual Network Computing) to the Internet
- Virtual Machine Fingerprinting
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC
- Web Application Suspicious Activity: No User Agent
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method
- Web Application Suspicious Activity: sqlmap User Agent
- Whoami Process Activity
- Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
- Windows Script Executing PowerShell
- Tuning prebuilt detection rules
- Prebuilt rule changes per release
- Cases (beta)
- SIEM APIs
- Detections API
- Cases API
- Create case
- Add comment
- Update case
- Update comment
- Find cases
- Get case
- Get all case comments
- Get comment
- Get all case activity
- Get tags
- Get reporters
- Get status
- Delete comment
- Delete all comments
- Delete case
- Set default SIEM UI connector
- Update case configurations
- Get current connector
- Find connectors
- Add external details to case
- Actions API (for pushing cases to external systems)
- SIEM field reference guide
The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
FTP (File Transfer Protocol) Activity to the Internet
editFTP (File Transfer Protocol) Activity to the Internet
editDetects events that may indicate the use of FTP network connections to the Internet. The File Transfer Protocol (FTP) has been around in its current form since the 1980s. It can be a common and efficient procedure on your network to send and receive files. Because of this, adversaries will also often use this protocol to exfiltrate data from your network or download new tools. Additionally, FTP is a plain-text protocol which, if intercepted, may expose usernames and passwords. FTP activity involving servers subject to regulations or compliance standards may be unauthorized.
Rule type: query
Rule indices:
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Network
Version: 3 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Potential false positives
editFTP servers should be excluded from this rule as this is expected behavior. Some business workflows may use FTP for data exchange. These workflows often have expected characteristics such as users, sources, and destinations. FTP activity involving an unusual source or destination may be more suspicious. FTP activity involving a production server that has no known associated FTP workflow or business requirement is often suspicious.
Rule query
editnetwork.transport:tcp and destination.port:(20 or 21) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Commonly Used Port
- ID: T1043
- Reference URL: https://attack.mitre.org/techniques/T1043/
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Exfiltration Over Alternative Protocol
- ID: T1048
- Reference URL: https://attack.mitre.org/techniques/T1048/
Rule version history
edit- Version 3 (7.7.0 release)
-
Updated query, changed from:
network.transport: tcp and destination.port: (20 or 21) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
- Version 2 (7.6.1 release)
-
- Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.
Was this helpful?
Thank you for your feedback.