T1071.002: File Transfer Protocols
Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vulnerabilities: PT-CR-2948: Subrule_CVE_2025_24071_NTLM_Hash_Leak: An archiver process or Windows Explorer created a file with the .library-ms extension vulnerabilities: PT-CR-2949: CVE_2025_24071_NTLM_Hash_Leak: Possible exploitation of the CVE-2025-24071 vulnerability in Windows Explorer. A file with the .library-ms extension was extracted from an archive, which can result in the user's password hash being transferred to the attacker's server. mitre_attck_command_and_control: PT-CR-2780: Subrule_DoublePulsar_Process_Access: A process accessed its child process after it was started mitre_attck_command_and_control: PT-CR-2781: DoublePulsar_Activity: Anonymous access to the IPC$ named pipe and loading of libraries specific to the DoublePulsar backdoor. Specific "knock" requests are sent to the backdoor in the form of access to the IPC$ resource. mitre_attck_command_and_control: PT-CR-2782: Subrule_DoublePulsar_IPC_Access: Remote connection to the IPC$ named pipe using an anonymous account and connection to the attacker's computer. This may indicate DoublePulsar backdoor activity. mitre_attck_command_and_control: PT-CR-2947: Subrule_External_SMB_Connect: A process connected to an external host via SMB it_bastion: PT-CR-2180: SKDPUNT_Unusual_Amount_Of_File_Transfered: SKDPU NT detected a large number of transferred files in a user session
Detection
| ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
|---|
| ID | DS0029 | Data source and component | Network Traffic: Network Traffic Flow | Description | Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
|---|
Mitigation
| ID | M1031 | Name | Network Intrusion Prevention | Description | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. |
|---|