DET0416: Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)
Analyst context for executives and security teams
This detection strategy is about recognizing command-and-control traffic that hides inside file transfer protocols such as FTP, FTPS, SMB, and TFTP. The business issue is that these protocols may be normal in many environments, so blocking or alerting on the protocol alone is rarely enough. Leaders should treat this as a coverage question: do we know where these protocols are allowed, who uses them, and whether the SOC can distinguish expected file movement from potential remote control activity?
Executive priority
Prioritize this where file transfer protocols are operationally important or exposed across Linux, macOS, ESXi, or network device environments referenced by the related ATT&CK technique. The decision value is in reducing command-and-control blind spots without disrupting legitimate file transfer workflows. Executives should ask for evidence of protocol inventory, logging coverage, exception governance, and incident playbooks for suspicious file-transfer-based C2.
Technical view
The ATT&CK relationship states that DET0416 detects T1071.002, File Transfer Protocols, under command-and-control. Because the supplied detection strategy has no official description or detection logic, SOC and detection teams should validate controls around the related behavior: adversary C2 communications embedded in FTP, FTPS, SMB, or TFTP traffic that may blend with legitimate file transfer activity. Focus on baselining expected protocol use, identifying unusual client/server pairs, unexpected destinations, abnormal session timing or volume, and file-transfer protocol use from systems or network segments where it is not expected.
Likely telemetry
- Network flow records for FTP, FTPS, SMB, and TFTP traffic
- Firewall, proxy, and network security device logs showing allowed and denied file transfer sessions
- SMB, FTP, FTPS, and TFTP service logs where available
- Endpoint network connection telemetry from systems using the related technique platforms, including Linux, macOS, ESXi, and network devices where supported
- Asset inventory and network segmentation data to determine where these protocols should be expected
Detection direction
- Validate that telemetry exists for the protocols named in the detection strategy: FTP, FTPS, SMB, and TFTP.
- Tune detections against known-good file transfer workflows to reduce noise from common administrative or business activity.
- Look for protocol use that violates expected asset role, network zone, destination, timing, or volume patterns rather than relying only on protocol presence.
- Account for encrypted FTPS blind spots: content inspection may be limited, so metadata, endpoint context, and destination reputation or allowlisting become more important.
- Use the relationship to T1071.002 to align alerts with command-and-control triage, not just generic file transfer monitoring.
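The baselining approach described in the technical view and in the detection direction above, worked through as an added example (not part of the ATT&CK object or the Glexia page): flow records are checked against an expected-use inventory, and repeated sessions at near-constant intervals are flagged as beacon-like. The inventory, addresses and flow records are constructed, hypothetical values.

```python
from collections import defaultdict
from statistics import mean, pstdev

PORTS = {21: "ftp", 990: "ftps", 445: "smb", 69: "tftp"}

# Constructed inventory (hypothetical values): which protocols each asset role
# is expected to use, and which destinations are approved per protocol.
ROLE_OF = {"10.0.1.5": "backup-server", "10.0.2.17": "workstation", "10.0.3.9": "esxi-host"}
ALLOWED_PROTOS = {"backup-server": {"ftps", "smb"}, "workstation": {"smb"}, "esxi-host": set()}
APPROVED_DST = {"ftps": {"10.0.9.2"}, "smb": {"10.0.9.3"}, "ftp": set(), "tftp": set()}

# Constructed flow records: (src, dst, dst_port, epoch seconds).
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.9.2", 990, 0), ("10.0.1.5", "10.0.9.2", 990, 3600),
    ("10.0.2.17", "10.0.9.3", 445, 50), ("10.0.2.17", "10.0.9.3", 445, 1300),
    ("10.0.2.17", "10.0.9.4", 443, 60),  # not a file transfer port, ignored
] + [("10.0.3.9", "203.0.113.10", 21, 100 + 300 * i) for i in range(5)]

def analyze_flows(flows, min_sessions=4, max_jitter=0.1):
    """Return unique (src, dst, proto, reason) findings, in first-seen order."""
    findings, pairs = {}, defaultdict(list)
    for src, dst, port, ts in flows:
        proto = PORTS.get(port)
        if proto is None:
            continue  # only file transfer protocols are in scope here
        role = ROLE_OF.get(src, "unknown")
        if proto not in ALLOWED_PROTOS.get(role, set()):
            findings[(src, dst, proto, f"{proto} not expected from role {role}")] = None
        if dst not in APPROVED_DST.get(proto, set()):
            findings[(src, dst, proto, f"{dst} not an approved {proto} destination")] = None
        pairs[(src, dst, proto)].append(ts)
    # Timing check: repeated sessions at near-constant intervals look like
    # beaconing rather than ad hoc file movement (low coefficient of variation).
    for (src, dst, proto), times in pairs.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reason = f"regular interval ~{mean(gaps):.0f}s over {len(times)} sessions"
            findings[(src, dst, proto, reason)] = None
    return list(findings)

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
```

Port-based protocol labelling stands in for whatever classification your flow sensor provides; for FTPS the payload is encrypted, so role, destination and timing metadata of this kind carry most of the signal.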
Mitigation priorities
- Inventory legitimate FTP, FTPS, SMB, and TFTP use and assign owners for approved workflows.
- Restrict these protocols to required systems, network segments, and destinations using standard network control and access governance.
- Retire or reduce unnecessary file transfer services where business need is not documented.
- Require logging on approved file transfer services and centralize records for SOC review.
- Maintain exception evidence for audit and incident response, including why a protocol is allowed and what monitoring covers it.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, no official detection text, and no tactics or platforms directly specified. The practical guidance therefore comes from the explicit relationship to T1071.002, File Transfer Protocols, which is a command-and-control technique involving FTP, FTPS, SMB, and TFTP and lists ESXi, Linux, macOS, and Network Devices as related platforms.
This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local protocol usage, asset roles, segmentation, encryption visibility, and logging quality must be validated before determining coverage or risk.
Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | This object detects File Transfer Protocols. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 471892acf0c5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0416 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.