MITRE ATT&CK® Tool

S0095: ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[1][2]

Enterprise | S0095 | Tool | Object v2.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

ftp is a legitimate operating-system utility that can move files using the File Transfer Protocol. Its business significance is that an attacker does not need custom malware to bring tools into an environment, move files between systems, or send data out; they may be able to use a common built-in or readily available utility that blends with administrative activity.

Executive priority

Treat ftp use as a control-validation issue, not just a tool inventory item. Leaders should ask whether FTP is actually required in the business, where it is permitted, and whether the organization can prove when it is used for external transfer, internal staging, or data movement. Because ATT&CK links this tool to ingress tool transfer, lateral tool transfer, and exfiltration over an unencrypted non-C2 protocol, coverage depends on network egress governance, endpoint process visibility, and incident response access to file-transfer evidence.

Technical view

For SOC, detection engineering, and IR teams, validate visibility for ftp execution and FTP network sessions on Linux, Windows, and macOS. ATT&CK provides no official detection text for this software, so detections should be environment-driven: identify expected administrative FTP usage, then alert on unusual parent processes, destinations, transfer volumes, interactive sessions from servers or user workstations that do not normally use FTP, and FTP activity associated with newly created or suspicious files. One collection caveat: the Windows ftp.exe client accepts -s:<file> to read its commands from a script file, and Unix ftp clients are commonly scripted by feeding commands on standard input, so the process command line may show only the target host; preserve the script file or input when the arguments point to one. Relationship context supports reviewing ftp activity in investigations involving T1105 Ingress Tool Transfer, T1570 Lateral Tool Transfer, and T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol.

Likely telemetry

  • Endpoint process creation telemetry showing ftp command execution, parent process, user, host, command-line arguments where collected, and execution time
  • Network connection logs for FTP control and data channels, including source, destination, port, protocol, byte counts, and session timing
  • Proxy, firewall, IDS/IPS, or network security monitoring records for outbound and internal FTP traffic
  • DNS logs for FTP destinations where hostnames are used
  • File creation, modification, and staging evidence around the time of FTP activity
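The control-channel and data-channel telemetry listed above is worth collecting because everything FTP does is negotiated in the clear. The following is an added example for this page, not code from the ATT&CK object or from Glexia: it walks a constructed control-channel transcript (addresses, ports, user name and file names are all made up) and recovers what a network inspector can see, including the data-channel port that each PASV reply or PORT command negotiates.

```python
"""Decode a plaintext FTP control-channel transcript the way a network inspector would.

Added example for this page, not code from the ATT&CK object or from Glexia. The
transcript, host addresses, ports, user name and file names are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed session: ("C", line) is client -> server, ("S", line) is server -> client.
# It uploads an archive in passive mode, then downloads a tool in active mode.
SAMPLE_TRANSCRIPT = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER backup-svc"),
    ("S", "331 Please specify the password."),
    ("C", "PASS Winter2024!"),
    ("S", "230 Login successful."),
    ("C", "TYPE I"),
    ("S", "200 Switching to Binary mode."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,25,195,80)."),
    ("C", "STOR finance-q3.7z"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
    ("C", "PORT 10,0,0,5,4,1"),
    ("S", "200 PORT command successful. Consider using PASV."),
    ("C", "RETR tools/nc.exe"),
    ("S", "150 Opening BINARY mode data connection."),
    ("S", "226 Transfer complete."),
    ("C", "QUIT"),
    ("S", "221 Goodbye."),
]

Channel = Tuple[str, str, int]  # (mode, host, port) of the negotiated data connection


@dataclass
class Transfer:
    direction: str          # "upload" (client -> server) or "download" (server -> client)
    filename: str
    channel: Optional[Channel]
    completed: bool = False


@dataclass
class FtpSessionSummary:
    username: Optional[str] = None
    password_seen: bool = False
    data_channels: List[Channel] = field(default_factory=list)
    transfers: List[Transfer] = field(default_factory=list)


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies (RFC 959)."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_control(transcript) -> FtpSessionSummary:
    """Walk the control channel and record what is visible in the clear."""
    summary = FtpSessionSummary()
    pending: Optional[Channel] = None   # data channel negotiated for the next transfer
    current: Optional[Transfer] = None  # transfer waiting for its 226 completion reply
    for side, line in transcript:
        if side == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                summary.username = arg
            elif verb == "PASS":
                summary.password_seen = True  # sent in cleartext; record the fact, not the value
            elif verb == "PORT":
                hp = decode_hostport(arg)
                if hp:
                    pending = ("active", *hp)  # server connects back to this client address
                    summary.data_channels.append(pending)
            elif verb in ("STOR", "STOU", "APPE", "RETR"):
                direction = "download" if verb == "RETR" else "upload"
                current = Transfer(direction, arg, pending)
                summary.transfers.append(current)
        else:
            code = line[:3]
            if code == "227":
                hp = decode_hostport(line)
                if hp:
                    pending = ("passive", *hp)  # client connects out to this server port
                    summary.data_channels.append(pending)
            elif code == "226" and current is not None:
                current.completed = True
                current, pending = None, None
    return summary


if __name__ == "__main__":
    s = parse_ftp_control(SAMPLE_TRANSCRIPT)
    print(f"user={s.username} password_in_clear={s.password_seen}")
    for t in s.transfers:
        print(f"{t.direction:8} {t.filename:20} via {t.channel} completed={t.completed}")
```

Run stand-alone it reports the user name, the fact that a password crossed the wire in the clear, an upload of finance-q3.7z over a passive data channel to 203.0.113.25:50000, and a download of tools/nc.exe over an active channel on 10.0.0.5:1025. Those negotiated ports are the reason byte counts for the data channel belong in the telemetry list: a flow record keyed only on TCP/21 will attribute the control chatter to FTP and miss the bytes that actually moved.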

Detection direction

  • Baseline legitimate FTP use by platform, business unit, server role, and administrative workflow before treating all ftp activity as malicious.
  • Prioritize alerts for FTP from systems that should not transfer files externally, from sensitive servers, or from accounts without an administrative need.
  • Correlate ftp process execution with outbound FTP network sessions and nearby file creation or archive activity to reduce false positives.
  • Look for internal FTP-based movement between hosts as potential support for lateral tool transfer, not only internet egress.
  • Because FTP is unencrypted, network metadata is always available, and where the local monitoring architecture and legal/privacy constraints permit it, payload inspection of the control channel exposes the user name, the commands issued, and the names of files stored or retrieved. Note that FTP data channels run on ports negotiated per transfer, so flow rules keyed only on TCP/21 will not account for the bytes actually moved.
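The correlation described in the Technical view and in the bullets above, as an added example for this page rather than detection content from ATT&CK or from Glexia: it applies an approved-use baseline first, then enriches each out-of-baseline ftp execution with nearby flows, staged archives, transfer volume and the script-driven invocation pattern. The events, hosts, users, baseline, thresholds, internal address ranges and field names are all constructed assumptions about a generic endpoint/network telemetry schema, not any product's format; destinations are assumed to be IP addresses.

```python
"""Correlate ftp process starts with FTP flows and staged archives against an approved-use baseline.

Added example for this page, not detection content from ATT&CK or Glexia. The events,
hosts, users, baseline, thresholds and field names are constructed assumptions about a
generic endpoint/network telemetry schema, not any product's format.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed approved-use baseline (first bullet above): who may run ftp, and to where.
APPROVED_FTP = {
    "hosts": {"build01"},
    "users": {"svc_build"},
    "destinations": {"10.20.0.15"},
}
INTERNAL_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PROCESS_NAMES = {"ftp", "ftp.exe"}
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".gz")
LARGE_OUTBOUND_BYTES = 10_000_000   # assumption: tune to the environment
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry: process creation, network flows, file creation.
PROCESS_EVENTS = [
    {"ts": "2025-03-04T09:00:05", "host": "build01", "user": "svc_build", "image": "ftp",
     "parent": "bash", "cmdline": "ftp -n 10.20.0.15"},
    {"ts": "2025-03-04T09:41:10", "host": "fin-ws07", "user": "jdoe", "image": "ftp.exe",
     "parent": "cmd.exe", "cmdline": "ftp -s:C:\\Users\\jdoe\\AppData\\Local\\Temp\\up.txt 198.51.100.44"},
    {"ts": "2025-03-04T09:55:00", "host": "db02", "user": "root", "image": "ftp",
     "parent": "sh", "cmdline": "ftp 10.30.0.9"},
]
NETWORK_EVENTS = [
    {"ts": "2025-03-04T09:00:06", "host": "build01", "dst": "10.20.0.15", "dport": 21, "bytes_out": 3200},
    {"ts": "2025-03-04T09:41:12", "host": "fin-ws07", "dst": "198.51.100.44", "dport": 21, "bytes_out": 1100},
    {"ts": "2025-03-04T09:41:13", "host": "fin-ws07", "dst": "198.51.100.44", "dport": 51234, "bytes_out": 48_000_000},
    {"ts": "2025-03-04T09:55:01", "host": "db02", "dst": "10.30.0.9", "dport": 21, "bytes_out": 900},
]
FILE_EVENTS = [
    {"ts": "2025-03-04T09:00:00", "host": "build01", "path": "/srv/build/artifact.tar.gz", "action": "create"},
    {"ts": "2025-03-04T09:39:40", "host": "fin-ws07", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fin.zip", "action": "create"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(proc_events, net_events, file_events, baseline=APPROVED_FTP, window=WINDOW):
    """Return one alert per ftp execution that falls outside the baseline, enriched with context."""
    alerts = []
    for p in proc_events:
        if p["image"].lower() not in FTP_PROCESS_NAMES:
            continue
        t0 = _ts(p["ts"])
        flows = [n for n in net_events
                 if n["host"] == p["host"] and abs(_ts(n["ts"]) - t0) <= window]
        staged = [f for f in file_events
                  if f["host"] == p["host"] and f["action"] == "create"
                  and f["path"].lower().endswith(ARCHIVE_SUFFIXES)
                  and timedelta(0) <= t0 - _ts(f["ts"]) <= window]
        dsts = {n["dst"] for n in flows}

        # Baseline first: approved host, user and destinations together mean no alert.
        reasons = []
        if p["host"] not in baseline["hosts"]:
            reasons.append("host_not_approved")
        if p["user"] not in baseline["users"]:
            reasons.append("user_not_approved")
        if dsts - baseline["destinations"]:
            reasons.append("unapproved_destination")
        if not reasons:
            continue

        # Context that raises or explains the alert.
        techniques = []
        if any(not is_internal(d) for d in dsts):
            reasons.append("external_egress")
            techniques += ["T1048.003", "T1105"]      # candidate techniques, not a verdict
        elif dsts:
            reasons.append("internal_transfer")
            techniques.append("T1570")
        if any(n["bytes_out"] >= LARGE_OUTBOUND_BYTES for n in flows):
            reasons.append("large_outbound")
        if staged:
            reasons.append("archive_staged")
        if "-s:" in p["cmdline"].lower():
            reasons.append("script_driven")          # commands live in the script file, not the command line

        severity = "high" if "archive_staged" in reasons and (
            "external_egress" in reasons or "large_outbound" in reasons) else "medium"
        alerts.append({"host": p["host"], "user": p["user"], "ts": p["ts"], "parent": p["parent"],
                       "severity": severity, "reasons": reasons, "techniques": techniques,
                       "flows": flows, "staged": [f["path"] for f in staged]})
    return alerts


if __name__ == "__main__":
    for a in correlate(PROCESS_EVENTS, NETWORK_EVENTS, FILE_EVENTS):
        print(a["severity"].upper(), a["host"], a["user"], ", ".join(a["reasons"]), a["techniques"])
```

On the constructed data, build01 produces nothing because host, user and destination are all in the baseline even though an archive was created just before. fin-ws07 is rated high: an unapproved workstation, a script-driven ftp.exe, a zip staged ninety seconds earlier, and 48 MB leaving on a negotiated data port to an external address. db02 is rated medium as an internal transfer from a sensitive server, the pattern to look at under T1570 rather than internet egress. The technique tags are candidates for the analyst, not a classification.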

Mitigation priorities

  • Determine whether FTP is required; remove or disable unnecessary FTP clients or workflows where feasible.
  • Restrict outbound and internal FTP traffic to approved systems and destinations using network controls.
  • Prefer managed, authenticated, and encrypted file-transfer mechanisms for legitimate business needs instead of unencrypted FTP.
  • Apply least privilege so ordinary users and service accounts cannot freely stage or transfer tools and data from sensitive systems.
  • Ensure IR playbooks preserve endpoint process logs, network flow records, and file-system evidence needed to reconstruct FTP-based transfer activity.

Analyst notes and limits

ATT&CK identifies ftp as a common utility available with operating systems and links it to campaigns and groups that have used it, including HomeLand Justice, Quad7 Activity, Naikon, OilRig, APT33, APT39, and APT41. These relationships justify defensive attention, but local risk depends on whether FTP is present, permitted, and monitored in the specific environment.

The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or tool-specific tactics. Related campaign and group descriptions are contextual and should not be interpreted as evidence of current activity against any organization. Validation requires local telemetry, asset role context, and an approved-use baseline.

Official MITRE ATT&CK definition

ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1570 | Lateral Tool Transfer
ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment.[1][2]

Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)
ftp may be used to exfiltrate data separate from the main command and control protocol.[1][2]

Enterprise | T1105 | Ingress Tool Transfer
ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.[1][2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0019: Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Group Enterprise

G0064: APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

Group Enterprise

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Campaign Enterprise

C0055: Quad7 Activity

Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers.[1][2] The botnet was initially composed primarily of TP-Link routers and was named Quad7 due to compromised devices exposing TCP port 7777 with the distinctive banner xlogin. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying alogin. Quad7 infrastructure functions as a collection of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations.[1][3] Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities.[2]

Campaign Enterprise

C0038: HomeLand Justice

HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by raw hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.2
Created:
Modified:
Raw hash: 7324edbe51022ec8...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | object version 2.2 | status: current bundle | raw hash 7324edbe5102…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft FTP: Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.
  2. [2] Linux FTP: N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.
  3. [3] mitre-attack S0095: the MITRE-hosted ATT&CK entry for S0095.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.