Hunting Indirect Command Execution Using FTP

Intro

Ftp.exe can be used for starting arbitrary processes and commands. Indirect Command Execution is a technique used by adversaries to execute arbitrary commands through a trusted system or application. Adversaries use this technique to evade security controls and conceal their actions, making it difficult for defenders to detect and prevent malicious activity.

Did you know you can use FTP to initiate commands and start arbitrary processes locally using '!'?

What is FTP?

The ftp client is a widely used tool for transferring files to and from an FTP server. IT administrators and other technical users often use the ftp client for routine file management and system administration tasks, such as transferring large files or automating file transfers in batch mode.

The ftp client is also used by adversaries to transfer files and execute arbitrary commands as part of an attack. By leveraging the ftp client in combination with other techniques, such as indirect command execution or obfuscation, red teams can evade detection and conceal their actions. This makes it a feasible option among attackers who are looking to evade security controls.

How it Works

We now have a general idea of what FTP is used for. Reading about FTP usage in the Microsoft documentation, we can see that FTP can use the '-s' switch to “[specify] a text file that contains ftp commands [and] these commands run automatically after ftp starts.”

One detail that documentation does not mention is the significance of the ! symbol. When a command in the ftp client is prefixed with !, the client executes that process or command on the local system. The ! symbol acts as an escape mechanism that lets the ftp client run processes and commands locally, rather than on the remote FTP server.

Proof of Concept

Let’s see this in action by issuing the following command to write the instructions to the script file we’ll eventually call with ftp.

echo !calc > C:\temp\ftp_command_test.txt

With the instruction !calc now residing inside the file, we can use ftp to execute this program with the following command:

ftp -s:C:\temp\ftp_command_test.txt

Success!

So we can execute processes in this manner. This leads to another thought…

Is it possible to run a process with a specific instruction, such as pinging a specific IP address, and save the results to an output file using a script file as instructions for the ftp client to follow?

echo "!ping 10.6.7.8 > C:\temp\ping_output.txt" > C:\temp\ftp_command_test.txt
ftp -s:C:\temp\ftp_command_test.txt

Note that from a cmd.exe prompt, echo writes the double quotes into the file verbatim, so the script line no longer starts with !; in that shell, escape the inner redirect instead (echo !ping 10.6.7.8 ^> C:\temp\ping_output.txt > C:\temp\ftp_command_test.txt). PowerShell strips the quotes, so the command works there as written.

Adversaries may not use benign commands like pinging an IP address, but instead opt for more malicious instructions. It is crucial to detect these actions, so we need to investigate what is happening in the background in order to identify indicators that can trigger alerts.

Detection

Detect this behavior by identifying instances of 'cmd.exe /c' with a parent process of ftp.exe.

The execution of a process or command using the ! symbol in the ftp client is achieved by calling 'cmd.exe /c'. Ftp issues 'cmd.exe /c' to perform the commands locally on the system. Blue teams should be aware of this behavior and monitor for process trees in which ftp.exe is the parent of cmd.exe and cmd.exe is invoked with the '/c' switch. This process tree structure is not typical in most environments and may indicate a security incident. Blue teams should thoroughly investigate and assess such behavior to ensure the security of the environment.
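The process-tree check described above, as an added example that is not part of the original post: a small hunt over constructed Sysmon Event ID 1 (process creation) style records that flags cmd.exe /c spawned by ftp.exe, and separately notes ftp.exe launched with a -s: script file as lower-confidence context. Field names follow Sysmon's; the event values are made up for this example.

```python
import re

# Constructed sample events (Sysmon Event ID 1 fields, flattened to dicts).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp -s:C:\temp\ftp_command_test.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "ping 10.6.7.8 > C:\temp\ping_output.txt"',
     "ParentImage": r"C:\Windows\System32\ftp.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",           # benign: /c but parent is explorer
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",           # interactive shell, no /c
     "CommandLine": r"cmd.exe",
     "ParentImage": r"C:\Windows\System32\ftp.exe"},
]

CMD_C_SWITCH = re.compile(r"(^|\s)/c(\s|$)", re.IGNORECASE)
FTP_SCRIPT_SWITCH = re.compile(r"(^|\s)-s:", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ftp_shell_escape(event: dict) -> bool:
    """High confidence: ftp.exe -> cmd.exe /c, the tree produced by a '!' line."""
    return (basename(event.get("ParentImage", "")) == "ftp.exe"
            and basename(event.get("Image", "")) == "cmd.exe"
            and CMD_C_SWITCH.search(event.get("CommandLine", "")) is not None)


def uses_ftp_script(event: dict) -> bool:
    """Lower confidence: ftp.exe started with -s:<file> (scripted session)."""
    return (basename(event.get("Image", "")) == "ftp.exe"
            and FTP_SCRIPT_SWITCH.search(event.get("CommandLine", "")) is not None)


def hunt(events: list) -> list:
    """Return (event index, label) pairs for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if is_ftp_shell_escape(ev):
            hits.append((i, "ftp.exe spawned cmd.exe /c"))
        elif uses_ftp_script(ev):
            hits.append((i, "ftp.exe run with -s: script file"))
    return hits


if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {label}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```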

[Figure: Process tree as seen with Process Hacker]

Conclusion

Ftp is a versatile tool that offers a range of features for IT teams. However, its capabilities can also be exploited by malicious actors who seek to evade detection by executing commands through unconventional means. The ! symbol within the ftp client enables the execution of processes and commands on the local system, and presents a security concern for organizations.

As such, it is crucial for security teams to monitor for unusual or outlier patterns in host telemetry, network activity, system logs, and to implement security controls to minimize the risk of exploitation (application whitelisting goes a long way). By staying vigilant and aware of the potential threats posed by the ftp client, security teams can ensure the integrity and security of their environment.
