ftp.exe
- File Path:
C:\windows\SysWOW64\ftp.exe - Description: File Transfer Program
Hashes
| Type | Hash |
|---|---|
| MD5 | 378AB44C0CFEC574F0AC5DE6DF3A587C |
| SHA1 | 52F5C2A192799ECF70A6BD7A7383852F4D698A66 |
| SHA256 | 736BFFD8C2EE02CD432004BBC539CA48BD664F17887B85B4DCA51D0A9EA3251F |
| SHA384 | 638A3BD8428C7537C64E38922BDA9C6CBF87F9C2842C49767D9ECFAF71AE17B744090A6DBD0DBCC0785BB17936021BEB |
| SHA512 | 67544C897FFCDEB12EF436CBC27F8116C8F8FF2A9BBEFE26BEE0DB32AEA7702E2ADA50837F6EC39B30E397EF644EFF44BE8BCE1213F93B64783C7652E739AB28 |
| SSDEEP | 768:5uchzUdgNq3Rq7m5njFJlR/lmxEchdqsYAGrosn3sHJiC38uzvGYgKPFR:5uchzUF3R7F9oMBFy38uzv1F |
Signature
- Status: The file C:\windows\SysWOW64\ftp.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: ftp.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of ftp.exe being misused. While ftp.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_ftp.yml | title: Suspicious ftp.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | Image\|endswith: 'ftp.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | OriginalFileName\|contains: 'ftp.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_ftp.yml | ParentImage\|endswith: 'ftp.exe' |
DRL 1.0 |
| LOLBAS | Ftp.yml | Name: Ftp.exe |
|
| LOLBAS | Ftp.yml | Usecase: Spawn new process using ftp.exe. Ftp.exe runs cmd /C YourCommand |
|
| LOLBAS | Ftp.yml | Usecase: Spawn new process using ftp.exe. Ftp.exe downloads the binary. |
|
| LOLBAS | Ftp.yml | - Path: C:\Windows\System32\ftp.exe |
|
| LOLBAS | Ftp.yml | - Path: C:\Windows\SysWOW64\ftp.exe |
|
| LOLBAS | Ftp.yml | - IOC: cmd /c as child process of ftp.exe |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
ftp
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Transfers files to and from a computer running a File Transfer Protocol (ftp) server service. This command can be used interactively or in batch mode by processing ASCII text files.
Syntax
ftp [-v] [-d] [-i] [-n] [-g] [-s:<filename>] [-a] [-A] [-x:<sendbuffer>] [-r:<recvbuffer>] [-b:<asyncbuffers>][-w:<windowssize>][<host>] [-?]
Parameters
| Parameter | Description |
|---|---|
| -v | Suppresses display of remote server responses. |
| -d | Enables debugging, displaying all commands passed between the FTP client and FTP server. |
| -i | Disables interactive prompting during multiple file transfers. |
| -n | Suppresses auto-login upon initial connection. |
| -g | Disables file name globbing. Glob permits the use of the asterisk (*) and question mark (?) as wildcard characters in local file and path names. |
-s:<filename> |
Specifies a text file that contains ftp commands. These commands run automatically after ftp starts. This parameter allows no spaces. Use this parameter instead of redirection (<). Note: In Windows 8 and Windows Server 2012 or later operating systems, the text file must be written in UTF-8. |
| -a | Specifies that any local interface can be used when binding the ftp data connection. |
| -A | Logs onto the ftp server as anonymous. |
-x:<sendbuffer> |
Overrides the default SO_SNDBUF size of 8192. |
-r:<recvbuffer> |
Overrides the default SO_RCVBUF size of 8192. |
-b:<asyncbuffers> |
Overrides the default async buffer count of 3. |
-w:<windowssize> |
Specifies the size of the transfer buffer. The default window size is 4096 bytes. |
<host> |
Specifies the computer name, IP address, or IPv6 address of the ftp server to which to connect. The host name or address, if specified, must be the last parameter on the line. |
| -? | Displays help at the command prompt. |
Remarks
-
The ftp command-line parameters are case-sensitive.
-
This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.
-
The ftp command can be used interactively. After it is started, ftp creates a sub-environment in which you can use ftp commands. You can return to the command prompt by typing the quit command. When the ftp sub-environment is running, it is indicated by the
ftp >command prompt. For more information, see the ftp commands. -
The ftp command supports the use of IPv6 when the IPv6 protocol is installed.
Examples
To log on to the ftp server named ftp.example.microsoft.com, type:
ftp ftp.example.microsoft.com
To log on to the ftp server named ftp.example.microsoft.com and run the ftp commands contained in a file named resync.txt, type:
ftp -s:resync.txt ftp.example.microsoft.com
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.