File Transfer Protocols

In the Deepening Control phase, attackers leverage File Transfer Protocols as a C2 channel to establish persistent communication with compromised systems while evading detection. This sub-technique utilizes standard protocols like FTP, SFTP, FTPS, SCP, and TFTP for command transmission and exfiltration, exploiting their legitimate presence in corporate environments. Adversaries encode commands within file transfers or utilize these protocols' control channels for direct command execution, benefiting from the protocols' encryption capabilities (particularly in SFTP and FTPS) to obscure malicious traffic. Unlike web protocols that might face strict proxy inspection, file transfer protocols often receive less scrutiny in network monitoring systems, creating security blind spots. Detection requires analyzing anomalous connection patterns, unusual file transfers, unexpected protocol usage, and monitoring for unauthorized encrypted sessions established through these standard network services.
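As an added example that is not part of this page, the Python below runs the detection checks the paragraph lists over constructed Zeek-style connection records: file-transfer sessions to servers outside an assumed allowlist, unusually large outbound volume, and regularly spaced sessions to one server that suggest beaconing. The sample records, the approved-server set, the port table and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records in Zeek conn.log style; not real traffic.
# Fields: ts (epoch seconds), src, dst, dport, proto, bytes_out
SAMPLE_CONNS = [
    (1000.0, "10.0.0.5", "10.0.0.20", 22, "tcp", 4200),   # every 300 s, similar size
    (1300.0, "10.0.0.5", "10.0.0.20", 22, "tcp", 4100),
    (1600.0, "10.0.0.5", "10.0.0.20", 22, "tcp", 4300),
    (1900.0, "10.0.0.5", "10.0.0.20", 22, "tcp", 4250),
    (1050.0, "10.0.0.9", "10.0.0.30", 21, "tcp", 900),    # sanctioned FTP server
    (2000.0, "10.0.0.7", "203.0.113.8", 69, "udp", 90_000_000),  # TFTP to the Internet
]

APPROVED_SERVERS = {"10.0.0.30"}  # assumed allowlist of sanctioned file-transfer hosts
FILE_TRANSFER_PORTS = {21: "ftp", 22: "ssh/sftp/scp", 69: "tftp", 989: "ftps-data", 990: "ftps"}


def file_transfer_sessions(conns):
    """Keep only connections on well-known file-transfer service ports."""
    return [c for c in conns if c[3] in FILE_TRANSFER_PORTS]


def detect_anomalies(conns, approved, min_beacons=4, max_jitter=0.1, exfil_bytes=50_000_000):
    """Return alerts for unapproved servers, large outbound transfers and regular beaconing."""
    alerts = []
    flagged = set()                 # one unapproved-server alert per (src, dst) pair
    by_pair = defaultdict(list)     # timestamps per (src, dst, dport) for beacon analysis
    for ts, src, dst, dport, proto, out in file_transfer_sessions(conns):
        service = FILE_TRANSFER_PORTS[dport]
        if dst not in approved and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append({"kind": "unapproved_server", "src": src, "dst": dst, "service": service})
        if out >= exfil_bytes:
            alerts.append({"kind": "large_outbound", "src": src, "dst": dst, "bytes": out})
        by_pair[(src, dst, dport)].append(ts)
    # Beaconing: many sessions to one server with near-constant spacing (low jitter).
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"kind": "beaconing", "src": src, "dst": dst,
                           "service": FILE_TRANSFER_PORTS[dport], "interval_s": round(avg)})
    return alerts
```

In practice the records would come from a parsed conn.log or NetFlow export, and the jitter threshold should be tuned against the environment's scheduled backup and sync jobs, which also produce regular file-transfer sessions.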