capa-rules/collection/file-managers/gather-filezilla-information.yml at v9.0.0 · mandiant/capa-rules · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
rule:
  meta:
    name: gather filezilla information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://filezilla-project.org/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x4057A7
  features:
    - or:
      - and:
        - substring: "\\sitemanager.xml"
        - substring: "\\recentservers.xml"
        - substring: "\\filezilla.xml"
      - and:
        - substring: "Software\\FileZilla"
        - string: "Install_Dir"
        - substring: "Software\\FileZilla Client"
      - 3 or more:
        - string: "Server Type"
        - string: "Remote Dir"
        - string: "Server.Port"
        - string: "Server.Host"
        - string: "Server.User"
        - string: "Last Server Type"
        - string: "Last Server Port"
        - string: "Last Server User"
        - string: "Last Server Host"
        - string: "Last Server Pass"