Unusual FileZilla XML Configuration File Access
This brief details a detection strategy for processes other than legitimate FileZilla or OneDrive clients attempting to access sensitive FileZilla FTP client configuration files, specifically `recentservers.xml` and `sitemanager.xml`, leveraging Windows Security Event Log 4663 to identify potential credential theft or data exfiltration.
This intelligence brief focuses on detecting suspicious access patterns to FileZilla FTP client's sensitive XML configuration files on Windows systems. Threat actors often target these files, such as recentservers.xml and sitemanager.xml, because they can contain stored credentials, server connection details, and historical session information. The detection specifically identifies instances where processes other than the legitimate filezilla.exe or onedrive.exe attempt to read or modify these critical files. Such activity is highly indicative of post-exploitation credential access or data exfiltration attempts by malicious software, including stealers like Quasar RAT or Phantom Stealer, seeking to harvest valuable data. Early detection of this behavior is crucial for preventing broader network compromise and mitigating the risk of sensitive data exposure.
Attack Chain
(No attack chain is provided as the source describes a detection technique for post-exploitation behavior, not a full end-to-end attack narrative from initial access.)
Impact
If this activity goes undetected, it can lead to severe consequences for an organization. Attackers can exfiltrate credentials stored in FileZilla's configuration files, granting them unauthorized access to FTP servers and potentially other network resources. This credential theft can facilitate lateral movement within the network, further data exfiltration from sensitive servers, or the delivery of additional malware. The compromise of FTP accounts can also lead to website defacement or disruption of services, impacting business operations and reputation.
Recommendation
- Enable "Audit Object Access" for both "Success" and "Failure" on Windows Group Policy and ensure Windows Security Event Log 4663 is collected, as required for the detection rule.
- Deploy the
Detect Unusual FileZilla XML Config AccessSigma rule to your SIEM and tune it for your environment, specifically by whitelisting any legitimate third-party applications that are known to access FileZilla configuration files. - Regularly review alerts generated by the
Detect Unusual FileZilla XML Config Accessrule, investigating theProcessNameandCaller_User_Nameof any unauthorized access attempts.
Detection coverage 1
Detect Unusual FileZilla XML Config Access
highDetects processes other than FileZilla or OneDrive accessing sensitive FileZilla XML configuration files, indicating potential credential theft from Windows Security Event Log 4663.
Detection queries are available on the platform. Get full rules →