{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ftp-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FileZilla FTP Client"],"_cs_severities":["high"],"_cs_tags":["windows","credential-access","ftp-client"],"_cs_type":"advisory","_cs_vendors":["FileZilla Project"],"content_html":"\u003cp\u003eThis intelligence brief focuses on detecting suspicious access patterns to FileZilla FTP client's sensitive XML configuration files on Windows systems. Threat actors often target these files, such as \u003ccode\u003erecentservers.xml\u003c/code\u003e and \u003ccode\u003esitemanager.xml\u003c/code\u003e, because they can contain stored credentials, server connection details, and historical session information. The detection specifically identifies instances where processes other than the legitimate \u003ccode\u003efilezilla.exe\u003c/code\u003e or \u003ccode\u003eonedrive.exe\u003c/code\u003e attempt to read or modify these critical files. Such activity is highly indicative of post-exploitation credential access or data exfiltration attempts by malicious software, including stealers like Quasar RAT or Phantom Stealer, seeking to harvest valuable data. Early detection of this behavior is crucial for preventing broader network compromise and mitigating the risk of sensitive data exposure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e(No attack chain is provided as the source describes a detection technique for post-exploitation behavior, not a full end-to-end attack narrative from initial access.)\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf this activity goes undetected, it can lead to severe consequences for an organization. Attackers can exfiltrate credentials stored in FileZilla's configuration files, granting them unauthorized access to FTP servers and potentially other network resources. This credential theft can facilitate lateral movement within the network, further data exfiltration from sensitive servers, or the delivery of additional malware. The compromise of FTP accounts can also lead to website defacement or disruption of services, impacting business operations and reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026quot;Audit Object Access\u0026quot; for both \u0026quot;Success\u0026quot; and \u0026quot;Failure\u0026quot; on Windows Group Policy and ensure Windows Security Event Log 4663 is collected, as required for the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect Unusual FileZilla XML Config Access\u003c/code\u003e Sigma rule to your SIEM and tune it for your environment, specifically by whitelisting any legitimate third-party applications that are known to access FileZilla configuration files.\u003c/li\u003e\n\u003cli\u003eRegularly review alerts generated by the \u003ccode\u003eDetect Unusual FileZilla XML Config Access\u003c/code\u003e rule, investigating the \u003ccode\u003eProcessName\u003c/code\u003e and \u003ccode\u003eCaller_User_Name\u003c/code\u003e of any unauthorized access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:24:43Z","date_published":"2026-07-03T13:24:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-unusual-filezilla-xml-config-access/","summary":"This brief details a detection strategy for processes other than legitimate FileZilla or OneDrive clients attempting to access sensitive FileZilla FTP client configuration files, specifically `recentservers.xml` and `sitemanager.xml`, leveraging Windows Security Event Log 4663 to identify potential credential theft or data exfiltration.","title":"Unusual FileZilla XML Configuration File Access","url":"https://feed.craftedsignal.io/briefs/2026-07-unusual-filezilla-xml-config-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Ftp-Client","version":"https://jsonfeed.org/version/1.1"}