<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ftp-Client - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ftp-client/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:24:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ftp-client/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual FileZilla XML Configuration File Access</title><link>https://feed.craftedsignal.io/briefs/2026-07-unusual-filezilla-xml-config-access/</link><pubDate>Fri, 03 Jul 2026 13:24:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-unusual-filezilla-xml-config-access/</guid><description>This brief details a detection strategy for processes other than legitimate FileZilla or OneDrive clients attempting to access sensitive FileZilla FTP client configuration files, specifically `recentservers.xml` and `sitemanager.xml`, leveraging Windows Security Event Log 4663 to identify potential credential theft or data exfiltration.</description><content:encoded><![CDATA[<p>This intelligence brief focuses on detecting suspicious access patterns to FileZilla FTP client's sensitive XML configuration files on Windows systems. Threat actors often target these files, such as <code>recentservers.xml</code> and <code>sitemanager.xml</code>, because they can contain stored credentials, server connection details, and historical session information. The detection specifically identifies instances where processes other than the legitimate <code>filezilla.exe</code> or <code>onedrive.exe</code> attempt to read or modify these critical files. Such activity is highly indicative of post-exploitation credential access or data exfiltration attempts by malicious software, including stealers like Quasar RAT or Phantom Stealer, seeking to harvest valuable data. Early detection of this behavior is crucial for preventing broader network compromise and mitigating the risk of sensitive data exposure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>(No attack chain is provided as the source describes a detection technique for post-exploitation behavior, not a full end-to-end attack narrative from initial access.)</p>
<h2 id="impact">Impact</h2>
<p>If this activity goes undetected, it can lead to severe consequences for an organization. Attackers can exfiltrate credentials stored in FileZilla's configuration files, granting them unauthorized access to FTP servers and potentially other network resources. This credential theft can facilitate lateral movement within the network, further data exfiltration from sensitive servers, or the delivery of additional malware. The compromise of FTP accounts can also lead to website defacement or disruption of services, impacting business operations and reputation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &quot;Audit Object Access&quot; for both &quot;Success&quot; and &quot;Failure&quot; on Windows Group Policy and ensure Windows Security Event Log 4663 is collected, as required for the detection rule.</li>
<li>Deploy the <code>Detect Unusual FileZilla XML Config Access</code> Sigma rule to your SIEM and tune it for your environment, specifically by whitelisting any legitimate third-party applications that are known to access FileZilla configuration files.</li>
<li>Regularly review alerts generated by the <code>Detect Unusual FileZilla XML Config Access</code> rule, investigating the <code>ProcessName</code> and <code>Caller_User_Name</code> of any unauthorized access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>windows</category><category>credential-access</category><category>ftp-client</category></item></channel></rss>