Overview
The FileZilla Profile Breadcrumb creates a saved FileZilla connection that points to a Canary running FTP.
Attackers commonly inspect saved FTP client sessions while looking for file stores, shared data, backups, or operational systems. Placing a believable FileZilla profile on systems an attacker is likely to explore can help steer reconnaissance and lateral movement toward your Canaries.
Placement Ideas
Good locations for FileZilla Profile Breadcrumbs include:
- Web or content management systems: Place profiles on systems used to upload website content, media assets, or application files.
- Shared operational workstations: Place profiles on systems used to transfer reports, backups, or internal data between systems.
- Jump boxes or bastion hosts: Place profiles within operational accounts or on systems used to access internal infrastructure.
- IT support and administration systems: Place profiles on systems where administrators regularly manage file transfers to servers, appliances, or hosted services.
Follow the steps below to create a FileZilla Profile Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm FTP is enabled on the Canary
Click the Canary you want to use for the FileZilla Profile Breadcrumb and confirm that the FTP service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that FTP is enabled, open the Breadcrumbs tile to create and download the FileZilla Profile Breadcrumb.
Step 4: Select the Breadcrumb
Select FileZilla Profile from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the Office-NAS-02 Canary.
Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb XML file.
The download section contains the following:
- crumb – Displays the XML configuration that will create the saved FileZilla connection.
- Download Breadcrumb – Downloads an XML file containing all the information required to deploy the FileZilla Profile Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
Copy the downloaded XML file to the target host and import it into FileZilla.
In this example, the imported Breadcrumb creates a saved FileZilla connection named Office-NAS-02, which is now visible in the Site Manager.
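Before copying the file to target hosts, it is worth confirming that every saved connection in it points at a Canary and not at a production server. The check below is an added example, not part of the Console or the downloaded Breadcrumb; it assumes the file follows FileZilla's Site Manager export layout, and the sample XML, the address 192.0.2.50, the user name and the function name check_crumb are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on FileZilla's Site Manager export layout.
# Host, user and password are placeholders, not real Console output.
SAMPLE_CRUMB = """<FileZilla3>
  <Servers>
    <Server>
      <Host>192.0.2.50</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>backup_svc</User>
      <Pass encoding="base64">cGxhY2Vob2xkZXI=</Pass>
      <Name>Office-NAS-02</Name>
    </Server>
  </Servers>
</FileZilla3>"""

# FileZilla protocol codes treated as FTP here: 0 = FTP, 6 = plain FTP only.
FTP_PROTOCOLS = {"0", "6"}


def check_crumb(xml_text, canary_hosts, expected_port="21"):
    """Return a list of problems; an empty list means the profile is safe to deploy."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Saved sites can be nested in folders, so search all descendants.
    servers = root.findall("./Servers//Server")
    if not servers:
        return ["no <Server> entries found"]
    problems = []
    for srv in servers:
        name = (srv.findtext("Name") or "<unnamed>").strip()
        host = (srv.findtext("Host") or "").strip().lower()
        if host not in canary_hosts:
            problems.append(f"{name}: host {host!r} is not a known Canary")
        if (srv.findtext("Port") or "").strip() != expected_port:
            problems.append(f"{name}: unexpected port")
        if (srv.findtext("Protocol") or "").strip() not in FTP_PROTOCOLS:
            problems.append(f"{name}: protocol is not FTP")
    return problems


if __name__ == "__main__":
    for line in check_crumb(SAMPLE_CRUMB, {"192.0.2.50"}) or ["OK"]:
        print(line)
```

Pass the set of addresses or hostnames of your own Canaries as canary_hosts; any reported problem means the file should not be deployed as is.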
Alerts
Alert Type: FTP Login Attempt
This is the standard FTP Login Attempt alert generated by the Canary.
The alert contains the FTP connection details associated with the login attempt, including the username and credentials used, source IP address, and additional alert information.
You’ve made it!