OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

FTP Enumeration - Anonymous account + Files & Directories exposed 

Endpoint Security Validation
Detection Rule Validation

概要

This scenario will allow you to easily identify FTP servers allowing Anonymous access

This scenario simulates a reconnaissance technique used to identify FTP servers that allow anonymous login and expose sensitive files or directories without authentication. Anonymous FTP access is a legacy feature that permits users to log in using a generic “anonymous” or “ftp” account, often without a password or using a placeholder like an email address. While intended for public file sharing, this configuration can inadvertently expose critical or sensitive information when not properly managed.

The scenario attempts to connect to FTP services across the target network using anonymous credentials. If successful, it lists accessible directories and enumerates files to assess the level of exposure. Many threat actors use this method early in the attack chain to gather publicly available information (e.g., system configs, backup files, application code, credentials) before launching more targeted attacks. This test provides organizations with visibility into weak FTP configurations, especially in legacy or mismanaged environments, and supports efforts to decommission insecure services or tighten access controls.

Objective:

  • Detect FTP servers that allow unauthenticated (anonymous) access.
  • Identify files and directories exposed to anonymous users.
  • Help prevent data leakage, misconfiguration, or unintentional file disclosure.

Use Case:

  • Network reconnaissance and attack surface reduction.
  • Legacy system audits and infrastructure hygiene.
  • Purple team simulations for data exposure detection.
  • Enhancing detection rules for unusual FTP activity in SIEM platforms.

Tactics & Techniques:

  • Tactic: Discovery / Collection (MITRE ATT&CK: TA0007 / TA0009)
  • Technique: File and Directory Discovery – [T1083]
  • Technique: Exploit Public-Facing Application – [T1190] (in post-exploitation contexts)

Impact:

This scenario is non-intrusive and does not modify or exfiltrate any files. It solely connects using anonymous credentials and reads directory listings and filenames. However, it may generate FTP log entries or alerts on intrusion detection systems, especially those configured to flag anonymous logins or directory traversal.

Detection Tips:

Security teams can monitor for:

  • FTP logins from external or internal sources using anonymous or ftp usernames.
  • Directory listings (LIST, NLST) or file downloads by unauthenticated users.
  • Unusual access patterns or automated enumeration behavior.
  • Consider integrating FTP logs into SIEM tools and applying behavioral rules to detect bulk listing or file access attempts from unauthorized users.
  • Recommended Mitigations:
  • Disable anonymous access on all FTP servers unless explicitly required.
  • Enforce strong authentication and use FTPS or SFTP instead of plain FTP.
  • Apply strict file and directory permissions for all public or shared folders.
  • Monitor FTP logs regularly for unauthorized access or misconfigurations.
  • Decommission legacy FTP services in favor of modern, secure alternatives.

References:

  • OWASP FTP Security Guidelines
  • CIS Controls: Secure Configuration of Network Services
  • NIST SP 800-123: Guide to General Server Security

基本情報

Filigran
Sébastien Miguel
2026年7月01日
1.17.0
100+
40+

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。