gather direct-ftp information

rule:
  meta:
    name: gather direct-ftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.coffeecup.com/software/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40DC62
  features:
    - or:
      - substring: "Software\\CoffeeCup Software\\Internet\\Profiles"
      - substring: "\\CoffeeCup Software"
      - and:
        - string: "Password"
        - string: "HostName"
        - string: "Port"
        - string: "Username"
        - string: "HostDirName"
      - 2 or more:
        - substring: "\\SharedSettings.ccs"
        - substring: "\\SharedSettings.sqlite"
        - string: /\\SharedSettings[0-9_\.]{2,7}\.ccs/
        - string: /\\SharedSettings[0-9_\.]{2,7}\.sqlite/
      - and:
        - string: "FTP destination server"
        - string: "FTP destination user"
        - string: "FTP destination password"
        - string: "FTP destination port"
        - string: "FTP destination catalog"
        - string: "FTP profiles"