Finger.EXE Execution

calendar Nov 27, 2025 · attack.command-and-control attack.t1105  ·
Share on: linkedin copy

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Sigma rule (View on GitHub)

 1title: Finger.EXE Execution
 2id: af491bca-e752-4b44-9c86-df5680533dbc
 3related:
 4    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
 5      type: similar
 6    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
 7      type: similar
 8status: test
 9description: |
10    Detects execution of the "finger.exe" utility.
11    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
12    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.    
13references:
14    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
15    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
16    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
17author: Florian Roth (Nextron Systems), omkar72, oscd.community
18date: 2021-02-24
19modified: 2024-06-27
20tags:
21    - attack.command-and-control
22    - attack.t1105
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection:
28        - OriginalFileName: 'finger.exe'
29        - Image|endswith: '\finger.exe'
30    condition: selection
31falsepositives:
32    - Admin activity (unclear what they do nowadays with finger.exe)
33level: high
34regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

  • ANY.RUN

    Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.


    Read More

  • [+] Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.alterv...


    Read More

Related rules

to-top