Finger.EXE Execution

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Sigma rule (View on GitHub)

 1title: Finger.EXE Execution
 2id: af491bca-e752-4b44-9c86-df5680533dbc
 3status: test
 4description: |
 5    Detects execution of the "finger.exe" utility.
 6    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
 7    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.    
 8references:
 9    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
10    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
11    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
12author: Florian Roth (Nextron Systems), omkar72, oscd.community
13date: 2021-02-24
14modified: 2024-06-27
15tags:
16    - attack.command-and-control
17    - attack.t1105
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        - OriginalFileName: 'finger.exe'
24        - Image|endswith: '\finger.exe'
25    condition: selection
26falsepositives:
27    - Admin activity (unclear what they do nowadays with finger.exe)
28level: high

References

Related rules

to-top