rules/windows/process_creation/proc_creation_win_finger_execution.yml

title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
status: test
description: |
    Detects execution of the "finger.exe" utility.
    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'finger.exe'
        - Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Admin activity (unclear what they do nowadays with finger.exe)
level: high
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes 2024-07-17 11:04:05 +02:00			`title: Finger.EXE Execution`
rule: finger.exe execution 2021-02-24 17:47:56 +01:00			`id: af491bca-e752-4b44-9c86-df5680533dbc`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
Merge PR #4888 from @nasbench - Add multiple new rules, updates and fixes 2024-07-17 11:04:05 +02:00			`description: \|`
			`Detects execution of the "finger.exe" utility.`
			`Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.`
			`Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.`
rule: finger.exe execution 2021-02-24 17:47:56 +01:00			`references:`
			`- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12`
			`- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/`
Added the author of the duplicated rule (finger.exe) 2021-03-07 23:20:21 +03:00			`- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems), omkar72, oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-02-24`
			`modified: 2024-06-27`
rule: finger.exe execution 2021-02-24 17:47:56 +01:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.command-and-control`
rule: finger.exe execution 2021-02-24 17:47:56 +01:00			`- attack.t1105`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
Rule Update 2022-08-17 20:27:55 +01:00			`- OriginalFileName: 'finger.exe'`
			`- Image\|endswith: '\finger.exe'`
rule: finger.exe execution 2021-02-24 17:47:56 +01:00			`condition: selection`
			`falsepositives:`
			`- Admin activity (unclear what they do nowadays with finger.exe)`
Rule Update 2022-08-17 20:27:55 +01:00			`level: high`