telnet.exe

  • File Path: C:\Windows\system32\telnet.exe
  • Description: Microsoft Telnet Client

Hashes

Type Hash
MD5 8EAE1ADEF9BF1A17B152F31C79088A88
SHA1 FE037BB6B345A866586A96D8E7A6EF6A23B4EF4D
SHA256 ABE72A168C332E2FCB493E85290744E7153ECD109A0B5FFD7FABBAAC339C673A
SHA384 49A1D098853F737A530C026903CB8093BD72793C2EA13A73671892D488F13BBADD9C534BDE44B3AB8689AC59194CB232
SHA512 4165E51FB605D3CD5671B0C4AD282A9645B2AE2193D923819C6BE45AE9427AD628488CE5877A69CEAE5ADA4505201B23C30202EE15CBF0FDD8E0CC72E5D95B8F
SSDEEP 3072:fR4CNuFPMRjUJdxKPggRqYx7XoQEYvkWEnqq:J4CM1MRQJdxKPggRqW76sAnq

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: telnetc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of telnet.exe being misused. While telnet.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma lnx_auditd_network_service_scanning.yml - '/telnet' DRL 1.0
sigma lnx_apt_equationgroup_lnx.yml - '/bin/telnet locip locport < /dev/console \| /bin/sh' DRL 1.0
sigma lnx_apt_equationgroup_lnx.yml - '&& telnet * 2>&1 </dev/console' DRL 1.0
sigma lnx_shell_susp_rev_shells.yml - ' \| /bin/bash \| telnet ' DRL 1.0
sigma proc_creation_macos_network_service_scanning.yml - '/telnet' DRL 1.0
sigma proc_creation_lnx_network_service_scanning.yml - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning DRL 1.0
sigma image_load_uac_bypass_via_dism.yml - Actions of a legitimate telnet client DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - telnet.exe DRL 1.0
sigma proc_creation_win_susp_plink_remote_forward.yml Description: 'Command-line SSH, Telnet, and Rlogin client' DRL 1.0
malware-ioc LinuxMooseETrules.txt alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"\|0e 00 00 00\|"; offset:4; depth:4; fast_pattern; content:!"\|00\|"; within:1; content:!"\|00\|"; distance:3; within:1; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:4; within:28; content:!"\|00 00 00 00\|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021149; rev:1;) © ESET 2014-2018
malware-ioc moose leveraging weak or default usernames and passwords via the Telnet protocol. If © ESET 2014-2018
atomic-red-team T1046.md Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1046.md telnet #{host} #{port} MIT License. © 2018 Red Canary
atomic-red-team T1046.md ##### Description: Check if telnet command exists on the machine MIT License. © 2018 Red Canary
atomic-red-team T1046.md if [ -x “$(command -v telnet)” ]; then exit 0; else exit 1; fi; MIT License. © 2018 Red Canary
atomic-red-team T1046.md (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet) MIT License. © 2018 Red Canary
atomic-red-team T1110.001.md * Telnet (23/TCP) MIT License. © 2018 Red Canary
atomic-red-team T1110.003.md * Telnet (23/TCP) MIT License. © 2018 Red Canary
atomic-red-team T1110.004.md * Telnet (23/TCP) MIT License. © 2018 Red Canary
atomic-red-team T1571.md Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful MIT License. © 2018 Red Canary
atomic-red-team T1571.md Testing uncommonly used port utilizing telnet. MIT License. © 2018 Red Canary
atomic-red-team T1571.md telnet #{domain} #{port} MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $x5 = “-p DEST_PORT, –dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect port” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp.yar description = “EQGRP Toolset Firewall - from files ssh.py, telnet.py” CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $s2 = “Cut and paste the following to the telnet prompt:” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar description = “Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh” CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x2 = “Remote Usage: /bin/telnet locip locport < /dev/console | /bin/sh"” fullword ascii CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_dec16.yar $s5 = “bll.telnet” fullword ascii CC BY-NC 4.0
signature-base apt_fvey_shadowbroker_dec16.yar $s1 = “/sbin/sh -c (mkdir /tmp/.X11R6; cd /tmp/.X11R6 && telnet” ascii CC BY-NC 4.0
signature-base generic_anomalies.yar $s1 = “SSH, Telnet and Rlogin client” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar description = “Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME” CC BY-NC 4.0
signature-base thor-hacktools.yar $s0 = “TELNET [host [port]]” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s2 = “TELNET.EXE” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s14 = “Software\Microsoft\Telnet” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar description = “Detects malicious telnet shell” CC BY-NC 4.0
signature-base thor-webshells.yar description = “Semi-Auto-generated - file telnet.pl.txt” CC BY-NC 4.0
signature-base thor-webshells.yar description = “Semi-Auto-generated - file telnet.cgi.txt” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


telnet

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Communicates with a computer running the telnet server service. Running this command without any parameters, lets you enter the telnet context, as indicated by the telnet prompt (Microsoft telnet>). From the telnet prompt, you can use telnet commands to manage the computer running the telnet client.

[!IMPORTANT] You must install the telnet client software before you can run this command. For more information, see Installing telnet.

Syntax

telnet [/a] [/e <escapechar>] [/f <filename>] [/l <username>] [/t {vt100 | vt52 | ansi | vtnt}] [<host> [<port>]] [/?]

Parameters

Parameter Description
/a Attempts automatic logon. Same as /l option, except that it uses the currently logged on user’s name.
/e <escapechar> Specifies the escape character used to enter the telnet client prompt.
/f <filename> Specifies the file name used for client side logging.
/l <username> Specifies the user name to log on with on the remote computer.
/t {vt100 | vt52 | ansi | vtnt} Specifies the terminal type. Supported terminal types are vt100, vt52, ansi, and vtnt.
<host> [<port>] Specifies the hostname or IP address of the remote computer to connect to, and optionally the TCP port to use (default is TCP port 23).
/? Displays help at the command prompt.

Examples

To use telnet to connect to the computer running the telnet Server Service at telnet.microsoft.com, type:

telnet telnet.microsoft.com

To use telnet to connect to the computer running the telnet Server Service at telnet.microsoft.com on TCP port 44 and ro log the session activity in a local file called telnetlog.txt, type:

telnet /f telnetlog.txt telnet.microsoft.com 44

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.