Windows Finger.exe used as Lolbas

Cyber Key
2 min readFeb 8, 2021


Finger.exe is designed for a local user to retrieve a list of users on a remote machine or information about a particular remote user. Attackers can use this binary as a file downloader and C2 channel to evade defenses and hide malicious activities used in Living Of The Land attacks (Lolbas). In recent analysis, we also found that operators of the Astaroth malware, also called Guildma, started using this binary in their attacks to execute remote malicious code from the initial payload of the threat.

Here is an example of a command executed on the new Astaroth malware payloads:

“finger.exe|more +2 | cmd”

Hunting for suspicious activities with finger.exe

Typically, the FINGER protocol uses the standard port (79) that organizations often block. However, it is essential to monitor for suspicious activity, mainly due to recent malware usage.
Below is a simple Splunk Rule, Sigma Rule, followed by mapping via Mitre Attack® technique to help the security community identify finger.exe in the environment.

Possible Splunk Rule:

index=(your index) EventID=1 (finger (Image=C:\\Windows\\System32\\finger.exe) CommandLine=”*@*”) 
| stats count by Computer User EventID CommandLine Image

Sigma Rule

title: Lolbas Windows Finger.exe
description: Detects suspicious activities when Finger.exe (legitimate Windows binary) is used for file downloads, or attempts to communicate with C2 channels.
* attack.defense_evasion
* attack.Signed Binary Proxy Execution
* attack.T1218
* MitreLink:
status: experimental
author: Keilly Santos
date: 2021/02/08
modified: 2021/02/08
product: windows
service: sysmon
EventID: 1
Image | endswith: finger.exe
CommandLine | contain: *@*
condition: selection
falsepositives: unknown
level: high


Hope it helps.
Happy hunting! =D