Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Finger.EXE Execution

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), omkar72, oscd.communityCreated Wed Feb 24Updated Thu Jun 27af491bca-e752-4b44-9c86-df5680533dbcwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        - OriginalFileName: 'finger.exe'
        - Image|endswith: '\finger.exe'
    condition: selection
False Positives

Admin activity (unclear what they do nowadays with finger.exe)

References
1
Resolving title…
twitter.com
2
Resolving title…
app.any.run
3
Resolving title…
hyp3rlinx.altervista.org
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Network Connection Initiated via Finger.EXE

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
af491bca-e752-4b44-9c86-df5680533dbc
Status
test
Level
high
Type
Detection
Created
Wed Feb 24
Modified
Thu Jun 27
Author
Florian Roth (Nextron Systems), omkar72, oscd.community
Path
rules/windows/process_creation/proc_creation_win_finger_execution.yml
Raw Tags
attack.command-and-controlattack.t1105
View on GitHub