Finger.EXE Execution

About the rule

Rule Type

Standard

Rule Description

Finger.exe is a legacy Windows command-line utility originally designed to retrieve user information from remote systems using the Finger protocol. While rarely used in modern enterprise environments, attackers may abuse finger.exe to perform reconnaissance, enumerate users, or even exfiltrate data by communicating with malicious remote servers.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Reconnaissance/Abuse of finger.exe → Impact

Impact

• Reconnaissance and enumeration
• User and host information disclosure
• Command and control communication
• Data exfiltration
• Defense evasion

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Ingress Tool Transfer (T1105)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of the execution of finger.exe, especially with unusual or externally facing command-line arguments. This enables you to review process usage, analyze the context of finger.exe invocations, and quickly identify unauthorized or suspicious use of the utility. Such monitoring strengthens your organization’s defense posture and enables rapid detection and investigation of potential external reconnaissance or data leakage attempts.

Author

Florian Roth (Nextron Systems), omkar72, oscd.community

Future actions

Known False Positives

This rule may trigger during legitimate use of finger.exe in rare, sanctioned troubleshooting or administrative scenarios. Review command-line arguments, the destination server, and the initiating user or service to determine legitimacy.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update allowlists and detection rules to reflect any confirmed legitimate use, and continue monitoring for anomalous executions of finger.exe in the environment.

Mitigation