Merge PR SigmaHQ#5863 from @swachchhanda000 - Add finger.exe to related rules

swachchhanda000 · web-flow · commit dc3880459dee · 2026-02-16T12:50:13.000+01:00
update: Potential Defense Evasion Via Rename Of Highly Relevant Binaries - add finger.exe
update: System File Execution Location Anomaly - add finger.exe
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -19,9 +19,10 @@ references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
     - https://twitter.com/christophetd/status/1164506034720952320
     - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
+    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
 author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
 date: 2019-06-15
-modified: 2024-12-03
+modified: 2026-02-12
 tags:
     - attack.defense-evasion
     - attack.t1036.003
@@ -41,6 +42,7 @@ detection:
               - 'cmstp.exe'
               - 'cscript.exe'
               - 'IE4UINIT.EXE'
+              - 'finger.exe'
               - 'mshta.exe'
               - 'msiexec.exe'
               - 'msxsl.exe'
@@ -62,6 +64,7 @@ detection:
             - '\cmstp.exe'
             - '\cscript.exe'
             - '\ie4uinit.exe'
+            - '\finger.exe'
             - '\mshta.exe'
             - '\msiexec.exe'
             - '\msxsl.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml
@@ -12,7 +12,7 @@ references:
     - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
 author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2017-11-27
-modified: 2025-11-23
+modified: 2026-02-12
 tags:
     - attack.defense-evasion
     - attack.t1036
@@ -41,6 +41,7 @@ detection:
             - '\dllhst3g.exe'
             - '\dwm.exe'
             - '\eventvwr.exe'
+            - '\finger.exe'
             - '\logonui.exe'
             - '\LsaIso.exe'
             - '\lsass.exe'
