DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

Sigma rule

title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
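
The rule's selection applied to a handful of constructed Sysmon Event ID 22 (DnsQuery) records, as an added Python example that is not part of the rule or of the Sigma project. It assumes the common mapping of the windows/dns_query log source to Sysmon Event ID 22, and the event contents, process IDs and queried names are made up. It also shows two details of the rule's matching: Sigma string matching is case-insensitive by default, and the leading backslash in '\finger.exe' keeps a differently named binary such as myfinger.exe from matching.

```python
# Constructed sample of Sysmon Event ID 22 records, already parsed into the
# field names used by Sigma's windows/dns_query log source. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\finger.exe",
     "QueryName": "example-c2.invalid", "ProcessId": 4120},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org", "ProcessId": 5210},
    # Upper-case image path: Sigma matching is case-insensitive, so this hits.
    {"EventID": 22, "Image": r"C:\Windows\System32\FINGER.EXE",
     "QueryName": "203.0.113.10", "ProcessId": 4132},
    # Ends with "finger.exe" but not "\finger.exe": must NOT match.
    {"EventID": 22, "Image": r"C:\Tools\myfinger.exe",
     "QueryName": "example.org", "ProcessId": 6000},
    # Process-creation event (ID 1), outside the dns_query log source.
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@example-c2.invalid", "ProcessId": 4120},
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: suffix match, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's logsource filter and 'selection' against one event."""
    # logsource: product=windows, category=dns_query (assumed: Sysmon Event ID 22)
    if event.get("EventID") != 22:
        return False
    # detection.selection: Image|endswith: '\finger.exe'; condition: selection
    return sigma_endswith(event.get("Image", ""), "\\finger.exe")


def detect(events: list[dict]) -> list[dict]:
    """Return every event the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def queried_names(events: list[dict]) -> list[str]:
    """Distinct names resolved by finger.exe, the pivot for infrastructure triage."""
    return sorted({e["QueryName"] for e in detect(events)})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} image={hit['Image']} query={hit['QueryName']}")
    print("names to investigate:", queried_names(SAMPLE_EVENTS))
```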
