Network Connection Initiated via Finger.EXE
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors.
Sigma rule

```yaml
title: Network Connection Initiated via Finger.EXE
id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
related:
    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such network connections can also help identify potential malicious infrastructure used by threat actors.
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
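To show what the selection above actually matches, here is an added example (not part of the rule page or the SigmaHQ project) that applies the rule's two selection entries to a handful of constructed Sysmon Event ID 3 (network_connection) records. It assumes the usual Sigma conventions a backend would apply: string comparisons are case-insensitive, `|endswith` compares the tail of the value, and the `Initiated` field arrives as the string `"true"` as Sysmon emits it. The sample events, paths and RFC 5737 documentation IP addresses are constructed for the example and are not real telemetry.

```python
"""Apply the finger.exe network_connection selection to sample events.

Added example; it is not code from the rule page or from SigmaHQ.
"""

# Constructed Sysmon Event ID 3 records (not real telemetry). The IPs are
# RFC 5737 documentation addresses and the paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    # Same binary, different casing: Sigma matching is case-insensitive, so this hits.
    {"EventID": 3, "Image": r"C:\Windows\System32\FINGER.EXE", "Initiated": "true",
     "DestinationIp": "198.51.100.7", "DestinationPort": 79},
    # Ordinary browser traffic: wrong image, no hit.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": "true",
     "DestinationIp": "192.0.2.5", "DestinationPort": 443},
    # Inbound connection to finger.exe: Initiated is "false", so the rule does not fire.
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe", "Initiated": "false",
     "DestinationIp": "192.0.2.9", "DestinationPort": 79},
    # Name merely contains "finger.exe"; the leading backslash in the pattern
    # means only a file literally named finger.exe matches.
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\notfinger.exe", "Initiated": "true",
     "DestinationIp": "192.0.2.44", "DestinationPort": 79},
]

# The rule's selection map, copied from the YAML above; condition is just "selection".
SELECTION = {"Initiated": "true", "Image|endswith": r"\finger.exe"}


def field_matches(event, field_spec, expected):
    """Evaluate one selection entry ("Field" or "Field|modifier": value).

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    A missing field never matches.
    """
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "contains":
        return expected in actual
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_rule(event):
    """A selection map is an AND over its entries; 'condition: selection' is then true."""
    return all(field_matches(event, spec, value) for spec, value in SELECTION.items())


def run_detection(events):
    """Return one triage record per hit.

    The destination is kept because the rule description points out that the
    remote end of such a connection is a lead on the adversary's infrastructure.
    """
    return [
        {"Image": e["Image"],
         "DestinationIp": e["DestinationIp"],
         "DestinationPort": e["DestinationPort"]}
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT outbound connection by finger.exe:", hit)
```

Running it produces two alerts (the first two sample events) and nothing for the browser, the inbound connection, or the look-alike filename. Note that the rule does not constrain the destination port: finger normally uses TCP 79, but a finger.exe connection to any port is still what the rule is looking for, and the port is only surfaced here for the analyst.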
Related rules
- DNS Query by Finger Utility
- Command Line Execution with Suspicious URL and AppData Strings
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security