Rule Info
Name
DNS Query by Finger Utility
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Date
2025-11-19 00:00:00
Modified
None
Id
c082c2b0-525b-4dbc-9a26-a57dc4692074
Tags
attack.command-and-control, attack.t1071.004, attack.execution, attack.t1059.003
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5763 from @swachchhanda000 - Update ClickFix/FileFix related rules
Date
2025-11-28
Commit
