Detectionhighexperimental

DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Wed Nov 19c082c2b0-525b-4dbc-9a26-a57dc4692074windows

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

Resolving title…

bleepingcomputer.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control TA0002 · Execution

Sub-techniques

T1071.004 · DNS T1059.003 · Windows Command Shell

Related Rules

SimilarDetectionhigh

Network Connection Initiated via Finger.EXE

Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such network connections can also help identify potential malicious infrastructure used by threat actors

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Finger.EXE Execution

Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

c082c2b0-525b-4dbc-9a26-a57dc4692074

Status

experimental

Level

high

Type

Detection

Created

Wed Nov 19

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/dns_query/dns_query_win_finger.yml

Raw Tags

attack.command-and-controlattack.t1071.004attack.executionattack.t1059.003

View on GitHub