Finger.EXE Execution

Sigma Rules

Summary
The rule detects execution of the "finger.exe" utility on Windows systems. Finger.exe is an archaic network utility used primarily to query information about users on remote computers, and is commonly associated with UNIX systems. Because the utility is old and the finger service is rarely used in modern environments, any execution of it is treated as suspicious. The rule applies to process creation logs and alerts whenever finger.exe is executed, which may indicate unauthorized access or command-and-control activity. Legitimate use cases are minimal, but some administrative functions may still require it, which can produce false positive alerts. The detection logic specifically targets instances where the file name or image path ends with "finger.exe".
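The matching logic described in the Summary, run over process-creation records, as an added example that is not the rule's own source. It assumes Sysmon-style `Image` and `OriginalFileName` fields (reading the Summary's "file name" as `OriginalFileName` is an assumption), and the helper names and sample events are constructed for illustration.

```python
import ntpath

TARGET = "finger.exe"

def match_finger(event):
    """Return why a process-creation event matches, or None if it does not."""
    image = (event.get("Image") or "").strip().strip('"')
    original = (event.get("OriginalFileName") or "").strip()
    # Compare the last path component, case-insensitively, so that a path
    # such as C:\Tools\notfinger.exe does not match a bare suffix check.
    if ntpath.basename(image).lower() == TARGET:
        return "image"
    # A renamed copy keeps its embedded version-info name (assumed field).
    if original.lower() == TARGET:
        return "original_file_name"
    return None

def triage(events):
    """Collect (host, user, reason) for every matching event."""
    hits = []
    for ev in events:
        reason = match_finger(ev)
        if reason:
            hits.append((ev.get("Computer"), ev.get("User"), reason))
    return hits

# Constructed sample events (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\finger.exe",
     "OriginalFileName": "finger.exe"},
    {"Computer": "WS-02", "User": "CORP\\bob",
     "Image": "C:\\WINDOWS\\SYSWOW64\\FINGER.EXE"},          # case differs
    {"Computer": "WS-03", "User": "CORP\\carol",
     "Image": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "finger.exe"},                      # renamed copy
    {"Computer": "WS-04", "User": "CORP\\dave",
     "Image": "C:\\Tools\\notfinger.exe",
     "OriginalFileName": "notfinger.exe"},                   # near miss
    {"Computer": "WS-05", "User": "CORP\\erin", "Image": None},  # no image
]

if __name__ == "__main__":
    for host, user, reason in triage(SAMPLE_EVENTS):
        print(f"{host}\t{user}\tmatched on {reason}")
```
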
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-02-24