
Summary
This detection rule identifies network connections initiated by the `finger.exe` utility on Windows systems. The `finger` protocol is a relic of earlier computing eras, but adversaries can abuse the client to fetch remote commands for execution. Its use in recent attack campaigns, particularly the ClickFix malware incidents, underscores its relevance to threat detection. Adversaries may leverage this utility to establish command-and-control (C2) communications, so detecting it early matters for timely intervention. Monitoring such network connections can surface malicious actors who rely on outdated and uncommon tools for their operations. Given how rarely `finger.exe` is used in contemporary Windows networks, any observed connection from it should be treated as a potential indicator of malicious activity. Investigators should therefore focus on these connections to uncover any associated malicious infrastructure.
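The following is an added example of the detection logic described above, not code from the original rule page. It runs over constructed process network-connection records in the shape of Sysmon Event ID 3 (NetworkConnect) entries and flags outbound connections whose process image is `finger.exe`, matching on the image basename case-insensitively so that a copy in `SysWOW64` or an upper-cased name still matches while a differently named binary does not. The sample events, hostnames and IP addresses are constructed for illustration.

```python
"""Flag network connections initiated by finger.exe.

Added example; not part of the original detection rule page. Input records
use Sysmon Event ID 3 (NetworkConnect) field names. All sample data below
is constructed for illustration.
"""
import json
import ntpath
from typing import Iterable

# Constructed sample events in the shape of Sysmon Event ID 3 records.
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "2025-11-19 10:01:02.000", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\finger.exe", "User": "CORP\\alice",
     "Initiated": "true", "DestinationIp": "203.0.113.10",
     "DestinationPort": 79, "DestinationHostname": "c2.example.invalid"},
    {"EventID": 3, "UtcTime": "2025-11-19 10:01:05.000", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\chrome.exe", "User": "CORP\\alice",
     "Initiated": "true", "DestinationIp": "198.51.100.20",
     "DestinationPort": 443, "DestinationHostname": "www.example.invalid"},
    # Case variation and 32-bit path: should still match.
    {"EventID": 3, "UtcTime": "2025-11-19 10:02:00.000", "Computer": "WS02",
     "Image": "C:\\Windows\\SysWOW64\\FINGER.EXE", "User": "CORP\\bob",
     "Initiated": "true", "DestinationIp": "198.51.100.7",
     "DestinationPort": 79, "DestinationHostname": "-"},
    # Different binary whose name merely contains "finger": must not match.
    {"EventID": 3, "UtcTime": "2025-11-19 10:03:00.000", "Computer": "WS02",
     "Image": "C:\\Tools\\notfinger.exe", "User": "CORP\\bob",
     "Initiated": "true", "DestinationIp": "198.51.100.7",
     "DestinationPort": 79, "DestinationHostname": "-"},
    # Inbound connection (Initiated=false): the rule is about initiated ones.
    {"EventID": 3, "UtcTime": "2025-11-19 10:04:00.000", "Computer": "WS03",
     "Image": "C:\\Windows\\System32\\finger.exe", "User": "CORP\\carol",
     "Initiated": "false", "DestinationIp": "10.0.0.5",
     "DestinationPort": 79, "DestinationHostname": "-"},
]

# The same events as newline-delimited JSON, plus one malformed line, to show
# the parser tolerating export noise.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json\n"


def is_finger_connect(event: dict) -> bool:
    """True for an outbound Sysmon EID 3 event whose image basename is finger.exe."""
    if event.get("EventID") != 3:
        return False
    # Sysmon records Initiated as the string "true"/"false"; accept bool too.
    if str(event.get("Initiated", "true")).lower() != "true":
        return False
    image = event.get("Image") or ""
    # Compare the basename only, so the directory and letter case do not matter
    # and "notfinger.exe" is not confused with "finger.exe".
    return ntpath.basename(image).lower() == "finger.exe"


def find_finger_connections(events: Iterable[dict]) -> list[dict]:
    """Return a compact record for every matching event, in input order."""
    hits = []
    for e in events:
        if is_finger_connect(e):
            hits.append({
                "time": e.get("UtcTime"),
                "host": e.get("Computer"),
                "user": e.get("User"),
                "image": e.get("Image"),
                "dest": f"{e.get('DestinationIp')}:{e.get('DestinationPort')}",
                "dest_hostname": e.get("DestinationHostname"),
            })
    return hits


def scan_jsonl(lines: Iterable[str]) -> list[dict]:
    """Parse newline-delimited JSON events and run the detector over them."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
    return find_finger_connections(events)


if __name__ == "__main__":
    for hit in scan_jsonl(SAMPLE_JSONL.splitlines()):
        print(f"[finger.exe network connection] {hit}")
```

Each hit carries the user, host, image path and destination, which is what an investigator needs to pivot from the alert to the remote infrastructure the summary above says should be examined.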
Categories
- Network
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
Created: 2025-11-19