
Summary
The rule detects DNS queries initiated by the 'finger' utility (finger.exe) on Windows devices. Threat actors can abuse this utility to fetch and execute commands, and because finger is increasingly rare in modern Windows environments, any use of it is suspicious. Past malware campaigns, in particular the ClickFix campaign, have used the finger protocol to deliver commands from a remote server to compromised machines. The rule aims to surface such activity so that potential command and control (C2) communications and the associated malicious infrastructure can be identified. Investigating the flagged DNS queries can provide insight into unauthorized access attempts and related threats.
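As an added example (not the rule's own query language or the vendor's code), the detection logic below applies the rule's condition to constructed DNS-query events. It assumes a Sysmon-style DNS query event schema (Event ID 22 with Image, QueryName, User and Computer fields); the hostnames, users and domains are placeholders.

```python
"""Added example: flag DNS-query events initiated by finger.exe.
Assumes Sysmon-style Event ID 22 records expressed as dicts."""
import ntpath
from typing import Dict, Iterable, List

# Process images the rule flags. Matching on the basename, case-insensitively,
# catches System32, SysWOW64 and copies run from non-standard paths.
FINGER_IMAGES = {"finger.exe"}


def is_finger_dns_query(event: Dict) -> bool:
    """True when a DNS-query event (EventID 22) was initiated by finger.exe."""
    if event.get("EventID") != 22:
        return False
    image = event.get("Image", "")
    return ntpath.basename(image).lower() in FINGER_IMAGES


def find_finger_queries(events: Iterable[Dict]) -> List[Dict]:
    """Return a compact alert record for every matching event, in order."""
    return [
        {"host": e.get("Computer"), "user": e.get("User"), "image": e["Image"],
         "query": e.get("QueryName"), "pid": e.get("ProcessId")}
        for e in events if is_finger_dns_query(e)
    ]


# Constructed sample events (assumed schema); values are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\finger.exe",
     "QueryName": "placeholder-c2.invalid", "ProcessId": 4120},
    {"EventID": 22, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "www.example.com", "ProcessId": 3300},
    # Process-creation event (EventID 1) for finger.exe: not a DNS query, ignored.
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\finger.exe", "ProcessId": 5012},
    # Mixed-case SysWOW64 path still matches.
    {"EventID": 22, "Computer": "WS02", "User": "CORP\\bob",
     "Image": "c:\\windows\\syswow64\\FINGER.EXE",
     "QueryName": "placeholder-c2.invalid", "ProcessId": 5013},
]

if __name__ == "__main__":
    for alert in find_finger_queries(SAMPLE_EVENTS):
        print(alert)
```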
Categories
- Endpoint
- Windows
Data Sources
- Network Traffic
- Process
Created: 2025-11-19