2025-12-08 10:32:49 +01:00
function Block-FingerProtocol {
<#
. SYNOPSIS
Blocks outbound connections to TCP Port 79 ( Finger protocol ) via Windows Firewall
. DESCRIPTION
Creates a Windows Firewall rule to block all outbound connections to TCP port 79 ,
preventing abuse of the finger . exe command in ClickFix malware campaigns .
THREAT : ClickFix attacks use finger . exe to retrieve commands from remote servers
on port 79 , which are then piped to cmd . exe for execution .
MITIGATION : Block outbound port 79 to prevent finger . exe from reaching C2 servers .
. PARAMETER DryRun
Preview changes without applying them
. EXAMPLE
Block-FingerProtocol
Blocks outbound finger protocol connections
. NOTES
Author : NexusOne23
2025-12-20 23:08:01 +01:00
Version : 2.2 . 1
2025-12-08 10:32:49 +01:00
Requires : Administrator privileges
REFERENCES :
- https : / / www . bleepingcomputer . com / news / security / decades-old -finger -protocol -abused -in -clickfix -malware -attacks /
- https : / / redteamnews . com / threat-intelligence / clickfix-malware -campaigns -resurrect -decades -old -finger -protocol -for -command -retrieval /
#>
[ CmdletBinding ( ) ]
param (
[ Parameter ( Mandatory = $false ) ]
[ switch ] $DryRun
)
try {
$ruleName = " NoID Privacy - Block Finger Protocol (Port 79) "
Write-Log -Level INFO -Message " Checking for existing Finger protocol block rule... " -Module " AdvancedSecurity "
# Check if rule already exists
$existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ( $existingRule ) {
Write-Log -Level INFO -Message " Finger protocol block rule already exists " -Module " AdvancedSecurity "
# Show user that protection is already active
Write-Host " "
Write-Host " Finger Protocol Block: Already Protected " -ForegroundColor Green
Write-Host " Rule: $ruleName " -ForegroundColor Gray
Write-Host " Status: Active (Outbound TCP port 79 blocked) " -ForegroundColor Gray
Write-Host " Protection: ClickFix malware using finger.exe " -ForegroundColor Gray
Write-Host " "
return $true
}
if ( $DryRun ) {
Write-Log -Level INFO -Message " [DRYRUN] Would create firewall rule to block outbound TCP port 79 " -Module " AdvancedSecurity "
return $true
}
Write-Log -Level INFO -Message " Creating Windows Firewall rule to block outbound finger protocol (TCP 79)... " -Module " AdvancedSecurity "
# Create outbound firewall rule
$ruleParams = @ {
DisplayName = $ruleName
Description = " Blocks outbound connections to TCP port 79 (Finger protocol) to prevent ClickFix malware attacks. The finger.exe command is abused to retrieve malicious commands from remote servers. "
Direction = " Outbound "
Action = " Block "
Protocol = " TCP "
RemotePort = 79
Profile = " Any "
Enabled = " True "
ErrorAction = " Stop "
}
New-NetFirewallRule @ruleParams | Out-Null
# Verify rule was created
$verifyRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ( $verifyRule ) {
Write-Log -Level SUCCESS -Message " Finger protocol (TCP port 79) outbound connections blocked " -Module " AdvancedSecurity "
Write-Log -Level INFO -Message " ClickFix malware campaigns using finger.exe are now mitigated " -Module " AdvancedSecurity "
Write-Host " "
Write-Host " Firewall Rule Created: " -ForegroundColor Green
Write-Host " Name: $ruleName " -ForegroundColor Gray
Write-Host " Blocks: Outbound TCP port 79 (Finger protocol) " -ForegroundColor Gray
Write-Host " Protection: ClickFix malware using finger.exe " -ForegroundColor Gray
Write-Host " "
return $true
}
else {
Write-Log -Level ERROR -Message " Firewall rule creation failed - verification unsuccessful " -Module " AdvancedSecurity "
return $false
}
}
catch {
Write-Log -Level ERROR -Message " Failed to create finger protocol block rule: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
return $false
}
}
