v2.2.0 - Complete Security Hardening Framework (632 Settings)

2026-03-09 18:32:54 +01:00 · 2025-12-08 10:32:49 +01:00 · 2025-12-08 10:32:49 +01:00 · ba364813ed
commit ba364813ed
195 changed files with 43788 additions and 0 deletions
--- a/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1
+++ b/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1
@ -0,0 +1,107 @@
+function Block-FingerProtocol {
+    <#
+    .SYNOPSIS
+        Blocks outbound connections to TCP Port 79 (Finger protocol) via Windows Firewall
+        
+    .DESCRIPTION
+        Creates a Windows Firewall rule to block all outbound connections to TCP port 79,
+        preventing abuse of the finger.exe command in ClickFix malware campaigns.
+        
+        THREAT: ClickFix attacks use finger.exe to retrieve commands from remote servers
+        on port 79, which are then piped to cmd.exe for execution.
+        
+        MITIGATION: Block outbound port 79 to prevent finger.exe from reaching C2 servers.
+        
+    .PARAMETER DryRun
+        Preview changes without applying them
+        
+    .EXAMPLE
+        Block-FingerProtocol
+        Blocks outbound finger protocol connections
+        
+    .NOTES
+        Author: NexusOne23
+        Version: 2.2.0
+        Requires: Administrator privileges
+        
+        REFERENCES:
+        - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
+        - https://redteamnews.com/threat-intelligence/clickfix-malware-campaigns-resurrect-decades-old-finger-protocol-for-command-retrieval/
+    #>
+    
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [switch]$DryRun
+    )
+    
+    try {
+        $ruleName = "NoID Privacy - Block Finger Protocol (Port 79)"
+        
+        Write-Log -Level INFO -Message "Checking for existing Finger protocol block rule..." -Module "AdvancedSecurity"
+        
+        # Check if rule already exists
+        $existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
+        
+        if ($existingRule) {
+            Write-Log -Level INFO -Message "Finger protocol block rule already exists" -Module "AdvancedSecurity"
+            
+            # Show user that protection is already active
+            Write-Host ""
+            Write-Host "Finger Protocol Block: Already Protected" -ForegroundColor Green
+            Write-Host "  Rule: $ruleName" -ForegroundColor Gray
+            Write-Host "  Status: Active (Outbound TCP port 79 blocked)" -ForegroundColor Gray
+            Write-Host "  Protection: ClickFix malware using finger.exe" -ForegroundColor Gray  
+            Write-Host ""
+            
+            return $true
+        }
+        
+        if ($DryRun) {
+            Write-Log -Level INFO -Message "[DRYRUN] Would create firewall rule to block outbound TCP port 79" -Module "AdvancedSecurity"
+            return $true
+        }
+        
+        Write-Log -Level INFO -Message "Creating Windows Firewall rule to block outbound finger protocol (TCP 79)..." -Module "AdvancedSecurity"
+        
+        # Create outbound firewall rule
+        $ruleParams = @{
+            DisplayName   = $ruleName
+            Description   = "Blocks outbound connections to TCP port 79 (Finger protocol) to prevent ClickFix malware attacks. The finger.exe command is abused to retrieve malicious commands from remote servers."
+            Direction     = "Outbound"
+            Action        = "Block"
+            Protocol      = "TCP"
+            RemotePort    = 79
+            Profile       = "Any"
+            Enabled       = "True"
+            ErrorAction   = "Stop"
+        }
+        
+        New-NetFirewallRule @ruleParams | Out-Null
+        
+        # Verify rule was created
+        $verifyRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
+        
+        if ($verifyRule) {
+            Write-Log -Level SUCCESS -Message "Finger protocol (TCP port 79) outbound connections blocked" -Module "AdvancedSecurity"
+            Write-Log -Level INFO -Message "ClickFix malware campaigns using finger.exe are now mitigated" -Module "AdvancedSecurity"
+            
+            Write-Host ""
+            Write-Host "Firewall Rule Created:" -ForegroundColor Green
+            Write-Host "Name: $ruleName" -ForegroundColor Gray
+            Write-Host "Blocks: Outbound TCP port 79 (Finger protocol)" -ForegroundColor Gray
+            Write-Host "Protection: ClickFix malware using finger.exe" -ForegroundColor Gray
+            Write-Host ""
+            
+            return $true
+        }
+        else {
+            Write-Log -Level ERROR -Message "Firewall rule creation failed - verification unsuccessful" -Module "AdvancedSecurity"
+            return $false
+        }
+    }
+    catch {
+        Write-Log -Level ERROR -Message "Failed to create finger protocol block rule: $_" -Module "AdvancedSecurity" -Exception $_.Exception
+        return $false
+    }
+}