Executive Summary
In November 2023, organizations reported a wave of Living-off-the-Land (LotL) attacks known as ClickFix, in which adversaries abused the legacy finger.exe utility on Windows systems. Attackers used finger.exe to retrieve and execute malicious scripts over the finger protocol on TCP port 79, bypassing endpoint security tools that are often tuned for more common protocols. The technique allowed attackers to maintain stealthy communications and initial access, exposing corporate environments where outbound traffic controls were inadequate. No major ransomware group claimed responsibility, but the campaign highlighted increasing sophistication in LotL abuse, putting enterprises at risk of lateral movement and data exfiltration.
This incident is highly relevant given the resurgence of attackers abusing built-in OS utilities to evade detection, as well as increased regulatory scrutiny over encrypted and segmented internal network traffic. Organizations must reevaluate their defenses against legacy protocol abuse.
Why This Matters Now
The abuse of finger.exe in ClickFix attacks exposes gaps in traditional proxy and firewall configurations, making it urgent for security teams to review egress controls for legacy protocols. As attackers pivot to less-monitored channels, organizations must adapt segmentation, anomaly detection, and zero trust controls to address such evolving Living-off-the-Land techniques.
Attack Path Analysis
The attack began when the adversary leveraged finger.exe as a Living-off-the-Land Binary to initiate an outbound connection and retrieve a malicious payload, bypassing proxy restrictions where they were not properly configured. After gaining an initial foothold, the attacker likely attempted to escalate privileges on the compromised host to expand access. With elevated privileges, they sought opportunities for lateral movement across internal workloads. The attacker established command and control through the finger protocol over TCP port 79, evading weak outbound restrictions. They could then exfiltrate sensitive data disguised as benign traffic via this channel. Ultimately, the attacker could trigger malicious scripts or cause further business disruption depending on the payload's capability.
Kill Chain Progression
Initial Compromise
Description
The attacker used finger.exe to make an unauthorized outbound connection and download a malicious script, exploiting direct access to TCP port 79 that was permitted from the corporate environment.
Related CVEs
CVE-2021-34527
CVSS 8.8
A remote code execution vulnerability exists in the Windows Print Spooler service, allowing attackers to execute arbitrary code with SYSTEM privileges.
Affected Products:
Microsoft Windows Print Spooler – All supported versions
Exploit Status:
Exploited in the wild
CVE-2021-1675
CVSS 7.8
A remote code execution vulnerability exists in the Windows Print Spooler service, allowing attackers to execute arbitrary code with SYSTEM privileges.
Affected Products:
Microsoft Windows Print Spooler – All supported versions
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Signed Binary Proxy Execution: System Binary
Ingress Tool Transfer
Application Layer Protocol: Web Protocols
Archive Collected Data
Exfiltration Over Web Service
Obfuscated Files or Information
Indicator Removal on Host: File Deletion
Commonly Used Port
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict direct public access between the Internet and system components
Control ID: 1.3.4
NYDFS 23 NYCRR 500 – Limitations on Data Retention
Control ID: 500.13
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Network Segmentation and Explicit Monitoring
Control ID: Network Pillar: Monitoring & Segmentation
NIS2 Directive – Implementing policies for handling network and information system risks
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix attacks using finger.exe bypass proxy controls, threatening transaction systems and customer data through living-off-the-land techniques requiring enhanced egress filtering.
Health Care / Life Sciences
Finger protocol attacks exploit legacy Windows systems in medical environments, potentially compromising patient data and violating HIPAA compliance through undetected lateral movement.
Government Administration
Living-off-the-land finger.exe attacks pose critical risks to government networks by circumventing traditional security controls and enabling covert command-and-control communications.
Education Management
Educational institutions face elevated risks from ClickFix campaigns leveraging finger.exe, as mixed proxy environments and legacy systems create security gaps.
Sources
- Finger.exe & ClickFix, (Sun, Nov 16th) – https://isc.sans.edu/diary/rss/32492
- ClickFix campaign leverages finger.exe to trick users into running malicious commands – https://cyberpress.org/clickfix-campaign/
- Experts warn ClickFix malware attacks are back, and more dangerous than ever before - here's how to stay safe – https://www.techradar.com/pro/security/experts-warn-clickfix-malware-attacks-are-back-and-more-dangerous-than-ever-before
- Windows Finger command abused by phishing to download malware – https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strict egress enforcement, and traffic visibility would have limited or blocked finger.exe's ability to establish unauthorized external connections, hindering the kill chain at multiple stages and preventing lateral movement and exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unsanctioned ports like TCP 79 would be blocked.
Control: Multicloud Visibility & Control
Mitigation: Suspicious privilege escalation attempts would be detected via baselining.
Control: Zero Trust Segmentation
Mitigation: Unauthorized east-west movement between workloads would be prevented.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 channels over non-standard ports would be detected and blocked.
Control: Inline IPS (Suricata)
Mitigation: Sensitive data transfers over suspicious protocols would be identified inline.
Real-time threat detection would accelerate containment and mitigate impact.
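The egress and visibility controls above come down to two observable facts on the host and the wire: a legacy binary (finger.exe) starting, and a process opening an outbound TCP/79 connection that no egress allow-list sanctions. The following detection logic is an added example and is not part of the original report or of any vendor product. It runs over constructed Sysmon-style events (Event ID 1 = ProcessCreate, Event ID 3 = NetworkConnect) embedded as newline-delimited JSON; the field names follow Sysmon's schema, while the GUIDs, paths, addresses and the 80/443 egress allow-list are assumptions made for the example. It correlates the two event types by ProcessGuid so that a finger.exe launch followed by its own TCP/79 connection is raised as a single higher-confidence finding, alongside the generic egress-policy violation any process would trigger.

```python
"""Detection of finger.exe LotL abuse and TCP/79 egress violations over Sysmon-style telemetry.

Added example (not from the report). All sample data below is constructed.
"""
import json
from dataclasses import dataclass

FINGER_PORT = 79
SANCTIONED_EGRESS_PORTS = {80, 443}   # assumed egress allow-list for this example
SUSPICIOUS_IMAGES = {"finger.exe"}    # legacy binaries treated as LOLBins here

# Constructed sample telemetry, one JSON object per line (raw string: "\\" is one backslash in JSON).
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\finger.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"}
{"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\finger.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 79, "Protocol": "tcp"}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Browser\\browser.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Tools\\legacy.exe", "DestinationIp": "192.0.2.5", "DestinationPort": 79, "Protocol": "tcp"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str          # which detection fired
    process_guid: str  # Sysmon ProcessGuid the finding is tied to
    detail: str        # human-readable context for the analyst


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased basename of a Windows image path, e.g. 'C:\\X\\Finger.EXE' -> 'finger.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three detections in event order and return the findings.

    lolbin_execution       : a ProcessCreate for a binary in SUSPICIOUS_IMAGES
    egress_policy_violation: a NetworkConnect to a port outside SANCTIONED_EGRESS_PORTS
    finger_c2_channel      : a TCP/79 connection by a process already seen as a LOLBin launch
    """
    findings = []
    lolbin_procs = set()  # ProcessGuids of flagged LOLBin launches, for correlation
    for ev in events:
        name = image_name(ev.get("Image", ""))
        guid = ev.get("ProcessGuid", "?")
        if ev.get("EventID") == 1 and name in SUSPICIOUS_IMAGES:
            lolbin_procs.add(guid)
            parent = image_name(ev.get("ParentImage", ""))
            findings.append(Finding("lolbin_execution", guid,
                                    f"{name} started by {parent} as {ev.get('User')}"))
        elif ev.get("EventID") == 3:
            port = ev.get("DestinationPort")
            dest = f"{ev.get('DestinationIp')}:{port}"
            if port not in SANCTIONED_EGRESS_PORTS:
                findings.append(Finding("egress_policy_violation", guid,
                                        f"{name} -> {dest} is outside the egress allow-list"))
            if port == FINGER_PORT and guid in lolbin_procs:
                findings.append(Finding("finger_c2_channel", guid,
                                        f"{name} opened TCP/{FINGER_PORT} to {dest} after LOLBin launch"))
    return findings


def rule_counts(findings):
    """Count findings per rule name, useful for a quick triage summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = detect(parse_events(SAMPLE_EVENTS))
    for f in results:
        print(f"[{f.rule}] {f.process_guid}: {f.detail}")
    print(rule_counts(results))
```

On the constructed sample the browser process ({B2}) produces no finding, the unrelated legacy tool ({C3}) trips only the egress rule, and finger.exe ({A1}) trips both the LOLBin launch and the correlated finger_c2_channel rule. In production the same two checks map directly onto the controls listed above: the egress rule is what a port allow-list enforces inline, and the correlated rule is what the visibility layer should surface for containment.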
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive user credentials and internal communications due to malware execution.
Recommended Actions
Key Takeaways & Next Steps
- Apply strict egress filtering to block direct outbound access to unsanctioned Internet ports (e.g., TCP 79) from workloads.
- Deploy Zero Trust segmentation and microsegmentation to prevent lateral attacker movement and contain breaches.
- Enable cloud-native firewalling and inline IPS to detect and block Living-off-the-Land tool misuse and covert channels.
- Enhance traffic visibility and anomaly detection to rapidly identify unauthorized protocol use and escalation attempts.
- Regularly review and enforce centralized, workload-to-workload and outbound policy controls to maintain a least-privilege posture.