Download ZIP

clickfix-remedy-suggestions.md · 4.9 KiB · Markdown Raw

**ClickFix** attacks rely on social engineering rather than software exploits. The user is tricked into copying or executing commands (often PowerShell) to “fix” a fake issue such as a CAPTCHA, browser error, or update. Because the user voluntarily runs the command, many traditional protections are bypassed. Effective defense requires restricting what a standard user can execute and detecting suspicious scripting activity. --- ## 1. Block or Constrain PowerShell Execution Most ClickFix payloads are delivered via PowerShell. **Controls:** * **PowerShell Constrained Language Mode** * **Disable PowerShell v2** * **Script Block Logging** * **Module Logging** * **Transcription Logging** Example hardening via GPO: ``` Computer Configuration Administrative Templates Windows Components Windows PowerShell Turn on Script Block Logging Turn on Module Logging Turn on PowerShell Transcription ``` Recommended execution policy: ``` Set-ExecutionPolicy AllSigned ``` For higher security environments: ``` Disable PowerShell for non-admin users ``` or use **AppLocker / WDAC** to restrict PowerShell entirely. --- ## 2. Application Allow-Listing (Very Effective) ClickFix often launches: * `powershell.exe` * `cmd.exe` * `mshta.exe` * `wscript.exe` * `cscript.exe` * `rundll32.exe` * `regsvr32.exe` Use allow-listing to prevent standard users from launching these unless required. ### Option A — AppLocker Create rules such as: Allow: ``` %WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe ``` Only for **IT admins group**, not standard users. Block: ``` cmd.exe powershell.exe mshta.exe wscript.exe cscript.exe ``` for regular users. ### Option B — Windows Defender Application Control (WDAC) Stronger than AppLocker. Policies can enforce: * only signed Microsoft binaries * only approved scripts * block script interpreters entirely --- ## 3. Attack Surface Reduction (ASR) Rules These are extremely useful for this attack class. Enable these rules in Microsoft Defender: Key rules: **Block Office applications from creating child processes** ``` GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A ``` **Block executable content from email and webmail** ``` GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 ``` **Block credential stealing from LSASS** ``` GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 ``` **Block process creation from PSExec/WMI** ``` GUID: D1E49AAC-8F56-4280-B9BA-993A6D77406C ``` ASR dramatically reduces post-click exploitation. --- ## 4. Block Dangerous LOLBins ClickFix attacks frequently use “Living Off the Land Binaries”. Block for standard users: ``` mshta.exe regsvr32.exe rundll32.exe powershell.exe cmd.exe wscript.exe cscript.exe bitsadmin.exe certutil.exe ``` This can be done with: * AppLocker * WDAC * EDR policies --- ## 5. Browser Protections Most ClickFix attacks begin in the browser. Enforce policies for: * block **clipboard access prompts** * disable **automatic downloads** * disable **“paste into console” warnings bypass** Chrome/Edge enterprise policies: ``` ClipboardAllowedFormats = restricted DefaultDownloadRestrictions = 3 ``` Additionally: Enable **SmartScreen**. --- ## 6. DNS / Web Filtering Block known delivery domains. Good protection layers: * DNS filtering * Secure web gateway * block newly registered domains Recommended: * block domains <30 days old * block dynamic DNS providers --- ## 7. Endpoint Detection Look for suspicious command patterns like: ``` powershell -enc powershell -nop powershell -w hidden iex (new-object net.webclient) curl | powershell ``` Monitoring tools should alert on: * encoded PowerShell * clipboard-to-terminal patterns * child processes spawned by browsers --- ## 8. Disable PowerShell from Browser Context Many attacks launch PowerShell via browser. Block this chain: ``` browser -> powershell browser -> cmd browser -> mshta ``` Defender / EDR rules can block **browser-spawned script interpreters**. --- ## 9. User Copy-Paste Protection Some EDR tools now block suspicious clipboard commands. Policies: * prevent pasting commands containing * `powershell` * `iex` * `downloadstring` into terminals. --- ## 10. Security Awareness (Still Required) Even with strong controls, user behavior matters. Train users: Never paste commands from websites into: * PowerShell * Terminal * Command Prompt Legitimate IT support **never instructs users to paste commands**. --- # Practical Enterprise Baseline (Recommended) For an organization like the infrastructure you are designing: 1. **WDAC allow-listing** 2. **ASR rules enabled** 3. **PowerShell logging + constrained mode** 4. **block LOLBins for standard users** 5. **DNS filtering** 6. **EDR detection for encoded PowerShell** This combination stops the vast majority of ClickFix attacks. --- If useful, a next step can be provided: **A hardened Windows security baseline specifically designed to block ClickFix-style attacks (AppLocker + ASR + PowerShell GPO examples).**

ClickFix attacks rely on social engineering rather than software exploits. The user is tricked into copying or executing commands (often PowerShell) to “fix” a fake issue such as a CAPTCHA, browser error, or update. Because the user voluntarily runs the command, many traditional protections are bypassed.

Effective defense requires restricting what a standard user can execute and detecting suspicious scripting activity.

1. Block or Constrain PowerShell Execution

Most ClickFix payloads are delivered via PowerShell.

Controls:

PowerShell Constrained Language Mode
Disable PowerShell v2
Script Block Logging
Module Logging
Transcription Logging

Example hardening via GPO:

Computer Configuration
  Administrative Templates
    Windows Components
      Windows PowerShell
        Turn on Script Block Logging
        Turn on Module Logging
        Turn on PowerShell Transcription

Recommended execution policy:

Set-ExecutionPolicy AllSigned

For higher security environments:

Disable PowerShell for non-admin users

or use AppLocker / WDAC to restrict PowerShell entirely.

2. Application Allow-Listing (Very Effective)

ClickFix often launches:

powershell.exe
cmd.exe
mshta.exe
wscript.exe
cscript.exe
rundll32.exe
regsvr32.exe

Use allow-listing to prevent standard users from launching these unless required.

Option A — AppLocker

Create rules such as:

Allow:

%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe

Only for IT admins group, not standard users.

Block:

cmd.exe
powershell.exe
mshta.exe
wscript.exe
cscript.exe

for regular users.

Option B — Windows Defender Application Control (WDAC)

Stronger than AppLocker.

Policies can enforce:

only signed Microsoft binaries
only approved scripts
block script interpreters entirely

3. Attack Surface Reduction (ASR) Rules

These are extremely useful for this attack class.

Enable these rules in Microsoft Defender:

Key rules:

Block Office applications from creating child processes

GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Block executable content from email and webmail

GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550

Block credential stealing from LSASS

GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2

Block process creation from PSExec/WMI

GUID: D1E49AAC-8F56-4280-B9BA-993A6D77406C

ASR dramatically reduces post-click exploitation.

4. Block Dangerous LOLBins

ClickFix attacks frequently use “Living Off the Land Binaries”.

Block for standard users:

mshta.exe
regsvr32.exe
rundll32.exe
powershell.exe
cmd.exe
wscript.exe
cscript.exe
bitsadmin.exe
certutil.exe

This can be done with:

AppLocker
WDAC
EDR policies

5. Browser Protections

Most ClickFix attacks begin in the browser.

Enforce policies for:

block clipboard access prompts
disable automatic downloads
disable “paste into console” warnings bypass

Chrome/Edge enterprise policies:

ClipboardAllowedFormats = restricted
DefaultDownloadRestrictions = 3

Additionally:

Enable SmartScreen.

6. DNS / Web Filtering

Block known delivery domains.

Good protection layers:

DNS filtering
Secure web gateway
block newly registered domains

Recommended:

block domains <30 days old
block dynamic DNS providers

7. Endpoint Detection

Look for suspicious command patterns like:

powershell -enc
powershell -nop
powershell -w hidden
iex (new-object net.webclient)
curl | powershell

Monitoring tools should alert on:

encoded PowerShell
clipboard-to-terminal patterns
child processes spawned by browsers

8. Disable PowerShell from Browser Context

Many attacks launch PowerShell via browser.

Block this chain:

browser -> powershell
browser -> cmd
browser -> mshta

Defender / EDR rules can block browser-spawned script interpreters.

9. User Copy-Paste Protection

Some EDR tools now block suspicious clipboard commands.

Policies:

prevent pasting commands containing
- powershell
- iex
- downloadstring

into terminals.

10. Security Awareness (Still Required)

Even with strong controls, user behavior matters.

Train users:

Never paste commands from websites into:

PowerShell
Terminal
Command Prompt

Legitimate IT support never instructs users to paste commands.

Practical Enterprise Baseline (Recommended)

For an organization like the infrastructure you are designing:

WDAC allow-listing
ASR rules enabled
PowerShell logging + constrained mode
block LOLBins for standard users
DNS filtering
EDR detection for encoded PowerShell

This combination stops the vast majority of ClickFix attacks.

If useful, a next step can be provided:

A hardened Windows security baseline specifically designed to block ClickFix-style attacks (AppLocker + ASR + PowerShell GPO examples).