**ClickFix** attacks rely on social engineering rather than software exploits. The user is tricked into copying or executing commands (often PowerShell) to “fix” a fake issue such as a CAPTCHA, browser error, or update. Because the user voluntarily runs the command, many traditional protections are bypassed. Effective defense requires restricting what a standard user can execute and detecting suspicious scripting activity.

---

## 1. Block or Constrain PowerShell Execution

Most ClickFix payloads are delivered via PowerShell.

**Controls:**

* **PowerShell Constrained Language Mode**
* **Disable PowerShell v2**
* **Script Block Logging**
* **Module Logging**
* **Transcription Logging**

Example hardening via GPO:

```
Computer Configuration
  Administrative Templates
    Windows Components
      Windows PowerShell
        Turn on Script Block Logging
        Turn on Module Logging
        Turn on PowerShell Transcription
```

Recommended execution policy:

```
Set-ExecutionPolicy AllSigned
```

For higher-security environments, disable PowerShell for non-admin users, or use **AppLocker / WDAC** to restrict PowerShell entirely.

---

## 2. Application Allow-Listing (Very Effective)

ClickFix often launches:

* `powershell.exe`
* `cmd.exe`
* `mshta.exe`
* `wscript.exe`
* `cscript.exe`
* `rundll32.exe`
* `regsvr32.exe`

Use allow-listing to prevent standard users from launching these unless required.

### Option A — AppLocker

Create rules such as:

Allow:

```
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe
```

only for the **IT admins group**, not standard users.

Block:

```
cmd.exe
powershell.exe
mshta.exe
wscript.exe
cscript.exe
```

for regular users.

### Option B — Windows Defender Application Control (WDAC)

Stronger than AppLocker. Policies can enforce:

* only signed Microsoft binaries
* only approved scripts
* blocking script interpreters entirely

---

## 3. Attack Surface Reduction (ASR) Rules

These are extremely useful for this attack class.
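The AppLocker rules in section 2 above are sketched as path rules; a deny rule on a path is sidestepped by copying the binary somewhere else, so in practice the deny is written as a *publisher* rule, which matches the signed file wherever it lives. The script below is an added example, not part of the original text: it generates publisher deny rules for the interpreters listed in section 2 (and `powershell_ise.exe`, which runs the same engine), scoped to a standard-users group so administrators keep access, and merges them into the local AppLocker policy in audit mode. The group SID and the scratch file path are assumptions to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): AppLocker publisher deny rules for the
# script interpreters from section 2, scoped to a standard-users group.

# ASSUMPTION: SID of the group that holds standard users. Replace with your own.
# Deny rules win over allow rules for the same principal, so never scope this to
# Everyone (S-1-1-0) or administrators lose PowerShell as well.
$StandardUsersSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'

# Section 2 list plus powershell_ise.exe (same engine, same bypass potential).
$Binaries = @('powershell.exe', 'powershell_ise.exe', 'cmd.exe', 'mshta.exe',
              'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe')

function New-DenyRuleXml {
    param([string]$BinaryName, [string]$GroupSid)
    # Every listed binary is signed by Microsoft under the Windows product name;
    # the publisher condition keys on signer + product + file name, any version.
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePublisherRule Id="$id" Name="ClickFix: deny $BinaryName for standard users" Description="" UserOrGroupSid="$GroupSid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="$($BinaryName.ToUpper())">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# AuditOnly first: denying rundll32/regsvr32 and wscript/cscript breaks Control Panel
# applets and logon scripts. Review AppLocker EXE and DLL event 8003 before enforcing.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(($Binaries | ForEach-Object { New-DenyRuleXml -BinaryName $_ -GroupSid $StandardUsersSid }) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'clickfix-deny.xml'   # ASSUMPTION: scratch location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: report the decision the rules produce for powershell.exe as a standard user.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -User $StandardUsersSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# -Merge keeps the existing default allow rules. An enforced Exe collection that holds
# only deny rules blocks everything that is not explicitly allowed, so the default
# rules must already be in place.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Once the audit log shows nothing legitimate hitting the rules, switch `EnforcementMode` to `Enabled` and re-run. The same pattern applies unchanged to the longer LOLBin list in section 4 (`bitsadmin.exe`, `certutil.exe`), which carry the same publisher and product name.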
Enable these rules in Microsoft Defender. Key rules:

**Block Office applications from creating child processes**

```
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
```

**Block executable content from email and webmail**

```
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
```

**Block credential stealing from LSASS**

```
GUID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
```

**Block process creation from PSExec/WMI**

```
GUID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
```

ASR dramatically reduces post-click exploitation.

---

## 4. Block Dangerous LOLBins

ClickFix attacks frequently use “Living Off the Land Binaries” (LOLBins).

Block for standard users:

```
mshta.exe
regsvr32.exe
rundll32.exe
powershell.exe
cmd.exe
wscript.exe
cscript.exe
bitsadmin.exe
certutil.exe
```

This can be done with:

* AppLocker
* WDAC
* EDR policies

---

## 5. Browser Protections

Most ClickFix attacks begin in the browser.

Enforce policies to:

* block **clipboard access prompts**
* disable **automatic downloads**
* prevent bypassing the **“paste into console” warning** in developer tools

Chrome/Edge enterprise policies (names as in the Chromium enterprise policy list; `3` blocks all downloads, `2` denies sites clipboard access):

```
DownloadRestrictions = 3
DefaultClipboardSetting = 2
```

Additionally, enable **SmartScreen**.

---

## 6. DNS / Web Filtering

Block known delivery domains.

Good protection layers:

* DNS filtering
* Secure web gateway
* blocking newly registered domains

Recommended:

* block domains <30 days old
* block dynamic DNS providers

---

## 7. Endpoint Detection

Look for suspicious command patterns like:

```
powershell -enc
powershell -nop
powershell -w hidden
iex (new-object net.webclient)
curl | powershell
```

Monitoring tools should alert on:

* encoded PowerShell
* clipboard-to-terminal patterns
* child processes spawned by browsers

---

## 8. Disable PowerShell from Browser Context

Many attacks launch PowerShell via the browser. Block this chain:

```
browser -> powershell
browser -> cmd
browser -> mshta
```

Defender / EDR rules can block **browser-spawned script interpreters**.

---

## 9. User Copy-Paste Protection

Some EDR tools now block suspicious clipboard commands.

Policies:

* prevent pasting commands containing
  * `powershell`
  * `iex`
  * `downloadstring`

  into terminals.

---

## 10. Security Awareness (Still Required)

Even with strong controls, user behavior matters.

Train users: never paste commands from websites into:

* PowerShell
* Terminal
* Command Prompt

Legitimate IT support **never instructs users to paste commands** from a web page into a console.

---

# Practical Enterprise Baseline (Recommended)

For an enterprise environment, a recommended baseline is:

1. **WDAC allow-listing**
2. **ASR rules enabled**
3. **PowerShell logging + constrained mode**
4. **block LOLBins for standard users**
5. **DNS filtering**
6. **EDR detection for encoded PowerShell**

This combination stops the vast majority of ClickFix attacks.

---

If useful, a next step can be provided: **a hardened Windows security baseline specifically designed to block ClickFix-style attacks (AppLocker + ASR + PowerShell GPO examples).**
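As an added example in that direction (not part of the original text), the script below applies baseline items 2 and 3 directly on a host: it writes the same registry values that the section 1 GPO settings (Script Block, Module and Transcription logging) write, removes the PowerShell 2.0 engine, enables the four ASR rules from section 3 by their GUIDs, and then reads the ASR state back from Defender. The transcript directory is an assumption; the rule GUIDs are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): PowerShell logging + PSv2 removal
# (section 1) and ASR rules (section 3), applied locally and verified.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # ASSUMPTION: use an ACL-protected, centrally collected path

# Registry values behind "Turn on Script Block Logging / Module Logging / Transcription".
$LoggingValues = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $TranscriptDir }
}
foreach ($subKey in $LoggingValues.Keys) {
    $keyPath = Join-Path $PolicyRoot $subKey
    New-Item -Path $keyPath -Force | Out-Null
    foreach ($name in $LoggingValues[$subKey].Keys) {
        $value = $LoggingValues[$subKey][$name]
        $kind  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $keyPath -Name $name -Value $value -PropertyType $kind -Force | Out-Null
    }
}
# Module logging only records modules named under ModuleNames; '*' means all of them.
$moduleNames = Join-Path $PolicyRoot 'ModuleLogging\ModuleNames'
New-Item -Path $moduleNames -Force | Out-Null
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null

# Remove the 2.0 engine: "powershell -version 2" would otherwise run with none of
# the script block logging configured above.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# ASR rules from section 3, keyed by the GUIDs Defender uses.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creation from PSExec/WMI'
}
# Roll out with 'AuditMode' first: it logs what would be blocked (event 1122 in
# Microsoft-Windows-Windows Defender/Operational) without breaking anything.
$Mode = 'Enabled'   # or 'AuditMode'
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# Read-back: Get-MpPreference returns rule IDs and actions as two parallel arrays.
function Get-AsrRuleState {
    $pref        = Get-MpPreference
    $ids         = @($pref.AttackSurfaceReductionRules_Ids)
    $actions     = @($pref.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Name   = $AsrRules[$ids[$i]]          # $null for rules not in the table above
            Action = $actionNames[[int]$actions[$i]]
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize
Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') | Select-Object EnableScriptBlockLogging
```

Two points worth keeping in mind when using this alongside section 1: the execution policy (`Set-ExecutionPolicy AllSigned`) governs script files, not commands typed or pasted into an interactive console, so it does not by itself stop the ClickFix pattern; and logging keys set this way are overwritten by Group Policy on the next refresh, so on domain-joined hosts this script is a verification aid rather than the source of truth.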