I put together some thoughts on the mitigation advice regarding "ClickFix" attacks.

https://taggart-tech.com/clickfix/

ClickFix Fixes Ranked

The cool thing about ClickFix remediation is nobody walks away happy.

@mttaggart Are you experiencing issues with your site taggart-tech.com? I am getting connection errors when trying to view your ClickFix article and tried on multiple OSes, browsers, etc.
Codeberg Service Status

This is an overview of the Codeberg Infrastructure. Uptime stats are calculated over the past 24 hours only. The 14-days uptime of our primary instance is

@mttaggart Great summary, thanks. We're currently trying the Windows Firewall route, to block a bunch of LOLBINs (mshta, wscript, cscript, conhost, runScriptHelper) from going to the internet, keeping local network allowed. Any luck with that approach? Effectiveness: 3 | Annoyance: 1?

I believe it comes from PingCastle:
https://pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
"Verify if there are restrictions for internet connectivity of script engines"

PingCastle Health Check rules - 2024-11-13

PingCastle report

@ll That's how you'd kill PowerShell outbound as well. Are you including that?
@mttaggart Not for now. Impact too uncertain. However, I feel like Defender is getting better at blocking ClickFix, especially when it is directly PowerShell to the Internet. Maybe because it's inspected via AMSI?
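
The Windows Firewall approach discussed in this thread, sketched as an added example that is not from any participant: outbound block rules for the listed script hosts that cover only public destinations, so local network traffic stays allowed. The `.exe` file names, the `LOLBIN-Egress` group name and the address ranges are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound block rules for the script-host LOLBINs named in the thread.
# File names, the group label and the address ranges below are assumptions.

$Binaries = 'mshta.exe', 'wscript.exe', 'cscript.exe', 'conhost.exe', 'RunScriptHelper.exe'
$Group    = 'LOLBIN-Egress'   # constructed label, used to list or remove the rules later

# Block rules take precedence over allow rules in Windows Firewall, so "local network
# allowed" has to be expressed by blocking only non-local destinations:
# IPv4 minus 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16, plus IPv6 global unicast.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255',
    '2000::/3'
)

foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($name in $Binaries) {
        $path = Join-Path $env:SystemRoot "$dir\$name"
        # Skip binaries that do not exist on this build or architecture.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $display = "Block $name ($dir) to Internet"
        # Idempotent: do not create a duplicate if the rule is already present.
        if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }

        New-NetFirewallRule -DisplayName $display -Group $Group `
            -Direction Outbound -Action Block -Profile Any `
            -Program $path -RemoteAddress $PublicRanges | Out-Null
    }
}

# Review what was created; Remove-NetFirewallRule -Group $Group rolls it back.
Get-NetFirewallRule -Group $Group |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

Where outbound web traffic goes through a proxy on a private address, these rules do not stop the listed binaries from reaching the internet via that proxy; that path needs a control at the proxy itself.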