Win+X paste attack hardening: a UK admin blueprint for Windows Terminal and PowerShell
ClickFix-style lures are shifting from Run (Win+R) to the Windows + X shortcut, then asking victims to paste commands into Windows Terminal. The paste bypasses many simple awareness checks and hands a shell to an attacker. This blueprint gives concrete settings, detection checks and policy rules to reduce that risk on Windows endpoints. Apply the steps below to harden Windows Terminal and PowerShell, audit common persistence mechanisms, and detect post-compromise behaviour such as hex-encoded payloads and LOLBin abuse.
ClickFix mitigation
Describe the attack briefly to users. Tell them no legitimate support will ever ask for Win+X then paste random text. Keep the message short and repeat it in onboarding and desktop prompts. Run short simulated phishing tests that include the Win+X vector and measure click rates.
Technical controls
- Block or constrain how Windows Terminal (wt.exe) is launched. Use AppLocker GPO rules or Windows Defender Application Control (WDAC) to restrict wt.exe to administrative machines only. Allow wt.exe only from System32 paths and only for specific AD groups when possible.
- Create AppLocker rules that deny execution of renamed binaries that mimic trusted tools, for example 7z.exe renamed as 7-zip.exe. Use file hash or publisher rules for signed apps where feasible.
- Prevent easy LOLBin abuse. Author rules that restrict MSBuild.exe, regsvr32.exe and rundll32.exe to expected paths and signing. Prefer path plus publisher rules rather than broad filename blocks; this reduces false positives while preventing common misuse.
Detection and response
- Enable ScriptBlockLogging and ModuleLogging to get full PowerShell command visibility, and review the resulting events. Turn on transcription for sensitive hosts to capture pasted commands.
- Audit scheduled tasks and services. Run Get-ScheduledTask and schtasks /Query to find unexpected entries. Scheduled tasks are a common persistence method after a ClickFix paste.
- Perform a Microsoft Defender exclusions audit. Use PowerShell: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath (and again with ExclusionProcess) to list exclusions. Remove any that allow attacker activity.
User controls and training
- Teach the simple rule: never paste commands received via chat, email or web prompts. Show an example of a hex-decoding command and why it is malicious.
- Provide an approved sandbox or jump box for users to paste benign diagnostic commands when support genuinely requires input. Make the workflow official and logged.
PowerShell hardening
Execution policy and language constraints
- Set a restrictive execution policy via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution, set to “Allow only signed scripts” or apply Set-ExecutionPolicy Restricted -Force on endpoints that do not need scripts. Use GPO rather than local registry where possible so the policy cannot be easily changed by a non-admin.
- Enforce Constrained Language Mode for user sessions that do not require full language features. Apply AppLocker or WDAC rules to map to allowed modules and block dynamic code features for standard users.
Logging and telemetry
- Enable ScriptBlockLogging and ModuleLogging via Group Policy or registry so pasted commands appear in event logs. Registry keys:
- HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging = 1
- HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging = 1
- HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames = * (a value named * with data *, or one value per module to catch)
- Turn on PowerShell transcription on high-risk hosts so full session input is recorded: set registry or GPO values under Windows PowerShell\Transcription, and define an output directory on a centralised, writable server.
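The following script is an added example (not code from the original blueprint): it writes the policy values listed above plus the transcription settings, then reads them back so the change can be confirmed. It assumes it is run elevated on a host not already managed by GPO for these keys, and the transcript share \\logsrv\pstranscripts$ is a placeholder for your central, writable directory.

```powershell
# Added example (not part of the original blueprint): sets the policy registry values
# named above and a transcription directory, then reads them back for verification.
# Assumptions: run elevated; the share \\logsrv\pstranscripts$ is a placeholder.
#Requires -RunAsAdministrator

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = '\\logsrv\pstranscripts$'   # placeholder: central, writable share

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: every block PowerShell compiles is written as event ID 4104.
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1

# Module logging for all modules (pipeline detail, event ID 4103). The GPO stores the
# module list as value names under ModuleNames, so '*' is both the name and the data.
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

# Transcription: full session input and output written to the central directory.
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' $TranscriptDir 'String'

# Read the values back so the result can be attached to a change ticket or SIEM job.
function Get-PowerShellLoggingState {
    $sbl = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging"     -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$PolicyRoot\ModuleLogging"          -ErrorAction SilentlyContinue
    $mn  = Get-ItemProperty "$PolicyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty "$PolicyRoot\Transcription"          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = $sbl.EnableScriptBlockLogging
        ModuleLogging      = $mod.EnableModuleLogging
        ModuleNames        = $mn.'*'
        Transcription      = $tr.EnableTranscripting
        OutputDirectory    = $tr.OutputDirectory
    }
}

Get-PowerShellLoggingState | Format-List
```

Hosts under a GPO that sets the same keys will have these values overwritten at the next policy refresh, which is the intended behaviour: use the script for the first exposed endpoints and for verification, and carry the same values into the GPO for the estate.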
Application control policies
- Use AppLocker GPO rules to allow only signed PowerShell scripts from trusted publishers, or use hash rules for known in-house scripts. Start in audit mode, collect logs, then move to enforcement.
- For servers and high-value desktops, deploy WDAC with a baseline whitelist that permits only explicitly signed binaries. Use managed policies to reduce admin churn.
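The block below is an added example, not a policy from the original blueprint or from Microsoft: it builds an AppLocker executable rule collection in audit mode, keeping the three default allow rules and adding deny rules for MSBuild and the 7-Zip console binaries outside their expected locations, merges it into the local policy, and lists the audit events to forward to the SIEM. It assumes an elevated session on a test host, generates its own rule GUIDs, and treats the Visual Studio path exception as an assumed layout.

```powershell
# Added example, not taken from the original blueprint: AppLocker Exe rules in audit mode,
# merged into the local policy, plus the audit events the SIEM should ingest.
# Assumptions: run elevated on a test host first; the Visual Studio path is an assumed
# layout; rule GUIDs are generated here.
#Requires -RunAsAdministrator

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0')  # S-1-1-0 = Everyone
    $id = [guid]::NewGuid()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path"/></Conditions>
    </FilePathRule>
"@
}

$msbuildRuleId = [guid]::NewGuid()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule '(Default) All files in Program Files' '%PROGRAMFILES%\*' 'Allow')
$(New-PathRule '(Default) All files in Windows' '%WINDIR%\*' 'Allow')
$(New-PathRule '(Default) Administrators run anything' '*' 'Allow' 'S-1-5-32-544')
    <!-- Deny MSBuild by publisher so a renamed copy still matches; the exceptions keep the
         expected install locations working. -->
    <FilePublisherRule Id="$msbuildRuleId" Name="Deny MSBuild outside expected paths" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MSBUILD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\*"/>
        <FilePathCondition Path="%PROGRAMFILES%\Microsoft Visual Studio\*"/>
      </Exceptions>
    </FilePublisherRule>
$(New-PathRule 'Deny 7z.exe in user profiles' '%OSDRIVE%\Users\*\7z.exe' 'Deny')
$(New-PathRule 'Deny 7za.exe in user profiles' '%OSDRIVE%\Users\*\7za.exe' 'Deny')
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'winx-audit-policy.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Rules are only evaluated while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name appidsvc

# -Merge adds these rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 8003 = would have been blocked (audit mode); 8004 = blocked (enforce mode).
function Get-AppLockerAuditHits {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            User = $data.TargetUser
            File = $data.FilePath
            Rule = $data.RuleName
        }
    }
}

Get-AppLockerAuditHits | Format-Table -AutoSize
```

Two points matter when this moves to enforcement. First, once an Exe collection contains any rule, everything not explicitly allowed is blocked, so the default allow rules must stay in place or ordinary applications stop running. Second, the 7-Zip path rules match the on-disk file name only; a renamed copy is caught only by the hash or publisher rules described above, which is why the MSBuild rule uses the publisher condition with path exceptions instead of a path deny.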
Detecting hex-encoded payloads and LOLBin techniques
- Add detection rules for common decoding patterns used in paste attacks. Watch for PowerShell expressions like:
- [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(
- [Convert]::FromBase64String(
- [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(
- Add simple regex detection for hex sequences that decode to shellcode, for example: (?i)(?:0x)?([0-9A-F]{2}\s?){30,} — tune length to reduce false positives. Apply these rules in EDR or SIEM ingestion and in ScriptBlockLogging parsing.
- Monitor for renamed trusted binaries. Detect executions where 7z.exe or 7za.exe run from user temp folders or downloads. Alert on MSBuild.exe launches from non-standard paths or when its parent process is a browser.
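The following is an added example, not detection content from the original blueprint: it turns the decode patterns and the hex regex above into a small rule set, runs it first over constructed sample script blocks and then over real ScriptBlockLogging (event ID 4104) entries. The samples are made up for this example, and the 30-pair hex threshold is the page's starting value, exposed as a parameter so the tuning the text recommends can be tried directly.

```powershell
# Added example, not from the original blueprint: rule set for the decode calls and hex
# runs listed above, tested on constructed samples, then applied to 4104 events.

$DecodePatterns = @{
    'utf8-base64'    = '\[System\.Text\.Encoding\]::UTF8\.GetString\(\[Convert\]::FromBase64String\('
    'base64'         = '\[Convert\]::FromBase64String\('
    'unicode-base64' = '\[System\.Text\.Encoding\]::Unicode\.GetString\(\[System\.Convert\]::FromBase64String\('
}

function Test-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory)][string]$Text,
        [int]$MinHexPairs = 30   # page's starting value; raise it if 64-char hashes cause noise
    )
    $hits = @()
    foreach ($name in $DecodePatterns.Keys) {
        if ($Text -match $DecodePatterns[$name]) { $hits += $name }
    }
    # Long run of hex pairs, optional 0x prefix, optional whitespace between pairs.
    $hexPattern = '(?i)(?:0x)?(?:[0-9A-F]{2}\s?){' + $MinHexPairs + ',}'
    if ($Text -match $hexPattern) { $hits += 'hex-run' }
    $hits
}

# Constructed samples (not real telemetry): benign, base64 decode, hex run, and a
# benign SHA-256 hash (32 pairs) that trips the default threshold.
$Samples = @(
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'
    '[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("SGVsbG8gV29ybGQ="))'
    ('$bytes = "' + ('41' * 40) + '"')
    'Compare-Object (Get-FileHash .\installer.msi).Hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
)

foreach ($s in $Samples) {
    $hits  = @(Test-SuspiciousScriptBlock -Text $s)
    $label = if ($hits.Count) { $hits -join ',' } else { 'clean' }
    '{0,-24} {1}' -f $label, $s.Substring(0, [Math]::Min(60, $s.Length))
}
# The hash sample is clean once the threshold exceeds 32 pairs:
'{0,-24} hash sample at 40 pairs' -f ((@(Test-SuspiciousScriptBlock -Text $Samples[3] -MinHexPairs 40).Count -eq 0) ? 'clean' : 'hex-run')

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24, [int]$MinHexPairs = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value   # ScriptBlockText
        $hits = @(Test-SuspiciousScriptBlock -Text $text -MinHexPairs $MinHexPairs)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Rules   = $hits -join ','
                Path    = $_.Properties[4].Value   # script path, empty for pasted input
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The ternary on the "40 pairs" line needs PowerShell 7; on Windows PowerShell 5.1 replace it with an if/else. Because this script itself contains the decode pattern in a sample, it appears in its own 4104 results once it has run, so exclude its path (the Path column) in the SIEM rule; pasted Win+X commands have an empty Path, which is itself a useful pivot.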
Persistence cleanup and verification
- Schedule a regular sweep for suspicious persistence artefacts. Use PowerShell:
- Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' -or $_.Author -notlike 'Microsoft*' } to flag tasks outside the Microsoft namespace or without a Microsoft author.
- Get-Service to list unusual services and sc.exe query for unknown entries.
- Audit and remove Microsoft Defender exclusions with:
- $prefs = Get-MpPreference; $prefs.ExclusionPath; $prefs.ExclusionProcess; $prefs.ExclusionExtension
- Remove-MpPreference -ExclusionPath 'C:\path\to\bad'; use with care.
- Check for credible post-exploit indicators: renamed 7-Zip executable, scheduled tasks created within a short window after a suspicious login, Defender exclusion additions, and child processes of browsers that indicate process injection.
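As an added example (not a script from the original blueprint), the sweep below combines the checks in this section: scheduled tasks outside the Microsoft namespace, registered recently, or whose action runs from a user-writable path; services whose binary lives outside Windows or Program Files; and Defender exclusions not on an approved list, with removal gated behind -WhatIf/-Confirm. The approved-exclusion lists are placeholders, and the script assumes an elevated session.

```powershell
# Added example, not from the original blueprint: persistence and exclusion sweep.
# Assumptions: run elevated; $ApprovedExclusions is a placeholder allowlist.
#Requires -RunAsAdministrator

# Placeholder allowlist: replace with the exclusions your change records actually approve.
$ApprovedExclusions = @{
    Path      = @('C:\ProgramData\ApprovedBackup')   # constructed placeholder
    Process   = @()
    Extension = @()
}

function Get-SuspiciousScheduledTasks {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ScheduledTask | ForEach-Object {
        $task    = $_
        $reasons = @()
        if ($task.TaskPath -notlike '\Microsoft\Windows\*') { $reasons += 'outside-microsoft-path' }
        # Microsoft tasks carry either a "Microsoft..." author or a resource string "$(@...)".
        if ($task.Author -notlike 'Microsoft*' -and $task.Author -notlike '$(@*') { $reasons += 'non-microsoft-author' }
        $registered = [datetime]::MinValue
        if ($task.Date -and [datetime]::TryParse($task.Date, [ref]$registered) -and $registered -gt $since) {
            $reasons += 'registered-recently'
        }
        $exec    = ($task.Actions | ForEach-Object { $_.Execute })   -join ' '
        $argText = ($task.Actions | ForEach-Object { $_.Arguments }) -join ' '
        if (($exec + ' ' + $argText) -match '\\Users\\|\\Temp\\|\\ProgramData\\') { $reasons += 'action-in-user-writable-path' }
        if ($reasons) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                Reasons = $reasons -join ','
                Action  = ($exec + ' ' + $argText).Trim()
            }
        }
    }
}

function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
    } | Select-Object Name, State, StartMode, PathName
}

function Get-UnapprovedDefenderExclusions {
    $prefs = Get-MpPreference
    foreach ($kind in 'Path', 'Process', 'Extension') {
        foreach ($item in @($prefs."Exclusion$kind")) {
            if ($ApprovedExclusions[$kind] -notcontains $item) {
                [pscustomobject]@{ Kind = $kind; Value = $item }
            }
        }
    }
}

function Remove-UnapprovedDefenderExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($x in Get-UnapprovedDefenderExclusions) {
        if ($PSCmdlet.ShouldProcess($x.Value, "Remove Defender $($x.Kind) exclusion")) {
            switch ($x.Kind) {
                'Path'      { Remove-MpPreference -ExclusionPath      $x.Value }
                'Process'   { Remove-MpPreference -ExclusionProcess   $x.Value }
                'Extension' { Remove-MpPreference -ExclusionExtension $x.Value }
            }
        }
    }
}

Get-SuspiciousScheduledTasks      | Format-Table -AutoSize
Get-SuspiciousServices            | Format-Table -AutoSize
Get-UnapprovedDefenderExclusions  | Format-Table -AutoSize
Remove-UnapprovedDefenderExclusions -WhatIf   # drop -WhatIf only after the list is reviewed and logged
```

The task and service lists are review queues, not verdicts: third-party installers legitimately register tasks at the root of the library and services under their own directories. On devices where Defender tamper protection covers exclusions, Remove-MpPreference is refused and the change has to be made through the management console, which also gives you the central log the blueprint asks for.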
Operational steps to apply now
- Set ScriptBlockLogging and transcription on the most exposed endpoints first. Confirm logs arrive in the SIEM.
- Deploy AppLocker rules in audit mode that deny msbuild.exe and 7z.exe from non-system locations. Monitor for the audit (would-have-blocked) events.
- Run a Defender exclusions audit and remove any unexpected entries. Log all changes centrally.
- Search for hex-encoded strings and common decode calls across recent ScriptBlockLogging events. Label any matches for investigation.
- Train staff with a short triage script: if prompted to paste or run code via Win+X, close the page, capture the URL, and contact support through the official channel.
Final takeaways
Treat Win+X paste attack hardening as a combination of people, policy and detection. Turn on logging, lock down execution and application control policies, audit persistence points and Microsoft Defender exclusions, and train users with a single clear rule about pasted commands. These measures cut the attack surface for ClickFix-style lures and make post-compromise activity such as scheduled task persistence, LOLBin misuse and hex-encoded payloads far easier to detect and remove.
Reference: Computerworld technical advisory on ClickFix campaigns (use for threat context): https://www.computerworld.com/article/4141964/clickfix-attackers-using-new-tactic-to-evade-detection-says-microsoft-2.html
