Did you know that you can completely neutralize Doppelganging, Herpaderping, and some other Process Buzzwording techniques by applying literally any WDAC (Device Guard) policy? Even an AllowAll one?
Those things will simply be unable to run with WDAC enabled.
Try it out with a one-liner (from elevated PS):
> ConvertFrom-CIPolicy -XmlFilePath C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Then reboot.
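An added example (not from the thread above) that wraps the same AllowAll deployment in a script and adds the post-reboot checks a defender would want: the Win32_DeviceGuard enforcement state and any Code Integrity block events. It assumes an elevated session on a Windows build that ships the ConfigCI module and the ExamplePolicies folder; the function names are mine.

```powershell
# Paths from the original one-liner: stock AllowAll example policy and the
# legacy single-policy binary location that CI loads at boot.
$PolicyXml = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml'
$PolicyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

function Install-AllowAllPolicy {
    # Compile the XML policy to its binary form; takes effect after reboot.
    if (-not (Test-Path $PolicyXml)) { throw "Example policy not found: $PolicyXml" }
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
    Write-Host "Policy written to $PolicyBin. Reboot to activate it."
}

function Get-WdacStatus {
    # Enforcement status values: 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        KernelModeCI = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCI   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

function Get-RecentCIBlocks {
    # 3077 = image blocked by policy (enforced); 3076 = would have been blocked (audit).
    # A process whose on-disk image was tampered with (the techniques named above)
    # fails CI validation and shows up here rather than running.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: run Install-AllowAllPolicy, reboot, then
# Get-WdacStatus and Get-RecentCIBlocks to confirm enforcement.
```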
Here's an exhaustive look at our Identity IOCs and the patterns we see, in the hopes that our Identity partners in the industry can use this to help protect our mutual customers (and customers can protect themselves). Happy Hunting. aka.ms/solorigateidentityioc…
💥😱 @tiraniddo added "named pipe RPC client transport" to NtObjectManager 🔥 Thank you very much James for all your work 👏!
I'll create PS scripts to cover a few scenarios 🍻
If anyone would like to help me, let me know 😉 @OTR_Community github.com/Cyb3rWard0g/WinRp…