Reply to thread

Message

<blockquote data-quote="Andy Ful" data-source="post: 1057844" data-attributes="member: 32260">It is not possible to stop the RedTeams, except when making the computer unusable.Your RedTeam most probably <s>exploits</s> abuses Svchost by injecting the DLL or shellcode.You can try to identify what is exploited by using the combination of Hard_Configurator (set to block also Administrators + block all LOLBins) and strict WDAC policy (only Windows and Microsoft binaries allowed, dynamic code trust, no ISG). Do not forget to make a System Restore Point. This setup should be applied before the RedTeam attack. Next, you must inspect the H_C security log and WDAC events.Your RedTem probably knows your Admin credentials, Microsoft Account passwords&nbsp; (and others too), so it will be hard to prevent their actions.Edit.I am not sure if you are on the right way. You should not focus on stopping your RedTeam but rather on using the setup that can demotivate other RedTeams and hackers.</blockquote>

[QUOTE="Andy Ful, post: 1057844, member: 32260"] It is not possible to stop the RedTeams, except when making the computer unusable. Your RedTeam most probably [S]exploits[/S] abuses Svchost by injecting the DLL or shellcode. You can try to identify what is exploited by using the combination of Hard_Configurator (set to block also Administrators + block all LOLBins) and strict WDAC policy (only Windows and Microsoft binaries allowed, dynamic code trust, no ISG). Do not forget to make a System Restore Point. This setup should be applied before the RedTeam attack. Next, you must inspect the H_C security log and WDAC events. Your RedTem probably knows your Admin credentials, Microsoft Account passwords (and others too), so it will be hard to prevent their actions. Edit. I am not sure if you are on the right way. You should not focus on stopping your RedTeam but rather on using the setup that can demotivate other RedTeams and hackers. [/QUOTE]

Verification