@Lockdown,
I edited my previous post, because blocking execution via WMI was related to the Exploit Protection mitigation "Do not allow child processes", but not to the ASR rule "Block Office applications from creating child processes" (false memory). So, probably your note about direct system calls is also related to this Exploit Protection mitigation.
Microsoft Windows spaghetti protection. If I test, I say a quick prayer before I start so I don't get sucked into the abyss.
Spaghetti protection is OK for researchers and geeks, but for people who rely on it, Oh boy...