Another useful thread for defenders, on powerful auditing and blocking:
Application Control is one of the most common recommendations for making your environment that of an Apex Defender. While getting started can be daunting, these three simple lines of PowerShell are a HUGE start, and will audit every binary not from Windows or Microsoft. pic.twitter.com/ECjCFqjyj6
— Lee Holmes (@Lee_Holmes) December 19, 2020
There's some useful stuff in the comments too. If you are using Windows Defender Application Control, these two Microsoft pages are worth a look:
Microsoft recommended block rules (Windows 10) - Windows security: a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.

Microsoft recommended driver block rules (Windows 10) - Windows security: a list of recommended block rules for vulnerable third-party drivers discovered by Microsoft and the security research community.
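The "audit every binary not from Windows or Microsoft" idea from the tweet above, as an added PowerShell example. This is not the three lines from the tweet's image (which are not reproduced on this page); it uses the AppLocker module's documented cmdlets, and the baseline directories, rule prefix and 24-hour window are illustrative choices.

```powershell
# Added example, not the tweet's code. Builds an AppLocker policy in AuditOnly mode
# that allows what is already under Windows / Program Files and logs everything
# else, then reads back what would have been blocked.
# Assumptions: elevated PowerShell on an edition that ships the AppLocker module
# (Enterprise/Education/Server); directories and prefix below are examples.
Import-Module AppLocker

function New-BaselineAuditPolicy {
    param([string[]]$Directories = @($env:SystemRoot, $env:ProgramFiles))

    # Publisher/hash details for every EXE, script and installer in the baseline.
    # DLLs are left out: the DLL collection is slow to build and costly to enforce.
    $info = foreach ($dir in $Directories) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
    }

    # Publisher rules where the file is signed, hash rules as the fallback.
    $params = @{ FileInformation = $info; RuleType = 'Publisher', 'Hash'
                 User = 'Everyone'; RuleNamePrefix = 'Baseline'; Optimize = $true }
    $policy = New-AppLockerPolicy @params

    # AuditOnly: anything outside the baseline still runs, but is logged.
    foreach ($collection in $policy.RuleCollections) {
        $collection.EnforcementMode = 'AuditOnly'
    }
    return $policy
}

function Get-AppLockerAuditHits {
    param([int]$Hours = 24)
    # 8003 (EXE and DLL log) and 8006 (MSI and Script log) mean
    # "allowed to run, but would have been blocked if the policy were enforced".
    $filter = @{ LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
                 Id        = 8003, 8006
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; File = $data.FilePath; User = $data.TargetUser }
    } | Sort-Object Time
}

# Apply (-Merge keeps any rules already present) and start the Application
# Identity service that AppLocker depends on; set its startup type via GPO.
Set-AppLockerPolicy -PolicyObject (New-BaselineAuditPolicy) -Merge
Start-Service -Name AppIDSvc

# After a period of normal use, review the unknown binaries before moving to Enabled.
Get-AppLockerAuditHits -Hours 24 | Format-Table -AutoSize
```

Review the audit hits for a while before switching the collections to Enabled; any legitimate tool that shows up there needs its own rule first.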
