{"Policies":[{"Id":"e8fe201f-63f0-446f-9150-d7fd43f06c3e","Name":"LOLBAS Examples","PolicyType":11,"Action":2,"KillRunningApps":true,"UIOnBlock":{"Id":"443d3fb0-3a79-44cd-b0b8-0299909aeae4","AllowedDialogType":"Block"},"UIOnStop":{"Id":"0a60d7ad-33ec-420c-9a4c-4986aa637dff","AllowedDialogType":"KillApp"},"PreviouslyAppGroup":false,"ConditionalEnforcement":[],"Audit":true,"Applications":[{"id":"f485a2ec-c01b-472b-9787-7558f8065e51","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"mmc.exe","compareAs":0,"caseSensitive":false},"ARGUMENTS":{"@type":"Text","content":"-Embedding","compareAs":1,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"},"PARENT_PROCESS":{"@type":"ParentProcess","ApplicationGroupId":"fb7df165-bf10-477e-9f5c-96353611775d","AllAncestors":true,"isEmpty":false}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"03c26a11-785f-4189-aa64-4a48b5aa7b12","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"sqldumper.exe","compareAs":0,"caseSensitive":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Corporation"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"2501d507-80a0-491b-bb3b-27ce26ac788c","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"control.exe","compareAs":0,"caseSensitive":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"},"PARENT_PROCESS":{"@type":"ParentProcess","ApplicationGroupId":"fb7df165-bf10-477e-9f5c-96353611775d","AllAncestors":true,"isEmpty":false}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"173f4f84-4130-413b-bbf3-250e52974574","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"cmdkey.exe","compareAs":0,"caseSensitive":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"0bdbc703-70a6-40e0-91ed-fe1bd46ad73d","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"rpcping.exe","compareAs":0,"caseSensitive":false},"ARGUMENTS":{"@type":"Text","content":"-s","compareAs":1,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"e225c75b-c097-4174-b931-5228e67aa03b","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"AtBroker.exe","compareAs":0,"caseSensitive":false},"ARGUMENTS":{"@type":"Text","content":"/start","compareAs":1,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"},"PARENT_PROCESS":{"@type":"ParentProcess","ApplicationGroupId":"fb7df165-bf10-477e-9f5c-96353611775d","AllAncestors":true,"isEmpty":false}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"b5e81827-c694-456e-b831-6efdd311cad2","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"fodhelper.exe","compareAs":0,"caseSensitive":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"2fa83bf5-8a9e-48e0-9a50-ce3e5c89e7ef","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"ftp.exe","compareAs":0,"caseSensitive":false},"ARGUMENTS":{"@type":"Text","content":"-s:","compareAs":1,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"38e2a379-fae7-4a9d-8610-3c41f7cd6f93","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"certutil.exe","compareAs":0,"caseSensitive":false},"ARGUMENTS":{"@type":"Text","content":"-urlcache -split","compareAs":1,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false}],"Activation":{"ActivateDate":null,"DeactivateDate":null,"Scheduler":null,"AutoDelete":false},"Priority":40,"Executors":[],"IsAppliedToAllComputers":true,"Accounts":[],"IncludeAccounts":{"CollectionId":"00000000-0000-0000-0000-000000000000","CollectionName":"","Operator":0,"SelectedAccountCollection":[],"UserGroupCollection":[]},"ExcludeAccounts":{"CollectionId":"00000000-0000-0000-0000-000000000000","CollectionName":"","Operator":0,"SelectedAccountCollection":[],"UserGroupCollection":[]},"IncludeADComputerGroups":[],"ExcludeADComputerGroups":[],"Description":"These were the policies created that were necessary to represent many of the types of attacks that EPM protects against. Please download and use this as a template to extend your organizations ability to block LOLBAS attacks. ","IsActive":true,"LinkedAgentPolicies":[{"Id":"d9696fe7-1495-41ba-8f53-eb425edd3afa","PolicyType":3,"DefaultApplicationGroupId":"1454ea2f-d180-42fe-a79d-5767e01a4160"}]}],"AppGroups":[{"Id":"fb7df165-bf10-477e-9f5c-96353611775d","Name":"Command Line","PolicyType":14,"Applications":[{"id":"5873e556-cad0-47b7-973d-a7e132654088","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"Powershell.exe","compareAs":0,"caseSensitive":false},"LOCATION":{"@type":"Location","content":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\","withSubfolders":true,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"2829990f-3162-46b7-aea2-0c2df9d9c4c9","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"FILE_NAME":{"@type":"FileName","hashAlgorithm":"","hash":"","hashSHA256":"","fileSize":0,"isEmpty":false,"content":"cmd.exe","compareAs":0,"caseSensitive":false},"LOCATION":{"@type":"Location","content":"C:\\Windows\\System32\\","withSubfolders":true,"caseSensitive":false,"isEmpty":false},"PUBLISHER":{"@type":"Publisher","signatureLevel":2,"separator":";","caseSensitive":true,"compareAs":0,"isEmpty":false,"content":"Microsoft Windows"}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false},{"id":"e8487776-0d8a-4a57-aed0-92308420f76f","internalId":0,"applicationType":3,"displayName":"","description":"","patterns":{"ORIGINAL_FILE_NAME":{"@type":"FileInfo","elementName":"FileVerInfo","attributeInfoName":"OriginalFilename","isEmpty":false,"content":"powershell.exe","compareAs":2,"caseSensitive":false}},"applicationGroupId":"00000000-0000-0000-0000-000000000000","internalApplicationGroupId":0,"includeInMatching":true,"accountId":"00000000-0000-0000-0000-000000000000","childProcess":false,"restrictOpenSaveFileDialog":true,"securityTokenId":"00000000-0000-0000-0000-000000000000","protectInstalledFiles":false}],"Description":"","LinkedAgentPolicies":[{"Id":"2ce3cbfa-c663-473d-86b7-343ba842fc72","PolicyType":2,"DefaultApplicationGroupId":"0cbb9b49-8b3d-432d-9c1e-9da835b8d4fa"}]}],"TrustSoftwareDistributors":[],"UserAccessTokens":[],"IdMapTokens":null,"EndUserUIs":[{"id":"443d3fb0-3a79-44cd-b0b8-0299909aeae4","category":"Dialogs","name":"Application Blocked","type":"Block","parameters":{"elements":[{"@type":"UIElement","name":"DialogTitle","type":"Text","isHidable":false,"isDisplay":true,"content":{"en":"Application Blocked"}},{"@type":"UIElement","name":"imgLogo","type":"Img","isHidable":true,"isDisplay":false,"content":{"en":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAfSURBVGhD7cEBAQAAAIIg/69uSEAAAAAAAAAAAMCJGiQwAAHA29C/AAAAAElFTkSuQmCC"}},{"@type":"UIElement","name":"lblCaption","type":"HTML","isHidable":true,"isDisplay":true,"content":{"en":"Application Blocked"}},{"@type":"UIElement","name":"lblInfo1Name","type":"HTML","isHidable":true,"isDisplay":true,"content":{"en":"Description"}},{"@type":"UIElement","name":"lblInfo1Value","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"<$VF_TARGET_DISPLAY_NAME> (<$VF_FILE_NAME>)"}},{"@type":"UIElement","name":"lblInfo2Name","type":"HTML","isHidable":true,"isDisplay":true,"content":{"en":"Vendor"}},{"@type":"UIElement","name":"lblInfo2Value","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"<$VF_COMPANYNAME_NAME>"}},{"@type":"UIElement","name":"lblInfo3Name","type":"HTML","isHidable":true,"isDisplay":true,"content":{"en":"Publisher"}},{"@type":"UIElement","name":"lblInfo3Value","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"<$VF_PUBLISHER>"}},{"@type":"UIElement","name":"lblMessage","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Write your message here."}},{"@type":"UIElement","name":"lblJustification","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"<$VF_USER_DISPLAYNAME>, please provide the justification here:"}},{"@type":"UIElement","name":"lblJustificationOption0","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"I need application <$VF_FILE_DESCRIPTION> (<$VF_FILE_NAME>)"}},{"@type":"UIElement","name":"lblJustificationOption1","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Option 2"}},{"@type":"UIElement","name":"lblJustificationOption2","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Option 3"}},{"@type":"UIElement","name":"lblJustificationOption3","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Option 4"}},{"@type":"UIElement","name":"lblJustificationOption4","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Option 5"}},{"@type":"UIElement","name":"lblJustificationManual","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Enter justification:"}},{"@type":"UIElement","name":"MinJustificationLength","type":"Numeric","isHidable":false,"isDisplay":true,"content":{"en":"0"}},{"@type":"UIElement","name":"lblEmail","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Enter your email address to allow your System Administrator to notify you when this request is approved:"}},{"@type":"UIElement","name":"btnOK","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"Close"}},{"@type":"UIElement","name":"btnRequestAuthorization","type":"HTML","isHidable":true,"isDisplay":false,"content":{"en":"Request Authorization"}},{"@type":"UIElement","name":"DialogTimeout","type":"Numeric","isHidable":false,"isDisplay":true,"content":{"en":"30"}}],"variables":[{"name":"USER","isCommon":true},{"name":"COMPUTERNAME","isCommon":true},{"name":"USERNAME","isCommon":true},{"name":"USERDOMAIN","isCommon":true},{"name":"USER_DISPLAYNAME","isCommon":true},{"name":"AGENT_VERSION","isCommon":true},{"name":"AGENT_PRODUCTNAME","isCommon":true},{"name":"AGENT_LAST_POLICY_UPDATE","isCommon":true},{"name":"AGENT_COMPANYNAME","isCommon":true},{"name":"AGENT_COPYRIGHT","isCommon":true}],"languages":[{"langCode":"en","englishName":null,"nativeName":null,"isDefault":true}]},"rendered":"","isCustom":false,"isDefault":true,"created":"2024-04-15T01:21:30.515+00:00","updated":"2024-04-15T01:21:30.515+00:00"},{"id":"0a60d7ad-33ec-420c-9a4c-4986aa637dff","category":"Dialogs","name":"Kill blocked application","type":"KillApp","parameters":{"elements":[{"@type":"UIElement","name":"DialogTitle","type":"Text","isHidable":false,"isDisplay":true,"content":{"en":"Kill blocked application"}},{"@type":"UIElement","name":"imgLogo","type":"Img","isHidable":true,"isDisplay":false,"content":{"en":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAfSURBVGhD7cEBAQAAAIIg/69uSEAAAAAAAAAAAMCJGiQwAAHA29C/AAAAAElFTkSuQmCC"}},{"@type":"UIElement","name":"lblCaption","type":"HTML","isHidable":true,"isDisplay":true,"content":{"en":"Kill blocked application"}},{"@type":"UIElement","name":"lblMessage","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"The following applications interfere with this action.
\n Please save your work and stop these applications or press \"Stop Now (or another customized name)\" to automatically stop them."}},{"@type":"UIElement","name":"btnStopNow","type":"HTML","isHidable":false,"isDisplay":true,"content":{"en":"Stop Now"}},{"@type":"UIElement","name":"DialogTimeout","type":"Numeric","isHidable":false,"isDisplay":true,"content":{"en":"30"}}],"variables":[{"name":"USER","isCommon":true},{"name":"COMPUTERNAME","isCommon":true},{"name":"USERNAME","isCommon":true},{"name":"USERDOMAIN","isCommon":true},{"name":"USER_DISPLAYNAME","isCommon":true},{"name":"AGENT_VERSION","isCommon":true},{"name":"AGENT_PRODUCTNAME","isCommon":true},{"name":"AGENT_LAST_POLICY_UPDATE","isCommon":true},{"name":"AGENT_COMPANYNAME","isCommon":true},{"name":"AGENT_COPYRIGHT","isCommon":true}],"languages":[{"langCode":"en","englishName":null,"nativeName":null,"isDefault":true}]},"rendered":"","isCustom":false,"isDefault":true,"created":"2024-04-15T01:21:30.52+00:00","updated":"2024-04-15T01:21:30.52+00:00"}]}