diff --git a/docs/policypak/components/leastprivilegemanager/manual/windows/automatic.md b/docs/policypak/components/leastprivilegemanager/manual/windows/automatic.md index 007eeb3144..40df56ceda 100644 --- a/docs/policypak/components/leastprivilegemanager/manual/windows/automatic.md +++ b/docs/policypak/components/leastprivilegemanager/manual/windows/automatic.md @@ -15,7 +15,7 @@ representative machines. :::note See the -[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md) +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md) video for a demo of PolicyPak Automatic Rules Generator Tool in action. ::: diff --git a/docs/policypak/components/leastprivilegemanager/manual/windows/overviewmisc/scopefilters/enhancedsecurerun.md b/docs/policypak/components/leastprivilegemanager/manual/windows/overviewmisc/scopefilters/enhancedsecurerun.md index a0e762481c..028416e321 100644 --- a/docs/policypak/components/leastprivilegemanager/manual/windows/overviewmisc/scopefilters/enhancedsecurerun.md +++ b/docs/policypak/components/leastprivilegemanager/manual/windows/overviewmisc/scopefilters/enhancedsecurerun.md @@ -8,7 +8,7 @@ sidebar_position: 10 :::note For an overview of this scenario, see the -[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md) +[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md) video demo. ::: diff --git a/docs/policypak/components/leastprivilegemanager/manual/windows/securerun/overview.md b/docs/policypak/components/leastprivilegemanager/manual/windows/securerun/overview.md index a8a7b6b3cd..047d64f543 100644 
--- a/docs/policypak/components/leastprivilegemanager/manual/windows/securerun/overview.md +++ b/docs/policypak/components/leastprivilegemanager/manual/windows/securerun/overview.md @@ -9,7 +9,7 @@ sidebar_position: 20 :::note For an overview of how to block threats and unknown software like malware and similar applicates, see the -[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md) +[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md) video. ::: @@ -121,7 +121,7 @@ downloads and tries to run but continues to let properly installed applications :::note An additional way to use PolicyPak SecureRum™ is to also trap for anything that is unsigned. See the -[Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md) +[Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md) video for a demonstration. ::: diff --git a/docs/policypak/components/leastprivilegemanager/technotes/eventing/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/eventing/_category_.json index 09ffb21009..d807a83ffd 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/eventing/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/eventing/_category_.json @@ -1,6 +1,6 @@ { "label": "Eventing", - "position": 100, + "position": 90, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/implementationguide.md b/docs/policypak/components/leastprivilegemanager/technotes/implementationguide.md index 4d8b23a47a..1a9d214abb 100644 
--- a/docs/policypak/components/leastprivilegemanager/technotes/implementationguide.md +++ b/docs/policypak/components/leastprivilegemanager/technotes/implementationguide.md @@ -351,7 +351,7 @@ Then you can investigate those Event IDs that come in and create Allow and Log a more about how PolicyPak Least Privilege Manager SecureRun helps you keep ransomware and unknown applications at bay, but open up specific applications as needed with Allow and Log actions, please see -[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md) +[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md) For general tips on how to use SecureRun™ please see [How can I allow "Inline commands" blocked by SecureRun when a random path or filename is created each time?](/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/allowinlinecommands.md) @@ -391,7 +391,7 @@ Estimated Milestone Details and Target Dates | M15 Addition | Add +5 endpoints PolicyPak Active Directory OU and remove their local admin rights. | Day 21 | | M16 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 22 | | M17 Remaining | Add Remaining endpoints to PolicyPak Active Directory OU and remove their local admin rights. | Day 23 | -| M18 SecureRun (Optional) | • Turn on Global Auditing for Untrusted and Unsigned applications. • Try turning on SecureRun for three developers. | Day 24 | +| M18 SecureRun (Optional) | • Turn on Global Auditing for Untrusted and Unsigned applications. • Try turning on SecureRun for three developers. | Day 24 | | M19 SecureRun Rollout (Optional) | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 25+ | 
@@ -417,7 +417,7 @@ Estimated Milestone Details and Target Dates | M14 Addition | Add +5 endpoints to PolicyPak Cloud and remove their local admin rights. | Day 19 | | M15 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 20 | | M16 Remaining | Add Remaining endpoints to PolicyPak Cloud and remove their local admin rights. | Day 21 | -| M17 SecureRun Setup | | Day 22 | +| M17 SecureRun Setup | | Day 22 | | M18+ SecureRun Rollout | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 23+ | @@ -444,5 +444,5 @@ Estimated Milestone Details and Target Dates | M15 Addition | Add +5 endpoints to PolicyPak group and remove their local admin rights. | Day 21 | | M16 Review Events | Look at EVENTS to determine the issues to make more rules. | Day 22 | | M17 Remaining | Add Remaining endpoints to PolicyPak group and remove their local admin rights. | Day 23 | -| M18 SecureRun Setup | | Day 24 | +| M18 SecureRun Setup | | Day 24 | | M19 SecureRun Rollout | Add +5 endpoints per day and triage incoming SecureRun blocks with “Allow and Log” rules. Repeat each day with +5 endpoints. | Day 25+ | diff --git a/docs/policypak/components/leastprivilegemanager/technotes/macintegration/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/macintegration/_category_.json index 0cf9d2118e..d72012e5ff 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/macintegration/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/macintegration/_category_.json @@ -1,6 +1,6 @@ { "label": "Mac Integration", - "position": 80, + "position": 100, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsappsscenarios/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/tipsappsscenarios/_category_.json index d3a625f513..c12ccb039f 100644 
--- a/docs/policypak/components/leastprivilegemanager/technotes/tipsappsscenarios/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsappsscenarios/_category_.json @@ -1,6 +1,6 @@ { "label": "Tips (Specific Workaround For Apps And Scenarios)", - "position": 30, + "position": 40, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/_category_.json new file mode 100644 index 0000000000..0057b317ae --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Tips And DLL-Hijack Prevention", + "position": 60, + "collapsed": true, + "collapsible": true +} diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/overview.md b/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/overview.md new file mode 100644 index 0000000000..026d272391 --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/overview.md 
@@ -0,0 +1,180 @@ +--- +title: "DLL Hijack Protection" +description: "How DLL Hijack Protection detects and blocks DLL hijacking attacks in Endpoint Privilege Manager." +sidebar_position: 10 +--- + +# DLL Hijack Protection + +DLL Hijack Protection helps prevent attackers from exploiting how Windows loads dynamic link libraries (DLLs). +Some applications load DLLs by name instead of full path. Windows then searches multiple locations — starting with the application's own folder. If that folder is writable by a standard user, a malicious DLL can be dropped in and executed by the application. +DLL Hijack Protection detects and blocks these scenarios by inspecting DLL loads before they execute. + +## Enable DLL Hijack Protection + +1. Navigate to **Group Policy Management Editor > Computer Configuration > Netwrix Endpoint Policy Manager > Endpoint Privilege Security Pak > Endpoint Privilege Manager**. +2. Right-click a collection and select **Add > New Global DLL Hijack Protection Policy** (or **New DLL Hijack Protection Exclusions Policy**). +3. In the policy properties, select a **Mode** (see mode descriptions below) and add the appropriate identities to **Approved Members**. + +![DLL Hijack Protection policy types in the Group Policy Management Editor](/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp) + +## How DLL Load Decisions Are Made + +DLL Hijack Protection makes a decision based on three things: + +1. **Does the policy apply to this process?** +2. **Is the DLL load considered risky?** +3. **Is there an exclusion that overrides the behavior?** + +Blocking occurs when the first two conditions are met and no exclusion applies. + +## When the Policy Applies + +This depends on the selected mode: + +### Safe Elevated Mode + +Applies **only to elevated processes** (running as administrator or SYSTEM). 
+ +### Anti-Hijack Mode + +Applies to: + +- **Elevated processes** +- **Standard processes running from trusted locations** (e.g., Program Files) + +## What Makes a DLL Load Risky + +A DLL load is considered unsafe when the DLL can be modified by a non-approved user — that is, a user not in the Approved Members list (described in the next section). + +In practice, this means the DLL is located in a user-writable location. If this condition is met, the load is treated as suspicious and can be blocked. + +## Approved Members + +The **Approved Members** list defines who is trusted to modify application files. + +:::note +If a DLL can be modified by a user, and that user is **not** in the Approved Members list, the DLL load is blocked. +::: + +### Purpose + +Some identities are expected to modify files as part of normal operations: + +- Administrators +- SYSTEM +- Trusted Installer + +In production environments, you may also have: + +- Software deployment tools +- Packaging accounts +- IT groups + +The Approved Members list lets you explicitly trust those identities. + +### Default Behavior + +| DLL writable by | Result | +|---|---| +| Only trusted/approved identities | Allowed | +| Any non-approved user | Blocked | + +The Approved Members list directly controls what the system considers safe write access. + +## Exclusions + +If a matching exclusion exists, the action is allowed — even if it would otherwise be blocked. + +Exclusions can be based on: + +- File path +- File hash +- Digital signature + +### Use Cases + +- Legacy apps doing non-standard DLL loading +- Known safe behavior that doesn't conform to standard patterns +- Temporary exceptions during rollout + +## Actions + +### Deny Execution + +Blocks the DLL load. Options: + +- Default message (recommended) +- Custom message +- Silent (no user notification) + +### Allow and Log + +Allows the behavior and logs the event. Primarily used during testing or phased rollout. 
+ +## Audit Mode + +Logs potential blocks without enforcing them. Use Audit Mode during initial rollout to assess impact before switching to an enforcement mode. + +## Logging Options + +| Option | Description | +|---|---| +| Blocked & Allowed | Full visibility (recommended) | +| Do not generate events | No logging | + +## How It Works + +When a DLL is about to load: + +1. Check if the **policy applies** (based on mode and process type). +2. Check if the DLL is **modifiable by a non-approved user**. +3. Check for any **matching exclusion**. +4. Final decision: + - If risky and no exclusion → **Blocked** + - Otherwise → **Allowed** (and optionally logged) + +## Practical Examples + +### Example 1: Elevated app, unsafe DLL + +- App runs elevated. +- DLL is in a user-writable folder. +- Folder is writable by standard users (not in Approved Members). + +Result: **Blocked** + +### Example 2: Elevated app, IT-controlled folder + +- DLL folder is writable only by the IT deployment group. +- Group is in Approved Members. + +Result: **Allowed** + +### Example 3: Standard app from Program Files (Anti-Hijack Mode) + +- App is launched from a trusted location. +- DLL is user-writable by non-approved users. + +Result: **Blocked** + +### Example 4: Exclusion in place + +- Same conditions as Example 3, but the DLL or EXE matches an exclusion. + +Result: **Allowed** + +## Best Practices + +- Start with **Audit Mode** (which logs potential blocks without enforcing them). +- Move to **Safe Elevated Mode** first (low risk, high value). +- Then enable **Anti-Hijack Mode** for broader protection. +- Carefully define **Approved Members**. +- Use exclusions sparingly — don't rely on them as a long-term fix. +- Keep logging enabled during rollout. + +## Known Considerations + +- DLL Hijack Protection behavior depends on file permissions. Unexpected access control lists (ACLs) can cause blocks. +- Some legacy apps may require exclusions. 
+- If Endpoint Privilege Manager has not yet applied an elevation policy to a process, DLL Hijack Protection may treat that process as non-elevated. If you see unexpected blocks on elevated processes, confirm that the elevation policy for that application has been applied before DLL Hijack Protection evaluates it. diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsfilesfolders/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/tipsfilesfolders/_category_.json index 72b9d9b367..2fb258fd3f 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipsfilesfolders/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsfilesfolders/_category_.json @@ -1,6 +1,6 @@ { "label": "Tips (Files Folders And Dialogs)", - "position": 40, + "position": 70, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/_category_.json index c329b7028f..b05fee113c 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/_category_.json @@ -1,6 +1,6 @@ { "label": "Tips For Admin Approval Self Elevate Apply On Demand SecureCopy And UI Branding", - "position": 60, + "position": 80, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/scope.md b/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/scope.md index ea4a364da9..6490a6d4a5 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/scope.md +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/scope.md 
@@ -72,7 +72,7 @@ its work as LOCAL SYSTEM and tries to run an un-trusted file. Therefore, when th list, the attack attempt will fail. For a video demo of this scenario, -see [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md) +see [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md) ## Scenario 2: Specific rule to block an app from being run, even as local System. diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipsold/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/tipsold/_category_.json index f32472cb33..a46d93c731 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipsold/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipsold/_category_.json @@ -1,6 +1,6 @@ { "label": "Tips (Old Use Only If Asked)", - "position": 70, + "position": 120, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/bestpractices.md b/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/bestpractices.md index 54b9d36d0f..79b23a302d 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/bestpractices.md +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/bestpractices.md 
@@ -36,7 +36,7 @@ to run through SecureRun. It will create the required allow and elevate policies create policies to block applications that would otherwise be automatically allowed. For more information on using the Auto-Rules Generator Tool, see -[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md) +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md) ## Post-installation Options diff --git a/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/setup.md b/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/setup.md index 0fc1786e87..f545e9f2e0 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/setup.md +++ b/docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/setup.md 
@@ -10,12 +10,9 @@ sidebar_position: 20 #### Getting Started -Watch this quick video for tips on setting up Secure Run: -[Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md). - -In addition we have a tool called Auto Rules Generator for generating rules from a machine that has -all your apps. It is in the Extras folder of the main Netwrix PolicyPak download. For more information on this issue, please see -[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md). +To get started, use the Auto Rules Generator tool to generate rules from a machine that has +all your installed applications. The tool is in the Extras folder of the Netwrix PolicyPak download, available from the Netwrix customer portal. For more information, see +[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md). #### How do we setup SecureRun when each version of the software references more than one .exe to start the program? diff --git a/docs/policypak/components/leastprivilegemanager/technotes/troubleshooting/_category_.json b/docs/policypak/components/leastprivilegemanager/technotes/troubleshooting/_category_.json index 99f1609c37..95209b5d2a 100644 --- a/docs/policypak/components/leastprivilegemanager/technotes/troubleshooting/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/technotes/troubleshooting/_category_.json @@ -1,6 +1,6 @@ { "label": "Troubleshooting", - "position": 90, + "position": 30, "collapsed": true, "collapsible": true } 
diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/acltraverse/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/acltraverse/_category_.json index ff69a244df..ecb7a92079 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/acltraverse/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/acltraverse/_category_.json @@ -1,6 +1,6 @@ { "label": "ACL Traverse NTFS And Registry", - "position": 50, + "position": 60, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/adminapproval/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/adminapproval/_category_.json index b8c691c509..f6464f702c 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/adminapproval/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/adminapproval/_category_.json @@ -1,6 +1,6 @@ { "label": "Admin Approval Self Elevate Apply On Demand SecureCopy(TM) And UI Branding", - "position": 60, + "position": 70, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/_category_.json index 94d947f7f0..a27b20a040 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/_category_.json @@ -1,6 +1,6 @@ { "label": "Best Practices", - "position": 40, + "position": 30, "collapsed": true, "collapsible": true } 
diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/businesssolutions/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/businesssolutions/_category_.json index fdefac02f9..4d8efbbf16 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/businesssolutions/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/businesssolutions/_category_.json @@ -1,6 +1,6 @@ { "label": "Business Solutions", - "position": 90, + "position": 110, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/_category_.json new file mode 100644 index 0000000000..396e44de7b --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "Dll-Hijack Prevention", + "position": 50, + "collapsed": true, + "collapsible": true +} diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/basics.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/basics.md new file mode 100644 index 0000000000..128eeeb94d --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/basics.md 
@@ -0,0 +1,25 @@ +--- +title: "DLL Hijack Protection Basics: Get to know the system with a simple example" +description: "DLL Hijack Protection Basics: Get to know the system with a simple example" +sidebar_position: 10 +--- + +# DLL Hijack Protection Basics: Get to know the system with a simple example + +This video demonstrates running a DLL directly with rundll32.exe from an untrusted location. + +Command: + +``` +rundll32.exe c:\temp\DLL-Notsigned.dll,EntryPointW +``` + +This is high-risk behavior: a DLL in a user-writable path is executed directly. +DLL Hijack Protection flags and blocks it. + +When the blocked DLL is legitimate, the video demonstrates two ways to authorize the load: + +- **Option 1:** Authorize the identity (allow a specific user or group to perform this action) +- **Option 2:** Authorize the DLL itself using a matching rule (path, hash, or publisher) + + diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/installers.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/installers.md new file mode 100644 index 0000000000..2825919266 --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/installers.md 
@@ -0,0 +1,18 @@ +--- +title: "DLL Hijack Protection Scenario 3: Protecting Installers" +description: "DLL Hijack Protection Scenario 3: Protecting Installers" +sidebar_position: 30 +--- + +# DLL Hijack Protection Scenario 3: Protecting Installers + +A user downloads an app (like VLC) from the internet and tries to run it by providing administrator credentials at a UAC prompt. + +Even if the user supplies valid administrator credentials, DLL Hijack Protection intervenes. In Safe Elevated Mode, the installer is blocked because it originates from an untrusted location. + +This video demonstrates two ways to authorize the installation: + +- **Option 1:** Create a rule to allow the application +- **Option 2:** Authorize a specific user (e.g., DOMAIN\User) to perform installations from that location — when they elevate with UAC, the install proceeds + + diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/poorlydesignedapps.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/poorlydesignedapps.md new file mode 100644 index 0000000000..9b6fc4cc74 --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/poorlydesignedapps.md @@ -0,0 +1,17 @@ +--- +title: "DLL Hijack Protection Demo 2: Poorly Designed Apps Protection" +description: "DLL Hijack Protection Demo 2: Poorly Designed Apps Protection" +sidebar_position: 20 +--- + +# DLL Hijack Protection Demo 2: Poorly Designed Apps Protection + +A poorly designed application loads a DLL by name instead of using a full path — a common DLL hijacking vulnerability. + +In this demo: + +- The app runs and successfully loads a malicious Evil.dll, demonstrating the hijack works. +- DLL Hijack Protection is enabled — the attack is blocked and logged. +- To handle a false positive, create a DLL Hijack Protection rule to allow the approved DLL. + + 
diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/popups.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/popups.md new file mode 100644 index 0000000000..ac49eb0d37 --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/popups.md @@ -0,0 +1,13 @@ +--- +title: "DLL Hijack Protection: Handling false positive block prompts after enabling the feature" +description: "DLL Hijack Protection: Handling false positive block prompts after enabling the feature" +sidebar_position: 40 +--- + +# DLL Hijack Protection: Handling false positive block prompts after enabling the feature + +After enabling DLL Hijack Protection, apps like OneDrive may start generating block prompts. The software is legitimate, but its DLL loading behavior triggers the protection. + +The demo takes a real blocked event, converts it into a Publisher-based Allow rule, and eliminates the false positive prompts while maintaining protection. + + diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/eventing/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/eventing/_category_.json index 3cd1d616d3..852ae1eb1c 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/eventing/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/eventing/_category_.json @@ -1,6 +1,6 @@ { "label": "Eventing", - "position": 80, + "position": 90, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/helperstoolsandtips/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/helperstoolsandtips/_category_.json index 69f9d3176f..73a8175c7f 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/helperstoolsandtips/_category_.json 
+++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/helperstoolsandtips/_category_.json @@ -1,6 +1,6 @@ { "label": "Helpers Tools And Tips And Tricks", - "position": 70, + "position": 80, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md deleted file mode 100644 index faaae87b9c..0000000000 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: "Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)" -description: "Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)" -sidebar_position: 80 ---- -# Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM) - -Quick question: Do you want to pay the bad guys and/or clean up for three weeks, or click ONE button -and say goodbye to all unknown Ransomware threats. Using a "Deny" list is impossible. There are -thousands of new evil applications created per day. "Allow" listing is no cakewalk either. You have -to constantly stay on top of everything you deploy and install. There's a BETTER way, a THIRD way, -using Netwrix PolicyPak SecureRun. With SecureRun, you're only -letting applications run if they were "properly installed" or otherwise sanctioned by you. Check out -this video, and block all unknown Malware and zero day threats. - - - - diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/macintegration/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/macintegration/_category_.json index 419ba4e88e..89a306c9c1 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/macintegration/_category_.json 
+++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/macintegration/_category_.json @@ -1,6 +1,6 @@ { "label": "Mac Integration", - "position": 110, + "position": 100, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/methods/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/methods/_category_.json index 4283b8cf5a..5ad297184c 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/methods/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/methods/_category_.json @@ -1,6 +1,6 @@ { "label": "Methods Cloud MDM SCCM PDQ", - "position": 30, + "position": 120, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/netwrixprivilegesecure/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/netwrixprivilegesecure/_category_.json index 4b5bac5db4..0f5b6a9d52 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/netwrixprivilegesecure/_category_.json +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/netwrixprivilegesecure/_category_.json @@ -1,6 +1,6 @@ { - "label": "Netwrix Privilege Secure For Access Management Integration", - "position": 100, + "label": "PP Least Priv + Netwrix NPS", + "position": 130, "collapsed": true, "collapsible": true } diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/_category_.json b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/_category_.json new file mode 100644 index 0000000000..5cea2c3c51 --- /dev/null +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/_category_.json @@ -0,0 +1,6 @@ +{ + "label": "SecureRun", + "position": 40, + "collapsed": true, + "collapsible": true +} 
diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md similarity index 99% rename from docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md rename to docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md index fac5404345..f8477d3fb2 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md @@ -1,7 +1,7 @@ --- title: "Auto Rules Generator Tool (with SecureRun)" description: "Auto Rules Generator Tool (with SecureRun)" -sidebar_position: 50 +sidebar_position: 30 --- # Auto Rules Generator Tool (with SecureRun) diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md similarity index 99% rename from docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md rename to docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md index 467d0765cb..cf01f8d608 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md @@ -1,7 +1,7 @@ --- title: "Using Least Privilege Manager's SecureRun Feature" description: "Using Least Privilege Manager's SecureRun Feature" -sidebar_position: 7 +sidebar_position: 5 --- # Using Least Privilege Manager's SecureRun Feature 
diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md similarity index 99% rename from docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md rename to docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md index 812c258f71..ccc3f8811e 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md @@ -1,7 +1,7 @@ --- title: "Least Privilege Manager: Block All Unsigned with SecureRun" description: "Least Privilege Manager: Block All Unsigned with SecureRun" -sidebar_position: 90 +sidebar_position: 20 --- # Least Privilege Manager: Block All Unsigned with SecureRun @@ -46,5 +46,3 @@ that run through anyway, but this version is also going to just be blocked. Okay you've got your bases covered. Nice new feature helping make your world even more secure than it was before that. Hope this helps you out. Looking forward to getting you started with PolicyPak real soon. - - diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md similarity index 99% rename from docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md rename to docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md index 2218490a13..190e3fb63c 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md 
+++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md @@ -1,7 +1,7 @@ --- title: "SecureRun to block User AND System executables" description: "SecureRun to block User AND System executables" -sidebar_position: 90 +sidebar_position: 40 --- # SecureRun to block User AND System executables diff --git a/docs/policypak/components/leastprivilegemanager/videolearningcenter/videolearningcenter.md b/docs/policypak/components/leastprivilegemanager/videolearningcenter/videolearningcenter.md index 5a67bbd188..5b705620c2 100644 --- a/docs/policypak/components/leastprivilegemanager/videolearningcenter/videolearningcenter.md +++ b/docs/policypak/components/leastprivilegemanager/videolearningcenter/videolearningcenter.md 
@@ -14,9 +14,9 @@ See the following Video topics for more information on Least Privilege Manager. - [Use Group Policy to remove local admin rights (then PolicyPak to enable Least Privilege)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/removelocaladmin.md) - [Link to Computer, Filter by User](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/userfilter.md) - [Installing applications-and-Preconfigured-Rules](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/installapplications.md) -- [Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md) +- [Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md) - [PolicyPak Application Control with PP Least Privilege Manager](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/applicationcontrol.md) -- [Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md) +- [Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md) - [COM Support](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/comsupport.md) - [Overcome UAC prompts for Active X controls](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/uacpromptsactivex.md) 
@@ -28,8 +28,7 @@ See the following Video topics for more information on Least Privilege Manager. - [More security with Combo Rules](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/securitycomborules.md) - [Least Privilege Manager: Deny Messages](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/denymessages.md) - [Prevent Edge from Launching](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventedge.md) -- [Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md) -- [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md) +- [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md) - [Least Privilege Manager: Use Item Level Targeting to hone in when rules apply.](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/itemleveltargeting.md) ## Methods: Cloud, MDM, SCCM, PDQ 
@@ -49,7 +48,7 @@ See the following Video topics for more information on Least Privilege Manager. - [Least Privilege Manager and Wildcards](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/wildcards.md) - [Reduce or specify Service Account Rights](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/serviceaccountrights.md) - [Block PowerShell in General, Open up for specific items](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/powershellblock.md) -- [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md) +- [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md) - [Elevate apps as standard user, BLOCK other Admins](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/appblock.md) - [PolicyPak Least Priv Manager: Self Elevate Mode](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/selfelevatemode.md) diff --git a/docs/policypak/components/scriptstriggers/knowledgebase/troubleshooting/systemprocesses.md b/docs/policypak/components/scriptstriggers/knowledgebase/troubleshooting/systemprocesses.md index b416ca5f7b..bc2c9e9ac1 100644 --- a/docs/policypak/components/scriptstriggers/knowledgebase/troubleshooting/systemprocesses.md +++ b/docs/policypak/components/scriptstriggers/knowledgebase/troubleshooting/systemprocesses.md 
@@ -7,7 +7,7 @@ sidebar_position: 70 # Why don't Batch and PowerShell scripts get blocked when SYSTEM processes are blocked When implementing SecureRun to block both User and System processes (as demonstrated in -[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md) +[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md) video) we find that EXEs, MSIs and VB scripts get smacked down as expected when running as the USER, ADMIN or SYSTEM account. However, Batch and PowerShell scripts that are started from within a previously opened cmd.exe or powershell.exe window do not get blocked when running as a system diff --git a/docs/policypak/gettingstarted/misc/knowledgebase/gettingstarted/history.md b/docs/policypak/gettingstarted/misc/knowledgebase/gettingstarted/history.md index 8c25c48077..e4b1831397 100644 --- a/docs/policypak/gettingstarted/misc/knowledgebase/gettingstarted/history.md +++ b/docs/policypak/gettingstarted/misc/knowledgebase/gettingstarted/history.md @@ -62,7 +62,7 @@ Before 2017 - New Component — Remote Work Delivery Manager: Deliver software to Windows 10 via SMB share, Amazon S3 or other cloud services - Least Privlege Manager: Automatically block unsigned Applications - [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md) + [Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md) - Compliance Reporter now 10x faster 2021 
diff --git a/static/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp b/static/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp new file mode 100644 index 0000000000..e56a5bcf8a Binary files /dev/null and b/static/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp differ
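Review bot: The deletion of howtoandtechsupport/stopransomware.md drops the page outright instead of moving it into the new securerun category with the four related SecureRun videos, and nothing in the patch adds a redirect for its old path, so bookmarks and external links to that URL will break. If the video is retired, add a redirect from the old path to the closest replacement (securerun/feature.md covers the same "block unknown software" scenario); if it is still current, rename it into securerun/ with a sidebar_position like the other moved pages.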
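Review bot: The new securerun/_category_.json takes position 40 while the patch renumbers methods (30 to 120), helperstoolsandtips (70 to 80), macintegration (110 to 100) and netwrixprivilegesecure (100 to 130), but it does not show the positions of the categories that stay put (basicsandgettingstarted, howtoandtechsupport, bestpractices). Confirm none of those already uses 40, since two categories sharing a position leaves their relative order to the sidebar's fallback sort, and list the final category order in the commit message so the renumbering can be checked without opening every _category_.json.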
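Review bot: The new label "PP Least Priv + Netwrix NPS" in netwrixprivilegesecure/_category_.json uses abbreviations that no other category label in this patch uses ("Mac Integration", "SecureRun", "Helpers Tools And Tips And Tricks"), and "NPS" is also the usual shorthand for Windows Network Policy Server, so an administrator scanning the sidebar can misread it. Suggest "Least Privilege Manager + Netwrix Privilege Secure", or keep the original label and shorten it only if sidebar width actually requires that.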
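Review bot: The four renames into securerun/ (autorulesgeneratortool.md, feature.md, preventunsigned.md, usersystemexecutables.md) update every internal link touched by this patch, but the old paths under basicsandgettingstarted/, howtoandtechsupport/ and bestpractices/ are public URLs that the manual pages in the first hunks previously pointed at, and nothing here adds redirects for them. Add a redirect entry for each old path to its new securerun/ path so inbound links and search results keep resolving; the new sidebar_position values (5, 20, 30, 40) are consistent with each other within the new category.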
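Review bot: In videolearningcenter.md the SecureRun links are repointed to securerun/ but stay listed under their old sections (autorulesgeneratortool and feature remain in the basics list in the "@@ -14,9" hunk, preventunsigned in the how-to list in "@@ -28,8", usersystemexecutables in the best-practices list in "@@ -49,7"), so the index page no longer mirrors the sidebar, where these four videos now sit together under a SecureRun category. Add a "## SecureRun" section to the index, matching the existing "## Methods: Cloud, MDM, SCCM, PDQ" heading style, move the four links into it, and remove them from the old sections.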
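Review bot: The unchanged context line "Least Privlege Manager: Automatically block unsigned Applications" in history.md, directly above the link being updated, misspells "Privilege"; since the hunk already touches this entry, fix the spelling in the same change rather than leaving it for a separate commit.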
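Review bot: static/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp is added as a new binary, but no markdown in this patch references it, and no page under a dllhijack/ topic is touched. Either the doc that embeds the image is missing from the change set or the asset is unused; include the referencing page (or drop the image) so the change does not ship an orphaned asset.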