Add DLL Hijack Prevention section and reorganize LPM Videos/KB structure

docs/policypak/components/leastprivilegemanager/manual/windows/automatic.md

@@ -15,7 +15,7 @@ representative machines.
 
 :::note
 See the
-[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md)
+[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md)
 video for a demo of PolicyPak Automatic Rules Generator Tool in action.
 :::
 

docs/policypak/components/leastprivilegemanager/manual/windows/overviewmisc/scopefilters/enhancedsecurerun.md

@@ -8,7 +8,7 @@ sidebar_position: 10
 
 :::note
 For an overview of this scenario, see the
-[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md)
+[SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md)
 video demo.
 :::
 

docs/policypak/components/leastprivilegemanager/manual/windows/securerun/overview.md

@@ -9,7 +9,7 @@ sidebar_position: 20
 :::note
 For an overview of how to block threats and unknown software like malware and similar
 applicates, see the
-[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/feature.md)
+[Using Least Privilege Manager's SecureRun Feature](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/feature.md)
 video.
 :::
 
@@ -121,7 +121,7 @@ downloads and tries to run but continues to let properly installed applications
 :::note
 An additional way to use PolicyPak SecureRum™ is to also trap for anything
 that is unsigned. See the
-[Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/preventunsigned.md)
+[Least Privilege Manager: Block All Unsigned with SecureRun](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/preventunsigned.md)
 video for a demonstration.
 :::
 

docs/policypak/components/leastprivilegemanager/technotes/eventing/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Eventing",
-  "position": 100,
+  "position": 90,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/macintegration/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Mac Integration",
-  "position": 80,
+  "position": 100,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/tipsappsscenarios/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Tips (Specific Workaround For Apps And Scenarios)",
-  "position": 30,
+  "position": 40,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/_category_.json

@@ -0,0 +1,6 @@
+{
+  "label": "Tips And DLL-Hijack Prevention",
+  "position": 60,
+  "collapsed": true,
+  "collapsible": true
+}

docs/policypak/components/leastprivilegemanager/technotes/tipsdllhijackprevention/overview.md

@@ -0,0 +1,180 @@
+---
+title: "DLL Hijack Protection"
+description: "How DLL Hijack Protection detects and blocks DLL hijacking attacks in Endpoint Privilege Manager."
+sidebar_position: 10
+---
+
+# DLL Hijack Protection
+
+DLL Hijack Protection helps prevent attackers from exploiting how Windows loads dynamic link libraries (DLLs).
+Some applications load DLLs by name instead of full path. Windows then searches multiple locations — starting with the application's own folder. If that folder is writable by a standard user, a malicious DLL can be dropped in and executed by the application.
+DLL Hijack Protection detects and blocks these scenarios by inspecting DLL loads before they execute.
+
+## Enable DLL Hijack Protection
+
+1. Navigate to **Group Policy Management Editor > Computer Configuration > Netwrix Endpoint Policy Manager > Endpoint Privilege Security Pak > Endpoint Privilege Manager**.
+2. Right-click a collection and select **Add > New Global DLL Hijack Protection Policy** (or **New DLL Hijack Protection Exclusions Policy**).
+3. In the policy properties, select a **Mode** (see mode descriptions below) and add the appropriate identities to **Approved Members**.
+
+![DLL Hijack Protection policy types in the Group Policy Management Editor](/images/policypak/leastprivilege/dllhijack/dllhijack-gpo-policy-types.webp)
+
+## How DLL Load Decisions Are Made
+
+DLL Hijack Protection makes a decision based on three things:
+
+1. **Does the policy apply to this process?**
+2. **Is the DLL load considered risky?**
+3. **Is there an exclusion that overrides the behavior?**
+
+Blocking occurs when the first two conditions are met and no exclusion applies.
+
+## When the Policy Applies
+
+This depends on the selected mode:
+
+### Safe Elevated Mode
+
+Applies **only to elevated processes** (running as administrator or SYSTEM).
+
+### Anti-Hijack Mode
+
+Applies to:
+
+- **Elevated processes**
+- **Standard processes running from trusted locations** (e.g., Program Files)
+
+## What Makes a DLL Load Risky
+
+A DLL load is considered unsafe when the DLL can be modified by a non-approved user — that is, a user not in the Approved Members list (described in the next section).
+
+In practice, this means the DLL is located in a user-writable location. If this condition is met, the load is treated as suspicious and can be blocked.
+
+## Approved Members
+
+The **Approved Members** list defines who is trusted to modify application files.
+
+:::note
+If a DLL can be modified by a user, and that user is **not** in the Approved Members list, the DLL load is blocked.
+:::
+
+### Purpose
+
+Some identities are expected to modify files as part of normal operations:
+
+- Administrators
+- SYSTEM
+- Trusted Installer
+
+In production environments, you may also have:
+
+- Software deployment tools
+- Packaging accounts
+- IT groups
+
+The Approved Members list lets you explicitly trust those identities.
+
+### Default Behavior
+
+| DLL writable by | Result |
+|---|---|
+| Only trusted/approved identities | Allowed |
+| Any non-approved user | Blocked |
+
+The Approved Members list directly controls what the system considers safe write access.
+
+## Exclusions
+
+If a matching exclusion exists, the action is allowed — even if it would otherwise be blocked.
+
+Exclusions can be based on:
+
+- File path
+- File hash
+- Digital signature
+
+### Use Cases
+
+- Legacy apps doing non-standard DLL loading
+- Known safe behavior that doesn't conform to standard patterns
+- Temporary exceptions during rollout
+
+## Actions
+
+### Deny Execution
+
+Blocks the DLL load. Options:
+
+- Default message (recommended)
+- Custom message
+- Silent (no user notification)
+
+### Allow and Log
+
+Allows the behavior and logs the event. Primarily used during testing or phased rollout.
+
+## Audit Mode
+
+Logs potential blocks without enforcing them. Use Audit Mode during initial rollout to assess impact before switching to an enforcement mode.
+
+## Logging Options
+
+| Option | Description |
+|---|---|
+| Blocked & Allowed | Full visibility (recommended) |
+| Do not generate events | No logging |
+
+## How It Works
+
+When a DLL is about to load:
+
+1. Check if the **policy applies** (based on mode and process type).
+2. Check if the DLL is **modifiable by a non-approved user**.
+3. Check for any **matching exclusion**.
+4. Final decision:
+   - If risky and no exclusion → **Blocked**
+   - Otherwise → **Allowed** (and optionally logged)
+
+## Practical Examples
+
+### Example 1: Elevated app, unsafe DLL
+
+- App runs elevated.
+- DLL is in a user-writable folder.
+- Folder is writable by standard users (not in Approved Members).
+
+Result: **Blocked**
+
+### Example 2: Elevated app, IT-controlled folder
+
+- DLL folder is writable only by the IT deployment group.
+- Group is in Approved Members.
+
+Result: **Allowed**
+
+### Example 3: Standard app from Program Files (Anti-Hijack Mode)
+
+- App is launched from a trusted location.
+- DLL is user-writable by non-approved users.
+
+Result: **Blocked**
+
+### Example 4: Exclusion in place
+
+- Same conditions as Example 3, but the DLL or EXE matches an exclusion.
+
+Result: **Allowed**
+
+## Best Practices
+
+- Start with **Audit Mode** (which logs potential blocks without enforcing them).
+- Move to **Safe Elevated Mode** first (low risk, high value).
+- Then enable **Anti-Hijack Mode** for broader protection.
+- Carefully define **Approved Members**.
+- Use exclusions sparingly — don't rely on them as a long-term fix.
+- Keep logging enabled during rollout.
+
+## Known Considerations
+
+- DLL Hijack Protection behavior depends on file permissions. Unexpected access control lists (ACLs) can cause blocks.
+- Some legacy apps may require exclusions.
+- If Endpoint Privilege Manager has not yet applied an elevation policy to a process, DLL Hijack Protection may treat that process as non-elevated. If you see unexpected blocks on elevated processes, confirm that the elevation policy for that application has been applied before DLL Hijack Protection evaluates it.

docs/policypak/components/leastprivilegemanager/technotes/tipsfilesfolders/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Tips (Files Folders And Dialogs)",
-  "position": 40,
+  "position": 70,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Tips For Admin Approval Self Elevate Apply On Demand SecureCopy And UI Branding",
-  "position": 60,
+  "position": 80,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/tipsforadminapproval/scope.md

@@ -72,7 +72,7 @@ its work as LOCAL SYSTEM and tries to run an un-trusted file. Therefore, when th
 list, the attack attempt will fail.
 
 For a video demo of this scenario,
-see [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/usersystemexecutables.md)
+see [SecureRun to block User AND System executables](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/usersystemexecutables.md)
 
 ## Scenario 2: Specific rule to block an app from being run, even as local System.
 

docs/policypak/components/leastprivilegemanager/technotes/tipsold/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Tips (Old Use Only If Asked)",
-  "position": 70,
+  "position": 120,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/bestpractices.md

@@ -36,7 +36,7 @@ to run through SecureRun. It will create the required allow and elevate policies
 create policies to block applications that would otherwise be automatically allowed.
 
 For more information on using the Auto-Rules Generator Tool, see
-[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md)
+[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md)
 
 ## Post-installation Options
 

docs/policypak/components/leastprivilegemanager/technotes/tipssecurerun/setup.md

@@ -10,12 +10,9 @@ sidebar_position: 20
 
 #### Getting Started
 
-Watch this quick video for tips on setting up Secure Run:
-[Stop Ransomware and other unknown zero day attacks with PolicyPak SecureRun(TM)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/howtoandtechsupport/stopransomware.md).
-
-In addition we have a tool called Auto Rules Generator for generating rules from a machine that has
-all your apps. It is in the Extras folder of the main Netwrix PolicyPak download. For more information on this issue, please see
-[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/basicsandgettingstarted/autorulesgeneratortool.md).
+To get started, use the Auto Rules Generator tool to generate rules from a machine that has
+all your installed applications. The tool is in the Extras folder of the Netwrix PolicyPak download, available from the Netwrix customer portal. For more information, see
+[Auto Rules Generator Tool (with SecureRun)](/docs/policypak/components/leastprivilegemanager/videolearningcenter/securerun/autorulesgeneratortool.md).
 
 #### How do we setup SecureRun when each version of the software references more than one .exe to start the program?
 

docs/policypak/components/leastprivilegemanager/technotes/troubleshooting/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Troubleshooting",
-  "position": 90,
+  "position": 30,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/videolearningcenter/acltraverse/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "ACL Traverse NTFS And Registry",
-  "position": 50,
+  "position": 60,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/videolearningcenter/adminapproval/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Admin Approval Self Elevate Apply On Demand SecureCopy(TM) And UI Branding",
-  "position": 60,
+  "position": 70,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/videolearningcenter/bestpractices/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Best Practices",
-  "position": 40,
+  "position": 30,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/videolearningcenter/businesssolutions/_category_.json

@@ -1,6 +1,6 @@
 {
   "label": "Business Solutions",
-  "position": 90,
+  "position": 110,
   "collapsed": true,
   "collapsible": true
 }

docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/_category_.json

@@ -0,0 +1,6 @@
+{
+  "label": "Dll-Hijack Prevention",
+  "position": 50,
+  "collapsed": true,
+  "collapsible": true
+}

docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/basics.md

@@ -0,0 +1,25 @@
+---
+title: "DLL Hijack Protection Basics: Get to know the system with a simple example"
+description: "DLL Hijack Protection Basics: Get to know the system with a simple example"
+sidebar_position: 10
+---
+
+# DLL Hijack Protection Basics: Get to know the system with a simple example
+
+This video demonstrates running a DLL directly with rundll32.exe from an untrusted location.
+
+Command:
+
+```
+rundll32.exe c:\temp\DLL-Notsigned.dll,EntryPointW
+```
+
+This is high-risk behavior: a DLL in a user-writable path is executed directly.
+DLL Hijack Protection flags and blocks it.
+
+When the blocked DLL is legitimate, the video demonstrates two ways to authorize the load:
+
+- **Option 1:** Authorize the identity (allow a specific user or group to perform this action)
+- **Option 2:** Authorize the DLL itself using a matching rule (path, hash, or publisher)
+
+<iframe width="560" height="315" src="https://www.youtube.com/embed/CmG91OYEXs8" title="DLL Hijack Protection Basics" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>

docs/policypak/components/leastprivilegemanager/videolearningcenter/dllhijackprevention/installers.md

@@ -0,0 +1,18 @@
+---
+title: "DLL Hijack Protection Scenario 3: Protecting Installers"
+description: "DLL Hijack Protection Scenario 3: Protecting Installers"
+sidebar_position: 30
+---
+
+# DLL Hijack Protection Scenario 3: Protecting Installers
+
+A user downloads an app (like VLC) from the internet and tries to run it by providing administrator credentials at a UAC prompt.
+
+Even if the user supplies valid administrator credentials, DLL Hijack Protection intervenes. In Safe Elevated Mode, the installer is blocked because it originates from an untrusted location.
+
+This video demonstrates two ways to authorize the installation:
+
+- **Option 1:** Create a rule to allow the application
+- **Option 2:** Authorize a specific user (e.g., DOMAIN\User) to perform installations from that location — when they elevate with UAC, the install proceeds
+
+<iframe width="560" height="315" src="https://www.youtube.com/embed/e86uvN2Awqg" title="DLL Hijack Protection Scenario 3: Protecting Installers" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share; fullscreen" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>