Process Mitigation Policies

Microsoft provides a Windows API, SetProcessMitigationPolicy, that hardens a process by blocking the loading of any DLL not signed by Microsoft. EDRs load their own DLLs into every process that gets created, and some EDR/AV/reverse-engineering tools do not have their DLLs signed by Microsoft. So, by enabling this mitigation policy, we can block non-Microsoft-signed DLLs from loading into our target process.

You can use the dll_block command to block any third-party, non-Microsoft-signed DLL from loading into a remote process during injection.

Once this command is enabled, every new process that you create, whether for a reflective injection or as a normal process, will have this mitigation policy enabled. If you want to disable this behaviour, use the dll_unblock command.