.. /Regsvcs.exe

Star

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

• https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/
• https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
• https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md

Execute

1. Loads the target .DLL file and executes the RegisterClass function.

   regsvcs.exe AllTheThingsx64.dll

   Use case

   Execute dll file and bypass Application whitelisting

   Privileges required

   User

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.009

   Tags

   Execute: DLL

   This LOLBAS executes Dynamic-Link Libraries (DLLs).

   Input: Custom Format

   This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.

AWL bypass

1. Loads the target .DLL file and executes the RegisterClass function.

   regsvcs.exe AllTheThingsx64.dll

   Use case

   Execute dll file and bypass Application whitelisting

   Privileges required

   Local Admin

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.009

   Tags

   Execute: DLL

   This LOLBAS executes Dynamic-Link Libraries (DLLs).

   Input: Custom Format

   This LOLBAS expects the input file to follow a set structure; check the description and linked resources for more details.