
Researcher uses Regsvr32 function to bypass AppLocker

Discussion in 'CSO' started by RSS, Apr 22, 2016.

  1. RSS (New Member)

    A researcher in Colorado has discovered a feature in Regsvr32 that allows an attacker to bypass application whitelisting protections, such as those afforded by Microsoft's AppLocker. If the technique is used, there's little evidence left behind for investigators, as the process doesn't alter the system registry and in some cases comes across as normal Internet Explorer traffic.

    Casey Smith, a researcher in Colorado, needed to install a reverse shell, but the workstation in question was locked down by AppLocker and script rules. After some trial and error, he discovered an interesting solution:
