Reply to post: Re: Does it work? Not for me.

Bypass the Windows AppLocker bouncer with a tweet-size command

Comport-Colin

Re: Does it work? Not for me.

I was criticizing the article's title. regsvr32.exe does not bypass AppLocker, no matter who executes it.

What it does is give us another means of executing script code. In fact, it was always there, so it is not even an exploit that was found. The only connection to AppLocker is that, with defaults on (which are: programs out of c:\windows and c:\progs are blocked; scripts are blocked (vbs/bat/com/ps1...)), one would not expect to be able to execute script code on that system.

Now let's think: why wouldn't we expect that system to let us execute script code? There are tons of executables in c:\windows, all of which might offer ways to execute "some" script code, JUST NOT scripts ending with .vbs/bat/cmd/ps1... from untrusted locations. But any other script code? Sure. regsvr32 is an example; there might be others. So surely, even if this is not really bypassing AppLocker, it urgently asks for a review of your settings (AppLocker/NTFS ACLs) regarding regsvr32. Defaults applied? You shouldn't.
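The review of AppLocker settings and NTFS ACLs for regsvr32 that the comment above calls for, as an added PowerShell example. This is not code from the article or from the commenter. It assumes a Windows edition that supports AppLocker, an elevated session, and a standard (non-admin) local account named 'TestUser'; it checks what the effective policy decides for regsvr32.exe, lists who holds execute rights on the binary, and builds an explicit Deny path rule scoped to the Users group that can be merged into the local policy after a dry run.

```powershell
# Added example; not code from the article or from the commenter.
# Assumptions: an edition of Windows that supports AppLocker, an elevated
# PowerShell session, and a standard (non-admin) local account 'TestUser'.
# Set $apply to $true only after reviewing the dry-run output.
$apply = $false
Import-Module AppLocker

$regsvr32Paths = @(
    "$env:windir\System32\regsvr32.exe",
    "$env:windir\SysWOW64\regsvr32.exe"
)

# 1. What does the effective policy (local + domain GPO) decide for
#    regsvr32.exe when a standard user runs it? With the default rules it is
#    allowed, because the default Exe rule allows everything under %WINDIR%.
$effectiveXml = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectiveXml -Encoding Unicode
Test-AppLockerPolicy -XmlPolicy $effectiveXml -Path $regsvr32Paths -User 'TestUser' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 2. NTFS side of the review: which principals hold rights on the binary.
foreach ($p in $regsvr32Paths) {
    (Get-Acl -Path $p).Access |
        Select-Object @{ n = 'File'; e = { $p } }, IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# 3. Build an explicit Deny path rule for BUILTIN\Users (S-1-5-32-545), so
#    administrators keep the ability to register DLLs with regsvr32.
#    New-AppLockerPolicy only produces Allow rules, so the XML is written by hand.
$rules = foreach ($p in $regsvr32Paths) {
    $applockerPath = $p -replace [regex]::Escape($env:windir), '%WINDIR%'
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $applockerPath for Users" Description="regsvr32 can run script code that the default Script rules do not cover" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$applockerPath" />
      </Conditions>
    </FilePathRule>
"@
}

# EnforcementMode="NotConfigured" leaves the Exe collection's current mode
# (AuditOnly or Enabled) untouched when the rule is merged in.
$denyPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$denyXml = Join-Path $env:TEMP 'applocker-deny-regsvr32.xml'
Set-Content -Path $denyXml -Value $denyPolicy -Encoding Unicode

# 4. Dry run: the new rule on its own must report Denied for the standard
#    user before it is applied.
Test-AppLockerPolicy -XmlPolicy $denyXml -Path $regsvr32Paths -User 'TestUser' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply by merging into the local policy. Deny rules take precedence over
#    Allow rules, so the default %WINDIR% allow rule no longer covers
#    regsvr32 for Users. Enforcement also needs the Application Identity
#    service (AppIDSvc) to be running.
if ($apply) {
    Set-AppLockerPolicy -XmlPolicy $denyXml -Merge
    Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
}
```

Scoping the deny rule to Users rather than Everyone is deliberate: regsvr32 is a legitimate tool for installers and administrators, and an Everyone deny tends to get reverted the first time a deployment breaks. Run the merged policy in AuditOnly first and watch the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) for hits before switching the Exe collection to Enabled.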
