Block Regsvr32 in Windows Firewall

Description

This task adds Windows Firewall rules that block regsvr32.exe from making outbound connections, so it cannot fetch content from remote locations (the basis of the application-whitelisting bypass linked under Action 2). The rules match regsvr32.exe by path, so they cover the System32 copy (and the SysWOW64 copy on x64 Windows) but not a renamed or relocated copy of the binary.

Note: The task is released in https://bigfix.me/, which is not an official release channel of IBM BigFix. We highly suggest testing the content before deploying to production. Use of the content is done at the user's own risk and the user will be solely responsible for any damage to any computer system or loss of data that results from use of the content.

Warning: This task turns the Windows Firewall on for all profiles (Domain, Private, Public) and adds the outbound block rules for regsvr32.exe. Enabling the firewall on every profile may also affect other traffic on endpoints where it was previously off.


Property Details

ID: 20257
Status: Production - Fully Tested and Ready for Production
Title: Block Regsvr32 in Windows Firewall
Category: Unspecified
Source ID: Unspecified
Source Severity: Unspecified
Source Release Date: 4/27/2016 7:54:05 AM
CVE Names: Unspecified
Keywords: AppLocker Regsvr32
Is Task: True
Added: 4/27/2016 7:54:05 AM
Last Modified: 4/27/2016 8:11:54 AM

Relevance

Relevance 1 (Windows only):
name of operating system as lowercase starts with "win"

Relevance 2 (no "Block Regsvr32" rule persisted in the firewall policy yet):
not exists values whose(it as string as lowercase contains "block regsvr32") of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" of native registry

Actions

Action 1

Action Link Click here to block Regsvr32.exe in firewall
Script Type BigFix Action Script
// Enable the Windows Firewall on all profiles (Domain, Private, Public)
waithidden NetSh Advfirewall set allprofiles state on

// Block outbound connections from the System32 copy of regsvr32.exe
waithidden netsh advfirewall firewall add rule name="Block Regsvr32" dir=out action=block program="{pathname of file "regsvr32.exe" of system folder}" enable=yes profile=any

// On x64 Windows, also block the 32-bit copy in SysWOW64
if {x64 of operating system}

waithidden netsh advfirewall firewall add rule name="Block Regsvr32 in SysWOW64" dir=out action=block program="{pathname of file "regsvr32.exe" of system wow64 folder}" enable=yes profile=any

endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
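The same two rules, created and then verified the way the task's relevance checks them, as an added PowerShell example. This is not part of the bigfix.me task; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and an elevated session. The rule names and the registry path are the ones the task uses.

```powershell
# Added example: the same outbound block rules as the BigFix task above, created
# and verified with the NetSecurity cmdlets. Not part of the bigfix.me task.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

$ErrorActionPreference = 'Stop'

# 1. Turn the firewall on for every profile, as the task's netsh line does.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 2. Paths to block: System32 always; SysWOW64 only exists on 64-bit Windows.
$targets = @{ 'Block Regsvr32' = Join-Path $env:SystemRoot 'System32\regsvr32.exe' }
if ([Environment]::Is64BitOperatingSystem) {
    $targets['Block Regsvr32 in SysWOW64'] = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe'
}

foreach ($name in $targets.Keys) {
    $program = $targets[$name]
    if (-not (Test-Path $program)) { Write-Warning "$program not found, skipping"; continue }
    # Idempotent: only add the rule if no rule with this display name exists yet.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $program -Profile Any -Enabled True | Out-Null
    }
}

# 3. Verify the same way the task's relevance does: persisted rules are REG_SZ
#    values under FirewallPolicy\FirewallRules, and the display name appears as a
#    "Name=" field inside each value string. -like is case-insensitive, matching
#    the relevance's "as lowercase contains" test.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$persisted = (Get-ItemProperty -Path $key).PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like '*Name=Block Regsvr32*' }

if (-not $persisted) {
    throw 'No "Block Regsvr32" rule is persisted in the registry; the task would still be relevant.'
}
$persisted | ForEach-Object { Write-Output $_.Value }

# 4. Show the effective rule objects, including the program path each one binds to,
#    so a reviewer can confirm the rule is Outbound, Block, Enabled and path-bound.
Get-NetFirewallRule -DisplayName 'Block Regsvr32*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Program = $filter.Program
    }
}
```

Step 3 is the useful check: if the value strings never appear under that key, the task's success criteria (relevance evaluating to false) will not be met even though the netsh commands returned without error. Step 4 also makes the limitation visible: each rule binds to one program path, so a copy of regsvr32.exe placed elsewhere is not covered.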

Action 2

Action Link Click here to view the blog about the exploit
Script Type URL
http://subt0x10.blogspot.sg/2016/04/bypass-application-whitelisting-script.html