T1216

System Script Proxy Execution

Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.

Microsoft Sentinel / Defender

kusto

let SuspiciousProxyScripts = dynamic([
  "pubprn.vbs",
  "syncappvpublishingserver.vbs",
  "syncappvpublishingserver.exe"
]);
let ScriptletProtocols = dynamic(["script:", "scrobj.dll", "scriptlet"]);
// Branch 1: cscript/wscript executing known proxy scripts
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any (SuspiciousProxyScripts)
| extend ProxyScript = case(
    ProcessCommandLine has_any ("pubprn.vbs"), "PubPrn",
    ProcessCommandLine has_any ("syncappvpublishingserver.vbs"), "SyncAppvPublishingServer.vbs",
    "Unknown"
  )
| extend ScriptletExec = ProcessCommandLine has_any (ScriptletProtocols)
| extend RemoteURL = extract(@"(https?://[^\s'""]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ProxyScript, ScriptletExec, RemoteURL
| extend DetectionBranch = "ProxyScript_Execution";
// Branch 2: SyncAppvPublishingServer.exe running with PowerShell-like args (passes args to PS pipeline)
let Branch2 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "syncappvpublishingserver.exe"
| where ProcessCommandLine has_any (
    "Start-Process", "Invoke-Expression", "IEX", "Net.WebClient",
    "DownloadString", "DownloadFile", "-enc", "-EncodedCommand",
    "Start-BitsTransfer", "cmd.exe", "powershell"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ProxyScript = "SyncAppvPublishingServer.exe"
| extend ScriptletExec = false
| extend RemoteURL = extract(@"(https?://[^\s'""]+)", 1, ProcessCommandLine)
| extend DetectionBranch = "SyncAppv_PS_Proxy";
// Branch 3: Child processes spawned from known proxy script hosts indicating payload execution
let Branch3 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("cscript.exe", "wscript.exe")
| where InitiatingProcessCommandLine has_any (SuspiciousProxyScripts)
| where FileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
    "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ProxyScript = "ParentProxyScript"
| extend ScriptletExec = false
| extend RemoteURL = ""
| extend DetectionBranch = "ProxyScript_ChildProcess";
union Branch1, Branch2, Branch3
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate printer publishing operations using PubPrn.vbs in enterprise printing environments — typically invoked by print administrators against a known print server, not a remote HTTP/HTTPS URL
App-V publishing infrastructure running SyncAppvPublishingServer.vbs/exe as part of scheduled application virtualization refresh — verify the server and account are expected in your App-V deployment
Security testing tools or red team exercises explicitly using LOLBAS scripts in an authorized penetration test — correlate with change management tickets
Software packaging scripts that invoke cscript.exe against Microsoft-signed VBScripts during application installation — check if the parent process is a trusted installer

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
  (Image="*\\cscript.exe" OR Image="*\\wscript.exe")
  AND (CommandLine="*pubprn.vbs*" OR CommandLine="*syncappvpublishingserver.vbs*")
)
OR
(
  Image="*\\syncappvpublishingserver.exe"
  AND (
    CommandLine="*Start-Process*" OR CommandLine="*Invoke-Expression*" OR
    CommandLine="*IEX*" OR CommandLine="*Net.WebClient*" OR
    CommandLine="*DownloadString*" OR CommandLine="*-enc*" OR
    CommandLine="*-EncodedCommand*" OR CommandLine="*cmd.exe*"
  )
)
| eval ProxyScript=case(
    match(lower(CommandLine), "pubprn\.vbs"), "PubPrn",
    match(lower(CommandLine), "syncappvpublishingserver\.vbs"), "SyncAppvPublishingServer.vbs",
    match(lower(Image), "syncappvpublishingserver\.exe"), "SyncAppvPublishingServer.exe",
    true(), "Unknown"
  )
| eval ScriptletExec=if(match(lower(CommandLine), "(script:|scrobj\.dll|scriptlet)"), 1, 0)
| eval RemoteURL=if(match(CommandLine, "https?://"), rex(CommandLine, field=CommandLine, mode=sed, "s/.*(https?://[^\s'""]+).*/\1/"), "none")
| eval SuspicionScore=0
| eval SuspicionScore=SuspicionScore + if(ScriptletExec=1, 3, 0)
| eval SuspicionScore=SuspicionScore + if(match(lower(CommandLine), "https?://"), 2, 0)
| eval SuspicionScore=SuspicionScore + if(match(lower(CommandLine), "(invoke-expression|iex|downloadstring|net\.webclient|-encodedcommand)"), 2, 0)
| eval SuspicionScore=SuspicionScore + if(NOT match(lower(ParentImage), "(explorer\.exe|services\.exe|svchost\.exe|msiexec\.exe)"), 1, 0)
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ProxyScript, ScriptletExec, RemoteURL, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate printer publishing operations using PubPrn.vbs invoked against internal print server IP addresses (not remote HTTP URLs) — verify second argument is a UNC path or IP, not a 'script:' URL
App-V publishing refresh jobs running SyncAppvPublishingServer.vbs on schedule — confirm parent is taskeng.exe or svchost.exe for the Task Scheduler service with a known task name
IT automation or MDM deployment scripts that invoke Microsoft-signed VBScripts via cscript during software packaging — parent process will typically be msiexec.exe, ccmexec.exe, or a vendor installer
Security product health checks or compliance scanners that enumerate signed scripts by executing them with benign arguments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  "SourceProcessPath" AS "Image",
  "CommandLine",
  "ParentProcessPath" AS "Parent Image",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") ILIKE '%pubprn.vbs%' THEN 'PubPrn'
    WHEN LOWER("CommandLine") ILIKE '%syncappvpublishingserver.vbs%' THEN 'SyncAppvPublishingServer.vbs'
    WHEN LOWER("SourceProcessPath") ILIKE '%syncappvpublishingserver.exe' THEN 'SyncAppvPublishingServer.exe'
    ELSE 'Unknown'
  END AS "ProxyScript",
  CASE
    WHEN LOWER("CommandLine") ILIKE '%script:%' OR LOWER("CommandLine") ILIKE '%scrobj.dll%' OR LOWER("CommandLine") ILIKE '%scriptlet%' THEN 1
    ELSE 0
  END AS "ScriptletExec"
FROM events
WHERE devicetime > NOW() - 86400000
AND (
  (
    (LOWER("SourceProcessPath") ILIKE '%cscript.exe' OR LOWER("SourceProcessPath") ILIKE '%wscript.exe')
    AND (
      LOWER("CommandLine") ILIKE '%pubprn.vbs%'
      OR LOWER("CommandLine") ILIKE '%syncappvpublishingserver.vbs%'
      OR LOWER("CommandLine") ILIKE '%script:%'
      OR LOWER("CommandLine") ILIKE '%scrobj.dll%'
      OR LOWER("CommandLine") ILIKE '%scriptlet%'
    )
  )
  OR (
    LOWER("SourceProcessPath") ILIKE '%syncappvpublishingserver.exe'
    AND (
      LOWER("CommandLine") ILIKE '%start-process%'
      OR LOWER("CommandLine") ILIKE '%invoke-expression%'
      OR LOWER("CommandLine") ILIKE '%net.webclient%'
      OR LOWER("CommandLine") ILIKE '%-encodedcommand%'
      OR LOWER("CommandLine") ILIKE '%downloadstring%'
      OR LOWER("CommandLine") ILIKE '%downloadfile%'
    )
  )
  OR (
    (LOWER("ParentProcessPath") ILIKE '%cscript.exe' OR LOWER("ParentProcessPath") ILIKE '%wscript.exe')
    AND (LOWER("ParentCommandLine") ILIKE '%pubprn.vbs%' OR LOWER("ParentCommandLine") ILIKE '%syncappvpublishingserver.vbs%')
    AND (
      LOWER("SourceProcessPath") ILIKE '%powershell.exe'
      OR LOWER("SourceProcessPath") ILIKE '%pwsh.exe'
      OR LOWER("SourceProcessPath") ILIKE '%cmd.exe'
      OR LOWER("SourceProcessPath") ILIKE '%mshta.exe'
      OR LOWER("SourceProcessPath") ILIKE '%rundll32.exe'
      OR LOWER("SourceProcessPath") ILIKE '%regsvr32.exe'
      OR LOWER("SourceProcessPath") ILIKE '%certutil.exe'
      OR LOWER("SourceProcessPath") ILIKE '%msiexec.exe'
      OR LOWER("SourceProcessPath") ILIKE '%wmic.exe'
      OR LOWER("SourceProcessPath") ILIKE '%bitsadmin.exe'
    )
  )
)
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon (DSM) Microsoft Windows Security Event Log (DSM) IBM QRadar WinCollect agent

Required Tables

events (QRadar events table with Windows process creation log source)

False Positives

Enterprise App-V deployments where SyncAppvPublishingServer.exe is legitimately used during application streaming and publishing sequences from SCCM/ConfigMgr
Security assessment tooling running from authorized hosts that exercises these proxy script paths as part of endpoint detection validation
Print management suites or legacy printer deployment automation that legitimately invoke PubPrn.vbs without scriptlet URLs

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "1"
| where (
    (
      (toLowerCase(Image) endswith "\\cscript.exe" OR toLowerCase(Image) endswith "\\wscript.exe")
      AND (
        toLowerCase(CommandLine) contains "pubprn.vbs"
        OR toLowerCase(CommandLine) contains "syncappvpublishingserver.vbs"
        OR toLowerCase(CommandLine) contains "script:"
        OR toLowerCase(CommandLine) contains "scrobj.dll"
        OR toLowerCase(CommandLine) contains "scriptlet"
      )
    )
    OR (
      toLowerCase(Image) endswith "\\syncappvpublishingserver.exe"
      AND (
        toLowerCase(CommandLine) contains "start-process"
        OR toLowerCase(CommandLine) contains "invoke-expression"
        OR toLowerCase(CommandLine) contains "net.webclient"
        OR toLowerCase(CommandLine) contains "-encodedcommand"
        OR toLowerCase(CommandLine) contains "downloadstring"
        OR toLowerCase(CommandLine) contains "downloadfile"
      )
    )
    OR (
      (toLowerCase(ParentImage) endswith "\\cscript.exe" OR toLowerCase(ParentImage) endswith "\\wscript.exe")
      AND (toLowerCase(ParentCommandLine) contains "pubprn.vbs" OR toLowerCase(ParentCommandLine) contains "syncappvpublishingserver.vbs")
      AND (
        toLowerCase(Image) endswith "\\powershell.exe"
        OR toLowerCase(Image) endswith "\\pwsh.exe"
        OR toLowerCase(Image) endswith "\\cmd.exe"
        OR toLowerCase(Image) endswith "\\mshta.exe"
        OR toLowerCase(Image) endswith "\\rundll32.exe"
        OR toLowerCase(Image) endswith "\\regsvr32.exe"
        OR toLowerCase(Image) endswith "\\certutil.exe"
        OR toLowerCase(Image) endswith "\\msiexec.exe"
        OR toLowerCase(Image) endswith "\\wmic.exe"
        OR toLowerCase(Image) endswith "\\bitsadmin.exe"
      )
    )
  )
| eval ProxyScript = if (toLowerCase(CommandLine) contains "pubprn.vbs", "PubPrn",
    if (toLowerCase(CommandLine) contains "syncappvpublishingserver.vbs", "SyncAppvPublishingServer.vbs",
    if (toLowerCase(Image) endswith "\\syncappvpublishingserver.exe", "SyncAppvPublishingServer.exe",
    if (toLowerCase(ParentImage) endswith "\\cscript.exe" OR toLowerCase(ParentImage) endswith "\\wscript.exe", "ParentProxyScript",
    "Unknown"))))
| eval ScriptletExec = if (toLowerCase(CommandLine) contains "script:" OR toLowerCase(CommandLine) contains "scrobj.dll" OR toLowerCase(CommandLine) contains "scriptlet", 1, 0)
| eval SuspicionScore = 0
| eval SuspicionScore = SuspicionScore + if (ScriptletExec = 1, 3, 0)
| eval SuspicionScore = SuspicionScore + if (toLowerCase(CommandLine) contains "http", 2, 0)
| eval SuspicionScore = SuspicionScore + if (toLowerCase(CommandLine) contains "invoke-expression" OR toLowerCase(CommandLine) contains "downloadstring" OR toLowerCase(CommandLine) contains "-encodedcommand", 2, 0)
| eval DetectionBranch = if (ScriptletExec = 1 OR (toLowerCase(Image) endswith "\\cscript.exe" OR toLowerCase(Image) endswith "\\wscript.exe"), "ProxyScript_Execution",
    if (toLowerCase(Image) endswith "\\syncappvpublishingserver.exe", "SyncAppv_PS_Proxy", "ProxyScript_ChildProcess"))
| where SuspicionScore > 0
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ProxyScript, ScriptletExec, SuspicionScore, DetectionBranch
| sort by _time desc

high severity high confidence

Data Sources

Sysmon via Windows Event Collector Sumo Logic Installed Collector with Windows Event Log source Sumo Logic Cloud-to-Cloud Windows source

Required Tables

Windows Sysmon Event ID 1 (Process Create) logs Windows Security Event ID 4688 (Process Creation with command-line auditing)

False Positives

Managed print environments where PubPrn.vbs is called by deployment scripts or Group Policy startup scripts without scriptlet URLs — SuspicionScore would be 0 or 1
App-V streaming deployments in enterprises using SCCM that legitimately invoke SyncAppvPublishingServer.exe without PowerShell proxy arguments
Endpoint security validation platforms (Atomic Red Team, BAS tools) running T1216 simulations with approved change tickets during business hours

Google Chronicle / SecOps

yaral

rule T1216_System_Script_Proxy_Execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1216 System Script Proxy Execution via PubPrn.vbs and SyncAppvPublishingServer proxy scripts. Covers direct invocation with scriptlet protocol abuse, SyncAppvPublishingServer.exe PowerShell pipeline proxy, and suspicious child process spawning from proxy script hosts."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1216"
    mitre_attack_subtechniques = "T1216.001, T1216.002"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(cscript|wscript)\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)pubprn\.vbs`)
          or re.regex($e.target.process.command_line, `(?i)syncappvpublishingserver\.vbs`)
          or re.regex($e.target.process.command_line, `(?i)script:`)
          or re.regex($e.target.process.command_line, `(?i)scrobj\.dll`)
          or re.regex($e.target.process.command_line, `(?i)scriptlet`)
        )
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\syncappvpublishingserver\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(invoke-expression|\biex\b|net\.webclient|downloadstring|-encodedcommand|-enc\b|start-process|start-bitstransfer)`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\(cscript|wscript)\.exe$`)
        and (
          re.regex($e.principal.process.command_line, `(?i)pubprn\.vbs`)
          or re.regex($e.principal.process.command_line, `(?i)syncappvpublishingserver\.vbs`)
        )
        and re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta|rundll32|regsvr32|certutil|msiexec|wmic|bitsadmin|curl|wget)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon forwarding Chronicle Unified Data Model (UDM) PROCESS_LAUNCH events Windows Event Forwarding (WEF) to Chronicle

Required Tables

UDM PROCESS_LAUNCH events Chronicle entity graph for process lineage

False Positives

Legitimate App-V application publishing during scheduled maintenance windows where SyncAppvPublishingServer.exe is invoked by SCCM without PS proxy arguments
IT administrator scripts that wrap PubPrn.vbs in automation pipelines for bulk printer provisioning — the scriptlet condition would not trigger for legitimate use
Security testing infrastructure running authorized T1216 atomic tests as part of continuous detection validation programs

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| proxyScriptMatch := FileName=/(cscript|wscript)\.exe/i
    and (CommandLine=/pubprn\.vbs/i
         or CommandLine=/syncappvpublishingserver\.vbs/i
         or CommandLine=/script:/i
         or CommandLine=/scrobj\.dll/i
         or CommandLine=/scriptlet/i)
| syncAppvPSMatch := FileName=/syncappvpublishingserver\.exe/i
    and CommandLine=/(start-process|invoke-expression|\biex\b|net\.webclient|downloadstring|-encodedcommand|-enc\b|start-bitstransfer)/i
| childProcMatch := ParentBaseFileName=/(cscript|wscript)\.exe/i
    and (ParentCommandLine=/pubprn\.vbs/i or ParentCommandLine=/syncappvpublishingserver\.vbs/i)
    and FileName=/(powershell|pwsh|cmd|mshta|rundll32|regsvr32|certutil|msiexec|wmic|bitsadmin|curl|wget)\.exe/i
| where proxyScriptMatch = true or syncAppvPSMatch = true or childProcMatch = true
| ProxyScript := case(
    CommandLine=/pubprn\.vbs/i, "PubPrn",
    CommandLine=/syncappvpublishingserver\.vbs/i, "SyncAppvPublishingServer.vbs",
    FileName=/syncappvpublishingserver\.exe/i, "SyncAppvPublishingServer.exe",
    default="ParentProxyScript"
  )
| DetectionBranch := case(
    proxyScriptMatch = true, "ProxyScript_Execution",
    syncAppvPSMatch = true, "SyncAppv_PS_Proxy",
    childProcMatch = true, "ProxyScript_ChildProcess",
    default="Unknown"
  )
| ScriptletExec := CommandLine=/(script:|scrobj\.dll|scriptlet)/i
| RemoteURL := if(CommandLine=/https?:\/\//i, CommandLine, "none")
| SuspicionScore := if(ScriptletExec = true, 3, 0)
    + if(CommandLine=/https?:\/\//i, 2, 0)
    + if(CommandLine=/(invoke-expression|downloadstring|-encodedcommand)/i, 2, 0)
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ProxyScript, DetectionBranch, ScriptletExec, SuspicionScore])
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) CrowdStrike Falcon LogScale (formerly Humio) Falcon Data Replicator (FDR) feed

Required Tables

ProcessRollup2 (Falcon sensor process creation events)

False Positives

App-V publishing sequences during scheduled application delivery maintenance triggered by CrowdStrike-excluded processes (SCCM client, Intune Management Extension) — DetectionBranch would be SyncAppv_PS_Proxy with SuspicionScore of 0
Printer deployment automation using PubPrn.vbs from IT management systems like PDQ Deploy or Kace — ProxyScript_Execution branch fires but ScriptletExec would be false and SuspicionScore low
Red team or BAS (Breach and Attack Simulation) platform executions from known authorized hosts — recommend adding ComputerName exclusions for dedicated testing infrastructure

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Script Proxy Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections