T1216.001 PubPrn Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any ("pubprn", "pubprn.vbs")
| extend HasScriptMoniker = ProcessCommandLine has "script:"
| extend HasHTTP = ProcessCommandLine has_any ("http://", "https://")
| extend HasSCT = ProcessCommandLine has ".sct"
| extend HasRemoteRef = HasScriptMoniker and (HasHTTP or HasSCT)
| extend HasLDAPOnly = ProcessCommandLine has "LDAP://" and not HasScriptMoniker
// Flag any use of script: moniker — should never appear in legitimate pubprn usage
| where HasScriptMoniker or HasSCT
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HasScriptMoniker, HasHTTP, HasSCT, HasRemoteRef
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legacy printer management scripts that reference pubprn.vbs legitimately via LDAP:// — these will NOT match this query since we filter for script: or .sct
Red team or penetration testing exercises using PubPrn as a living-off-the-land bypass
Security researchers validating detection coverage by running atomic tests in a lab

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\cscript.exe" OR Image="*\\wscript.exe")
  (CommandLine="*pubprn*")
| eval HasScriptMoniker=if(match(lower(CommandLine), "script:"), 1, 0)
| eval HasHTTP=if(match(lower(CommandLine), "https?://"), 1, 0)
| eval HasSCT=if(match(lower(CommandLine), "\.sct"), 1, 0)
| eval HasRemoteRef=if(HasScriptMoniker=1 AND (HasHTTP=1 OR HasSCT=1), 1, 0)
| where HasScriptMoniker=1 OR HasSCT=1
| eval RiskScore=HasScriptMoniker + HasHTTP + HasSCT
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        HasScriptMoniker, HasHTTP, HasSCT, HasRemoteRef, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy printer management scripts invoking pubprn.vbs with LDAP:// parameter only — will not match since we require script: or .sct
Authorized red team engagements testing application control bypass techniques
Security tools that simulate attacker TTPs for detection validation

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("cscript.exe", "wscript.exe")
  and process.command_line like~ "*pubprn*"
  and (
    process.command_line like~ "*script:*"
    or process.command_line like~ "*.sct*"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Winlogbeat Elastic Agent (endpoint.events.process)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Legacy printer administration scripts that invoke pubprn.vbs with non-standard parameters in environments that have not patched Windows 10 restrictions on the second parameter
Security testing or red team exercises explicitly using PubPrn LOLBin technique in authorized penetration tests
Custom internal tooling that wraps pubprn.vbs for legitimate printer provisioning workflows — verify ParentImage and command context against change management records

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  "FileName",
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") LIKE '%script:%' THEN 1 ELSE 0
  END AS "HasScriptMoniker",
  CASE
    WHEN LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%' THEN 1 ELSE 0
  END AS "HasHTTP",
  CASE
    WHEN LOWER("CommandLine") LIKE '%.sct%' THEN 1 ELSE 0
  END AS "HasSCT"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security Event Log%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
AND (
  LOWER("FileName") LIKE '%cscript.exe%'
  OR LOWER("FileName") LIKE '%wscript.exe%'
)
AND LOWER("CommandLine") LIKE '%pubprn%'
AND (
  LOWER("CommandLine") LIKE '%script:%'
  OR LOWER("CommandLine") LIKE '%.sct%'
)
LAST 24 HOURS
ORDER BY devicetime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM Sysmon DSM via WinCollect or syslog

Required Tables

events

False Positives

Printer provisioning automation scripts in enterprise environments that call pubprn.vbs programmatically — validate against CMDB printer management workflows
Security tooling or SOAR playbooks that invoke pubprn.vbs as part of an authorized LOLBin detection test harness
Legacy Windows Server environments running custom VBScript-based print management solutions that construct pubprn.vbs arguments dynamically — correlate with known asset inventory

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID = "1" OR EventCode = "4688"
| where FileName matches "(?i).*\\(cscript|wscript)\.exe$"
    OR CommandLine matches "(?i).*\\(cscript|wscript)\.exe.*"
| where CommandLine matches "(?i).*pubprn.*"
| where CommandLine matches "(?i).*script:.*" OR CommandLine matches "(?i).*\.sct.*"
| if (CommandLine matches "(?i).*script:.*", 1, 0) as HasScriptMoniker
| if (CommandLine matches "(?i).*https?://.*", 1, 0) as HasHTTP
| if (CommandLine matches "(?i).*\.sct.*", 1, 0) as HasSCT
| if (HasScriptMoniker = 1 AND (HasHTTP = 1 OR HasSCT = 1), 1, 0) as HasRemoteRef
| toInt(HasScriptMoniker) + toInt(HasHTTP) + toInt(HasSCT) as RiskScore
| fields _messageTime, Computer, User, FileName, CommandLine, ParentImage, ParentCommandLine, HasScriptMoniker, HasHTTP, HasSCT, HasRemoteRef, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Installed Collector Windows Security Event Log via Sumo Logic Collector

Required Tables

windows/sysmon windows/security

False Positives

Legitimate printer management scripts in large enterprise environments that wrap pubprn.vbs — verify against authorized change requests in ITSM
Endpoint Detection and Response (EDR) simulation tooling executing PubPrn LOLBin tests as part of scheduled purple team exercises
Third-party print management software that constructs pubprn.vbs invocations with non-standard URI formats — cross-reference with software asset management

Google Chronicle / SecOps

yaral

rule t1216_001_pubprn_proxy_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects PubPrn.vbs proxy execution (T1216.001) via script: URI moniker or .sct COM scriptlet reference in cscript.exe or wscript.exe command line"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1216.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1216/001/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(cscript|wscript)\.exe$/
    $e.target.process.command_line = /(?i)pubprn/
    (
      $e.target.process.command_line = /(?i)script:/ or
      $e.target.process.command_line = /(?i)\.sct/
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if($e.target.process.command_line = /(?i)script:/, 40, 0) +
      if($e.target.process.command_line = /(?i)https?:\/\//, 35, 0) +
      if($e.target.process.command_line = /(?i)\.sct/, 25, 0)
    )
    $hostname = array_distinct($e.principal.hostname)
    $username = array_distinct($e.principal.user.userid)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $event_count = count_distinct($e.metadata.id)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Sysmon UDM ingestion Microsoft Defender for Endpoint UDM parser Chronicle Windows Event Log parser

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Authorized printer provisioning scripts running under service accounts in domain environments — validate principal.user.userid against known service account inventory
Red team or penetration testing engagements that exercise PubPrn LOLBin as part of a defined test window — correlate with authorized testing schedules
Custom enterprise VBScript wrappers that call pubprn.vbs with programmatically constructed command lines for printer fleet management — cross-reference with change management records and parent process tree

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(cscript|wscript)\.exe/
| CommandLine = /(?i)pubprn/
| CommandLine = /(?i)(script:|\.sct)/
| HasScriptMoniker := if(CommandLine = /(?i)script:/, "true", "false")
| HasHTTP := if(CommandLine = /(?i)https?:\/\//, "true", "false")
| HasSCT := if(CommandLine = /(?i)\.sct/, "true", "false")
| HasRemoteRef := if(HasScriptMoniker = "true" AND (HasHTTP = "true" OR HasSCT = "true"), "true", "false")
| RiskScore := (if(HasScriptMoniker = "true", 1, 0) + if(HasHTTP = "true", 1, 0) + if(HasSCT = "true", 1, 0))
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, HasScriptMoniker, HasHTTP, HasSCT, HasRemoteRef, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 telemetry CrowdStrike LogScale / Humio

Required Tables

ProcessRollup2

False Positives

Legitimate enterprise printer provisioning workflows invoking pubprn.vbs via scripting hosts — validate ComputerName and UserName against authorized IT admin accounts and service accounts
Authorized red team or adversary simulation exercises using PubPrn LOLBin technique within a defined engagement window — correlate with CrowdStrike Prevent policy exclusions and change tickets
Third-party endpoint management or software deployment tools that spawn cscript.exe or wscript.exe with pubprn.vbs as part of printer configuration — verify ParentBaseFileName and parent process chain against known management tooling

PubPrn

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections