T1216.002

SyncAppvPublishingServer

Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands, bypassing execution restrictions and evading defensive countermeasures. SyncAppvPublishingServer.vbs is a legitimate, Microsoft-signed Visual Basic script associated with Windows Application Virtualization (App-V), located in System32 and commonly executed via wscript.exe. By embedding PowerShell commands in the script's argument using the syntax `SyncAppvPublishingServer.vbs "n; {PowerShell}"`, adversaries can invoke PowerShell logic through a trusted signed host process rather than calling powershell.exe directly. This technique has been observed in DarkHotel APT and BlueNoroff campaigns as a means of evading script-block logging, execution policy restrictions, and process-based detection rules that focus on powershell.exe as the initiating process.

Microsoft Sentinel / Defender

kusto

// Branch 1: wscript.exe directly invoking SyncAppvPublishingServer.vbs with embedded PowerShell content
let SyncAppvPath = dynamic(["syncappvpublishingserver.vbs", "syncappvpublishingserver"]);
let PowerShellIndicators = dynamic([
  "invoke-expression", "iex(", "iex ",
  "invoke-webrequest", "net.webclient", "downloadstring", "downloadfile",
  "-encodedcommand", "-enc ", "-e ",
  "start-process", "new-object", "invoke-command",
  "bypass", "hidden", "mimikatz", "shellcode",
  "invoke-mimikatz", "amsiutils", "reflection",
  "frombase64string", "io.memorystream"
]);
let SyncAppvEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wscript.exe" or FileName =~ "cscript.exe"
| where ProcessCommandLine has_any (SyncAppvPath)
| where ProcessCommandLine has_any (PowerShellIndicators)
| extend ExecutionVector = "Direct-SyncAppv-PowerShell-Proxy"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ProcessId, InitiatingProcessId,
          ExecutionVector;
// Branch 2: PowerShell spawned by wscript.exe/cscript.exe where parent command line references SyncAppvPublishingServer
let PSFromSyncAppv = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ ("wscript.exe", "cscript.exe")
| where InitiatingProcessCommandLine has_any (SyncAppvPath)
| extend ExecutionVector = "PowerShell-Child-Of-SyncAppv"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ProcessId, InitiatingProcessId,
          ExecutionVector;
// Branch 3: Any process spawning SyncAppvPublishingServer.vbs from unexpected parent (not system/winlogon)
let UnexpectedParent = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any (SyncAppvPath)
| where InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe", "services.exe", "winlogon.exe", "cmd.exe")
| extend ExecutionVector = "SyncAppv-Unexpected-Parent"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ProcessId, InitiatingProcessId,
          ExecutionVector;
union SyncAppvEvents, PSFromSyncAppv, UnexpectedParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate App-V administrators running SyncAppvPublishingServer.vbs as part of application publishing workflows — the script may be invoked with parameters that superficially resemble PowerShell patterns
MDM solutions (Microsoft Intune, SCCM) invoking SyncAppvPublishingServer.vbs during App-V package deployment and synchronization tasks on managed endpoints
System administrators testing App-V virtualization environments where PowerShell is legitimately used alongside the SyncAppvPublishingServer script in the same session
Security red team exercises or authorized penetration tests validating detection coverage for LOLBin-based PowerShell execution

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
(Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval ParentCommandLine=lower(ParentCommandLine)
| eval IsSyncAppvDirect=if(
    (match(Image, "(wscript|cscript)\.exe$") AND match(CommandLine, "syncappvpublishingserver")),
    1, 0
  )
| eval HasPSPayload=if(
    match(CommandLine, "(invoke-expression|iex[\s(]|invoke-webrequest|net\.webclient|downloadstring|downloadfile|-encodedcommand|-enc\s|new-object|bypass|shellcode|amsiutils|frombase64string|invoke-command|start-process)"),
    1, 0
  )
| eval IsPSFromSyncAppv=if(
    match(Image, "(powershell|pwsh)\.exe$") AND
    match(ParentImage, "(wscript|cscript)\.exe$") AND
    match(ParentCommandLine, "syncappvpublishingserver"),
    1, 0
  )
| eval IsSyncAppvUnexpectedParent=if(
    match(Image, "(wscript|cscript)\.exe$") AND
    match(CommandLine, "syncappvpublishingserver") AND
    NOT match(ParentImage, "(explorer|svchost|services|winlogon|cmd)\.exe$"),
    1, 0
  )
| eval DetectionReason=case(
    IsPSFromSyncAppv=1, "PowerShell spawned by SyncAppvPublishingServer proxy",
    IsSyncAppvDirect=1 AND HasPSPayload=1, "SyncAppvPublishingServer with embedded PowerShell payload",
    IsSyncAppvUnexpectedParent=1, "SyncAppvPublishingServer invoked from unexpected parent",
    true(), null()
  )
| where isnotnull(DetectionReason)
| eval RiskScore=case(
    IsPSFromSyncAppv=1 AND HasPSPayload=1, 90,
    IsSyncAppvDirect=1 AND HasPSPayload=1, 85,
    IsPSFromSyncAppv=1, 75,
    IsSyncAppvUnexpectedParent=1, 60,
    true(), 50
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsSyncAppvDirect, HasPSPayload, IsPSFromSyncAppv, IsSyncAppvUnexpectedParent,
        DetectionReason, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate App-V administrators running SyncAppvPublishingServer.vbs as part of application publishing workflows — the script may be invoked with parameters that superficially resemble PowerShell patterns
MDM solutions (Microsoft Intune, SCCM) invoking SyncAppvPublishingServer.vbs during App-V package deployment and synchronization tasks on managed endpoints
System administrators testing App-V virtualization environments where PowerShell is legitimately used alongside the SyncAppvPublishingServer script in the same session
Security red team exercises or authorized penetration tests validating detection coverage for LOLBin-based PowerShell execution

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  /* Branch 1: wscript/cscript directly invoking SyncAppvPublishingServer.vbs with embedded PowerShell payload */
  (
    process.name : ("wscript.exe", "cscript.exe") and
    process.command_line : "*syncappvpublishingserver*" and
    process.command_line : (
      "*invoke-expression*", "*iex(*", "*iex *",
      "*invoke-webrequest*", "*net.webclient*", "*downloadstring*", "*downloadfile*",
      "*-encodedcommand*", "*-enc *", "*start-process*", "*new-object*",
      "*invoke-command*", "*bypass*", "*hidden*", "*shellcode*",
      "*frombase64string*", "*amsiutils*", "*mimikatz*", "*reflection*"
    )
  ) or
  /* Branch 2: PowerShell spawned as child of wscript/cscript where parent command line references SyncAppvPublishingServer */
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.parent.name : ("wscript.exe", "cscript.exe") and
    process.parent.command_line : "*syncappvpublishingserver*"
  ) or
  /* Branch 3: wscript/cscript executing SyncAppvPublishingServer from an unexpected parent process */
  (
    process.name : ("wscript.exe", "cscript.exe") and
    process.command_line : "*syncappvpublishingserver*" and
    not process.parent.name : (
      "explorer.exe", "svchost.exe", "services.exe", "winlogon.exe", "cmd.exe"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon module Elastic Agent (Windows)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-system.security-*

False Positives

Legitimate App-V administrators using wscript.exe to invoke SyncAppvPublishingServer.vbs for publishing App-V packages in environments where Windows Application Virtualization is actively deployed and managed
Enterprise software deployment platforms (SCCM task sequences, Intune Win32 app deployments) that invoke SyncAppvPublishingServer.vbs and subsequently execute PowerShell post-processing steps as part of an App-V provisioning workflow
IT automation or configuration management scripts that legitimately call SyncAppvPublishingServer.vbs with PowerShell arguments for App-V streaming server registration or refresh in managed enterprise environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Image" AS process_image,
  "CommandLine" AS command_line,
  "Parent Process Image" AS parent_image,
  "Parent CommandLine" AS parent_command_line
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    /* Branch 1: wscript/cscript invoking SyncAppvPublishingServer with embedded PS payload */
    (
      LOWER("Process Image") MATCHES '(wscript|cscript)\.exe$'
      AND LOWER("CommandLine") ILIKE '%syncappvpublishingserver%'
      AND (
           LOWER("CommandLine") ILIKE '%invoke-expression%'
        OR LOWER("CommandLine") ILIKE '%iex(%'
        OR LOWER("CommandLine") ILIKE '%iex %'
        OR LOWER("CommandLine") ILIKE '%net.webclient%'
        OR LOWER("CommandLine") ILIKE '%downloadstring%'
        OR LOWER("CommandLine") ILIKE '%downloadfile%'
        OR LOWER("CommandLine") ILIKE '%-encodedcommand%'
        OR LOWER("CommandLine") ILIKE '%-enc %'
        OR LOWER("CommandLine") ILIKE '%new-object%'
        OR LOWER("CommandLine") ILIKE '%bypass%'
        OR LOWER("CommandLine") ILIKE '%shellcode%'
        OR LOWER("CommandLine") ILIKE '%frombase64string%'
        OR LOWER("CommandLine") ILIKE '%amsiutils%'
      )
    )
    OR
    /* Branch 2: PowerShell spawned as child of wscript/cscript that referenced SyncAppvPublishingServer */
    (
      LOWER("Process Image") MATCHES '(powershell|pwsh)\.exe$'
      AND LOWER("Parent Process Image") MATCHES '(wscript|cscript)\.exe$'
      AND LOWER("Parent CommandLine") ILIKE '%syncappvpublishingserver%'
    )
    OR
    /* Branch 3: SyncAppvPublishingServer invoked from unexpected parent */
    (
      LOWER("Process Image") MATCHES '(wscript|cscript)\.exe$'
      AND LOWER("CommandLine") ILIKE '%syncappvpublishingserver%'
      AND LOWER("Parent Process Image") NOT MATCHES '(explorer|svchost|services|winlogon|cmd)\.exe$'
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via QRadar DSM QRadar SIEM with Windows Event Log log source

Required Tables

events

False Positives

Legitimate App-V package publishing operations by IT administrators where wscript.exe invokes SyncAppvPublishingServer.vbs and the command line incidentally contains PowerShell-like strings for App-V parameter passing
Automated software provisioning systems (e.g., SCCM App-V integration, Flexera InstallShield) that trigger SyncAppvPublishingServer invocations with dynamic command-line arguments as part of managed deployment sequences
Security assessment or authorized red team exercises that simulate T1216.002 in the environment as part of scheduled adversary emulation testing

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode = "1" OR EventID = "1"
| eval image_lower = toLowerCase(Image)
| eval cmd_lower = toLowerCase(CommandLine)
| eval parent_image_lower = toLowerCase(ParentImage)
| eval parent_cmd_lower = toLowerCase(ParentCommandLine)
| where (image_lower matches "*wscript.exe"
         OR image_lower matches "*cscript.exe"
         OR image_lower matches "*powershell.exe"
         OR image_lower matches "*pwsh.exe")
  AND (
    cmd_lower matches "*syncappvpublishingserver*"
    OR parent_cmd_lower matches "*syncappvpublishingserver*"
  )
| eval IsSyncAppvDirect = if(
    (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe")
    AND cmd_lower matches "*syncappvpublishingserver*",
    1, 0
  )
| eval HasPSPayload = if(
    cmd_lower matches "*invoke-expression*"
    OR cmd_lower matches "*iex(*"
    OR cmd_lower matches "*iex *"
    OR cmd_lower matches "*invoke-webrequest*"
    OR cmd_lower matches "*net.webclient*"
    OR cmd_lower matches "*downloadstring*"
    OR cmd_lower matches "*downloadfile*"
    OR cmd_lower matches "*-encodedcommand*"
    OR cmd_lower matches "*-enc *"
    OR cmd_lower matches "*new-object*"
    OR cmd_lower matches "*start-process*"
    OR cmd_lower matches "*bypass*"
    OR cmd_lower matches "*shellcode*"
    OR cmd_lower matches "*frombase64string*"
    OR cmd_lower matches "*amsiutils*",
    1, 0
  )
| eval IsPSFromSyncAppv = if(
    (image_lower matches "*powershell.exe" OR image_lower matches "*pwsh.exe")
    AND (parent_image_lower matches "*wscript.exe" OR parent_image_lower matches "*cscript.exe")
    AND parent_cmd_lower matches "*syncappvpublishingserver*",
    1, 0
  )
| eval IsUnexpectedParent = if(
    (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe")
    AND cmd_lower matches "*syncappvpublishingserver*"
    AND !(parent_image_lower matches "*explorer.exe")
    AND !(parent_image_lower matches "*svchost.exe")
    AND !(parent_image_lower matches "*services.exe")
    AND !(parent_image_lower matches "*winlogon.exe")
    AND !(parent_image_lower matches "*cmd.exe"),
    1, 0
  )
| where IsSyncAppvDirect = 1 OR IsPSFromSyncAppv = 1 OR IsUnexpectedParent = 1
| eval DetectionReason = if(IsPSFromSyncAppv = 1 AND HasPSPayload = 1,
    "PowerShell spawned by SyncAppvPublishingServer proxy with PS payload",
    if(IsSyncAppvDirect = 1 AND HasPSPayload = 1,
      "SyncAppvPublishingServer with embedded PowerShell payload",
      if(IsPSFromSyncAppv = 1,
        "PowerShell spawned by SyncAppvPublishingServer proxy",
        if(IsUnexpectedParent = 1,
          "SyncAppvPublishingServer invoked from unexpected parent",
          "SyncAppv-Generic"))))
| eval RiskScore = if(IsPSFromSyncAppv = 1 AND HasPSPayload = 1, 90,
    if(IsSyncAppvDirect = 1 AND HasPSPayload = 1, 85,
      if(IsPSFromSyncAppv = 1, 75,
        if(IsUnexpectedParent = 1, 60, 50))))
| table _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionReason, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log via Sumo Logic Source Sumo Logic Cloud SIEM Enterprise (normalized schema)

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate App-V publishing workflows where IT administrators or provisioning agents call SyncAppvPublishingServer.vbs via wscript.exe and the command line includes PowerShell arguments for App-V environment configuration or streaming server registration
Enterprise MDM or endpoint management systems (SCCM, Tanium, Intune) orchestrating App-V deployment sequences that invoke SyncAppvPublishingServer followed by PowerShell configuration steps as a standard application lifecycle operation
Developer or QA workstations where App-V packaging toolchains are used alongside PowerShell automation scripts for testing virtualized application packaging and publishing pipelines

Google Chronicle / SecOps

yaral

rule t1216_002_syncappv_powershell_proxy {
  meta:
    author = "Detection Engineering"
    description = "Detects T1216.002 SyncAppvPublishingServer.vbs abuse for PowerShell proxy execution. Three branches: (1) wscript/cscript invoking SyncAppv with embedded PS payload keywords, (2) PowerShell spawned as child of wscript/cscript SyncAppv proxy, (3) SyncAppv launched from unexpected parent process."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1216.002"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1216/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      /* Branch 1: wscript/cscript directly invoking SyncAppv with PowerShell payload in command line */
      (
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)syncappvpublishingserver`) and
        re.regex($e.target.process.command_line,
          `(?i)(invoke-expression|iex[\s(]|invoke-webrequest|net\.webclient|downloadstring|downloadfile|-encodedcommand|-enc\s|new-object|start-process|invoke-command|bypass|shellcode|frombase64string|amsiutils|mimikatz|reflection)`
        )
      ) or
      /* Branch 2: PowerShell spawned as child of wscript/cscript that invoked SyncAppvPublishingServer */
      (
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e.principal.process.file.full_path, `(?i)(wscript|cscript)\.exe$`) and
        re.regex($e.principal.process.command_line, `(?i)syncappvpublishingserver`)
      ) or
      /* Branch 3: wscript/cscript executing SyncAppvPublishingServer from an unexpected parent process */
      (
        re.regex($e.target.process.file.full_path, `(?i)(wscript|cscript)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)syncappvpublishingserver`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(explorer|svchost|services|winlogon|cmd)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Endpoint telemetry Sysmon events forwarded via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Legitimate App-V application publishing sequences initiated by IT administrators where wscript.exe calls SyncAppvPublishingServer.vbs with PowerShell arguments for genuine App-V package streaming configuration or refresh operations
Enterprise software packaging tools such as SCCM App-V integration components or Flexera AdminStudio that automate SyncAppvPublishingServer invocations as part of managed application deployment pipelines where PowerShell keywords appear in delivery arguments
Third-party IT automation scripts or runbooks that use SyncAppvPublishingServer.vbs in combination with PowerShell for App-V virtual environment configuration on managed endpoints as part of approved change management processes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName_l := lower(FileName)
| CommandLine_l := lower(CommandLine)
| ParentBaseFileName_l := lower(ParentBaseFileName)
| ParentCommandLine_l := lower(ParentCommandLine)
// Pre-filter: only process events relevant to this technique
| FileName_l = /^(wscript|cscript|powershell|pwsh)\.exe$/
| CommandLine_l = /syncappvpublishingserver/ OR ParentCommandLine_l = /syncappvpublishingserver/
// Branch flags
| IsSyncAppvDirect := if(
    FileName_l = /^(wscript|cscript)\.exe$/ AND CommandLine_l = /syncappvpublishingserver/,
    "true", "false"
  )
| HasPSPayload := if(
    CommandLine_l = /(invoke-expression|iex[\s(]|invoke-webrequest|net\.webclient|downloadstring|downloadfile|-encodedcommand|-enc\s|new-object|start-process|bypass|shellcode|frombase64string|amsiutils)/,
    "true", "false"
  )
| IsPSFromSyncAppv := if(
    FileName_l = /^(powershell|pwsh)\.exe$/ AND
    ParentBaseFileName_l = /^(wscript|cscript)\.exe$/ AND
    ParentCommandLine_l = /syncappvpublishingserver/,
    "true", "false"
  )
| IsUnexpectedParent := if(
    FileName_l = /^(wscript|cscript)\.exe$/ AND
    CommandLine_l = /syncappvpublishingserver/ AND
    NOT ParentBaseFileName_l = /^(explorer|svchost|services|winlogon|cmd)\.exe$/,
    "true", "false"
  )
// Drop non-matching events
| IsSyncAppvDirect = "true" OR IsPSFromSyncAppv = "true" OR IsUnexpectedParent = "true"
// Assign execution vector and risk score
| ExecutionVector := case {
    IsPSFromSyncAppv = "true" AND HasPSPayload = "true" => "PowerShell-Child-Of-SyncAppv-With-Payload";
    IsSyncAppvDirect = "true" AND HasPSPayload = "true" => "SyncAppv-Direct-PS-Proxy";
    IsPSFromSyncAppv = "true" => "PowerShell-Child-Of-SyncAppv";
    IsUnexpectedParent = "true" => "SyncAppv-Unexpected-Parent";
    * => "SyncAppv-Generic"
  }
| RiskScore := case {
    IsPSFromSyncAppv = "true" AND HasPSPayload = "true" => 90;
    IsSyncAppvDirect = "true" AND HasPSPayload = "true" => 85;
    IsPSFromSyncAppv = "true" => 75;
    IsUnexpectedParent = "true" => 60;
    * => 50
  }
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ExecutionVector, RiskScore])
| sort(field=RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2) CrowdStrike Falcon Insight XDR

Required Tables

ProcessRollup2

False Positives

Legitimate App-V package publishing operations by IT administrators or automated deployment agents that invoke wscript.exe with SyncAppvPublishingServer.vbs and include PowerShell arguments for App-V streaming server configuration or package refresh
Software asset management or MDM platforms (SCCM, Intune, Tanium) that orchestrate App-V publishing workflows on managed endpoints as part of scheduled application deployment and lifecycle management tasks
Authorized red team or penetration testing activities that simulate T1216.002 SyncAppvPublishingServer proxy execution as part of sanctioned adversary emulation exercises against the organization's environment

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1216.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

SyncAppvPublishingServer

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections