Which SIEM platforms have a T1216.002 detection rule?

df00tech provides T1216.002 (SyncAppvPublishingServer) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect SyncAppvPublishingServer (T1216.002)?

Detecting SyncAppvPublishingServer requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1216.002 detection?

The T1216.002 detection is rated high severity with high confidence.

What are common false positives for T1216.002?

Common false positives for T1216.002 include: Legitimate App-V administrators running SyncAppvPublishingServer.vbs as part of application publishing workflows — the script may be invoked with parameters that superficially resemble PowerShell patterns; MDM solutions (Microsoft Intune, SCCM) invoking SyncAppvPublishingServer.vbs during App-V package deployment and synchronization tasks on managed endpoints; System administrators testing App-V virtualization environments where PowerShell is legitimately used alongside the SyncAppvPublishingServer script in the same session.

T1216.002 Elastic Security · Elastic

Detect SyncAppvPublishingServer in Elastic Security

Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands, bypassing execution restrictions and evading defensive countermeasures. SyncAppvPublishingServer.vbs is a legitimate, Microsoft-signed Visual Basic script associated with Windows Application Virtualization (App-V), located in System32 and commonly executed via wscript.exe. By embedding PowerShell commands in the script's argument using the syntax `SyncAppvPublishingServer.vbs "n; {PowerShell}"`, adversaries can invoke PowerShell logic through a trusted signed host process rather than calling powershell.exe directly. This technique has been observed in DarkHotel APT and BlueNoroff campaigns as a means of evading script-block logging, execution policy restrictions, and process-based detection rules that focus on powershell.exe as the initiating process.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1216 System Script Proxy Execution
Sub-technique: T1216.002 SyncAppvPublishingServer
Canonical reference: https://attack.mitre.org/techniques/T1216/002/

Elastic Detection Query

Elastic Security (Elastic)

eql

process where event.type == "start" and
(
  /* Branch 1: wscript/cscript directly invoking SyncAppvPublishingServer.vbs with embedded PowerShell payload */
  (
    process.name : ("wscript.exe", "cscript.exe") and
    process.command_line : "*syncappvpublishingserver*" and
    process.command_line : (
      "*invoke-expression*", "*iex(*", "*iex *",
      "*invoke-webrequest*", "*net.webclient*", "*downloadstring*", "*downloadfile*",
      "*-encodedcommand*", "*-enc *", "*start-process*", "*new-object*",
      "*invoke-command*", "*bypass*", "*hidden*", "*shellcode*",
      "*frombase64string*", "*amsiutils*", "*mimikatz*", "*reflection*"
    )
  ) or
  /* Branch 2: PowerShell spawned as child of wscript/cscript where parent command line references SyncAppvPublishingServer */
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.parent.name : ("wscript.exe", "cscript.exe") and
    process.parent.command_line : "*syncappvpublishingserver*"
  ) or
  /* Branch 3: wscript/cscript executing SyncAppvPublishingServer from an unexpected parent process */
  (
    process.name : ("wscript.exe", "cscript.exe") and
    process.command_line : "*syncappvpublishingserver*" and
    not process.parent.name : (
      "explorer.exe", "svchost.exe", "services.exe", "winlogon.exe", "cmd.exe"
    )
  )
)

high severity high confidence

Detects T1216.002 SyncAppvPublishingServer.vbs abuse via three branches using Elastic ECS process fields: (1) wscript/cscript directly invoking SyncAppvPublishingServer.vbs with embedded PowerShell payload keywords in the command line, (2) powershell.exe or pwsh.exe spawned as a direct child of wscript/cscript where the parent command line references SyncAppvPublishingServer, and (3) wscript/cscript invoking SyncAppvPublishingServer from an atypical parent process. Relies on Elastic Endpoint or Sysmon telemetry that populates process.parent.name and process.parent.command_line fields.

Data Sources

Elastic Endpoint SecurityWinlogbeat with Sysmon moduleElastic Agent (Windows)

Required Tables

logs-endpoint.events.process-*winlogbeat-*logs-system.security-*

False Positives & Tuning

Legitimate App-V administrators using wscript.exe to invoke SyncAppvPublishingServer.vbs for publishing App-V packages in environments where Windows Application Virtualization is actively deployed and managed
Enterprise software deployment platforms (SCCM task sequences, Intune Win32 app deployments) that invoke SyncAppvPublishingServer.vbs and subsequently execute PowerShell post-processing steps as part of an App-V provisioning workflow
IT automation or configuration management scripts that legitimately call SyncAppvPublishingServer.vbs with PowerShell arguments for App-V streaming server registration or refresh in managed enterprise environments

Download portable Sigma rule (.yml)

Other platforms for T1216.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1SyncAppvPublishingServer PowerShell Proxy — Benign Command
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and the argument 'n; whoami'. PowerShell ScriptBlock Log Event ID 4104 may capture the proxied command execution depending on the App-V configuration. Security Event ID 4688 (if command line auditing enabled) for wscript.exe.
Test 2SyncAppvPublishingServer PowerShell Proxy — Encoded Command
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', '-encodedCommand', and the Base64 payload. PowerShell ScriptBlock Log Event ID 4104 capturing the decoded command 'Write-Output Argus-Test-T1216.002'. If PowerShell spawns as a child process, a second Sysmon Event ID 1 for powershell.exe with parent=wscript.exe.
Test 3SyncAppvPublishingServer PowerShell Proxy — Download Cradle Simulation
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', 'Net.WebClient', 'DownloadString', and 'IEX'. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080 originating from wscript.exe or a child powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the download cradle code.
Test 4SyncAppvPublishingServer via cmd.exe — Indirect Invocation
Expected signal: Sysmon Event ID 1 for cmd.exe (from whatever launched the test), then Sysmon Event ID 1 for wscript.exe with ParentImage=cmd.exe and CommandLine containing 'SyncAppvPublishingServer.vbs' and the PowerShell Get-Process command. The parent-child chain cmd.exe -> wscript.exe -> [powershell proxy] is captured.

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1216.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect SyncAppvPublishingServer in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1216.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1216.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox