Detect System Script Proxy Execution in Elastic Security
Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1216 System Script Proxy Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1216/
Elastic Detection Query
process where event.type == "start" and
(
(
process.name : ("cscript.exe", "wscript.exe") and
process.command_line like~ ("*pubprn.vbs*", "*syncappvpublishingserver.vbs*", "*script:*", "*scrobj.dll*", "*scriptlet*")
)
or
(
process.name : "syncappvpublishingserver.exe" and
process.command_line like~ ("*Start-Process*", "*Invoke-Expression*", "*IEX*", "*Net.WebClient*", "*DownloadString*", "*-enc*", "*-EncodedCommand*", "*cmd.exe*", "*powershell*")
)
or
(
process.parent.name : ("cscript.exe", "wscript.exe") and
process.parent.command_line like~ ("*pubprn.vbs*", "*syncappvpublishingserver.vbs*") and
process.name : ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
)
)Detects T1216 System Script Proxy Execution via three branches: (1) cscript/wscript invoking PubPrn.vbs or SyncAppvPublishingServer.vbs with scriptlet protocol arguments, (2) SyncAppvPublishingServer.exe passing PowerShell-style arguments through its pipeline proxy, and (3) suspicious child processes (powershell, mshta, rundll32, etc.) spawned from cscript/wscript executing known proxy scripts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate printer publishing workflows using PubPrn.vbs in enterprise environments with managed print servers — the script: argument would be absent in benign use
- App-V (Application Virtualization) publishing sequences where SyncAppvPublishingServer.exe is invoked by SCCM or Intune as part of application delivery, without any encoded/download arguments
- Security tooling or EDR simulation platforms that invoke these scripts during red-team or purple-team exercises with pre-approved change requests
Other platforms for T1216
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PubPrn.vbs Scriptlet Execution via script: Protocol
Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.
- Test 2SyncAppvPublishingServer.vbs PowerShell Pipeline Injection
Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.
- Test 3SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle
Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.
- Test 4PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)
Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.
References (10)
- https://attack.mitre.org/techniques/T1216/
- https://attack.mitre.org/techniques/T1216/001/
- https://attack.mitre.org/techniques/T1216/002/
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Pubprn.yml
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Syncappvpublishingserver.yml
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/tyranid/DotNetToJScript
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.002/T1216.002.md
Unlock Pro Content
Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.