Detect System Script Proxy Execution in CrowdStrike LogScale
Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1216 System Script Proxy Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1216/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| proxyScriptMatch := FileName=/(cscript|wscript)\.exe/i
and (CommandLine=/pubprn\.vbs/i
or CommandLine=/syncappvpublishingserver\.vbs/i
or CommandLine=/script:/i
or CommandLine=/scrobj\.dll/i
or CommandLine=/scriptlet/i)
| syncAppvPSMatch := FileName=/syncappvpublishingserver\.exe/i
and CommandLine=/(start-process|invoke-expression|\biex\b|net\.webclient|downloadstring|-encodedcommand|-enc\b|start-bitstransfer)/i
| childProcMatch := ParentBaseFileName=/(cscript|wscript)\.exe/i
and (ParentCommandLine=/pubprn\.vbs/i or ParentCommandLine=/syncappvpublishingserver\.vbs/i)
and FileName=/(powershell|pwsh|cmd|mshta|rundll32|regsvr32|certutil|msiexec|wmic|bitsadmin|curl|wget)\.exe/i
| where proxyScriptMatch = true or syncAppvPSMatch = true or childProcMatch = true
| ProxyScript := case(
CommandLine=/pubprn\.vbs/i, "PubPrn",
CommandLine=/syncappvpublishingserver\.vbs/i, "SyncAppvPublishingServer.vbs",
FileName=/syncappvpublishingserver\.exe/i, "SyncAppvPublishingServer.exe",
default="ParentProxyScript"
)
| DetectionBranch := case(
proxyScriptMatch = true, "ProxyScript_Execution",
syncAppvPSMatch = true, "SyncAppv_PS_Proxy",
childProcMatch = true, "ProxyScript_ChildProcess",
default="Unknown"
)
| ScriptletExec := CommandLine=/(script:|scrobj\.dll|scriptlet)/i
| RemoteURL := if(CommandLine=/https?:\/\//i, CommandLine, "none")
| SuspicionScore := if(ScriptletExec = true, 3, 0)
+ if(CommandLine=/https?:\/\//i, 2, 0)
+ if(CommandLine=/(invoke-expression|downloadstring|-encodedcommand)/i, 2, 0)
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ProxyScript, DetectionBranch, ScriptletExec, SuspicionScore])
| sort(field=timestamp, order=desc)CrowdStrike LogScale (Falcon) CQL query detecting T1216 System Script Proxy Execution using ProcessRollup2 events from the Falcon sensor. Three detection branches are evaluated in parallel: direct cscript/wscript proxy script execution with scriptlet/scrobj.dll indicators, SyncAppvPublishingServer.exe PowerShell pipeline proxy abuse, and suspicious child process spawning from proxy script parent processes. A SuspicionScore field is computed for prioritization. Requires Falcon Prevent or Insight license with process telemetry enabled.
Data Sources
Required Tables
False Positives & Tuning
- App-V publishing sequences during scheduled application delivery maintenance triggered by CrowdStrike-excluded processes (SCCM client, Intune Management Extension) — DetectionBranch would be SyncAppv_PS_Proxy with SuspicionScore of 0
- Printer deployment automation using PubPrn.vbs from IT management systems like PDQ Deploy or Kace — ProxyScript_Execution branch fires but ScriptletExec would be false and SuspicionScore low
- Red team or BAS (Breach and Attack Simulation) platform executions from known authorized hosts — recommend adding ComputerName exclusions for dedicated testing infrastructure
Other platforms for T1216
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PubPrn.vbs Scriptlet Execution via script: Protocol
Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.
- Test 2SyncAppvPublishingServer.vbs PowerShell Pipeline Injection
Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.
- Test 3SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle
Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.
- Test 4PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)
Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.
References (10)
- https://attack.mitre.org/techniques/T1216/
- https://attack.mitre.org/techniques/T1216/001/
- https://attack.mitre.org/techniques/T1216/002/
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Pubprn.yml
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Syncappvpublishingserver.yml
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/tyranid/DotNetToJScript
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.002/T1216.002.md
Unlock Pro Content
Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.