T1216 IBM QRadar · QRadar

Detect System Script Proxy Execution in IBM QRadar

Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1216 System Script Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1216/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  username AS "User",
  "SourceProcessPath" AS "Image",
  "CommandLine",
  "ParentProcessPath" AS "Parent Image",
  "ParentCommandLine",
  CASE
    WHEN LOWER("CommandLine") ILIKE '%pubprn.vbs%' THEN 'PubPrn'
    WHEN LOWER("CommandLine") ILIKE '%syncappvpublishingserver.vbs%' THEN 'SyncAppvPublishingServer.vbs'
    WHEN LOWER("SourceProcessPath") ILIKE '%syncappvpublishingserver.exe' THEN 'SyncAppvPublishingServer.exe'
    ELSE 'Unknown'
  END AS "ProxyScript",
  CASE
    WHEN LOWER("CommandLine") ILIKE '%script:%' OR LOWER("CommandLine") ILIKE '%scrobj.dll%' OR LOWER("CommandLine") ILIKE '%scriptlet%' THEN 1
    ELSE 0
  END AS "ScriptletExec"
FROM events
WHERE devicetime > NOW() - 86400000
AND (
  (
    (LOWER("SourceProcessPath") ILIKE '%cscript.exe' OR LOWER("SourceProcessPath") ILIKE '%wscript.exe')
    AND (
      LOWER("CommandLine") ILIKE '%pubprn.vbs%'
      OR LOWER("CommandLine") ILIKE '%syncappvpublishingserver.vbs%'
      OR LOWER("CommandLine") ILIKE '%script:%'
      OR LOWER("CommandLine") ILIKE '%scrobj.dll%'
      OR LOWER("CommandLine") ILIKE '%scriptlet%'
    )
  )
  OR (
    LOWER("SourceProcessPath") ILIKE '%syncappvpublishingserver.exe'
    AND (
      LOWER("CommandLine") ILIKE '%start-process%'
      OR LOWER("CommandLine") ILIKE '%invoke-expression%'
      OR LOWER("CommandLine") ILIKE '%net.webclient%'
      OR LOWER("CommandLine") ILIKE '%-encodedcommand%'
      OR LOWER("CommandLine") ILIKE '%downloadstring%'
      OR LOWER("CommandLine") ILIKE '%downloadfile%'
    )
  )
  OR (
    (LOWER("ParentProcessPath") ILIKE '%cscript.exe' OR LOWER("ParentProcessPath") ILIKE '%wscript.exe')
    AND (LOWER("ParentCommandLine") ILIKE '%pubprn.vbs%' OR LOWER("ParentCommandLine") ILIKE '%syncappvpublishingserver.vbs%')
    AND (
      LOWER("SourceProcessPath") ILIKE '%powershell.exe'
      OR LOWER("SourceProcessPath") ILIKE '%pwsh.exe'
      OR LOWER("SourceProcessPath") ILIKE '%cmd.exe'
      OR LOWER("SourceProcessPath") ILIKE '%mshta.exe'
      OR LOWER("SourceProcessPath") ILIKE '%rundll32.exe'
      OR LOWER("SourceProcessPath") ILIKE '%regsvr32.exe'
      OR LOWER("SourceProcessPath") ILIKE '%certutil.exe'
      OR LOWER("SourceProcessPath") ILIKE '%msiexec.exe'
      OR LOWER("SourceProcessPath") ILIKE '%wmic.exe'
      OR LOWER("SourceProcessPath") ILIKE '%bitsadmin.exe'
    )
  )
)
ORDER BY devicetime DESC
high severity high confidence

AQL query for IBM QRadar detecting T1216 System Script Proxy Execution across three detection branches: direct proxy script invocation with scriptlet protocol arguments, SyncAppvPublishingServer.exe PowerShell pipeline abuse, and suspicious child process spawning from proxy script hosts. Relies on Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled, parsed via DSM into SourceProcessPath, CommandLine, ParentProcessPath, and ParentCommandLine custom properties.

Data Sources

Microsoft Windows Sysmon (DSM)Microsoft Windows Security Event Log (DSM)IBM QRadar WinCollect agent

Required Tables

events (QRadar events table with Windows process creation log source)

False Positives & Tuning

  • Enterprise App-V deployments where SyncAppvPublishingServer.exe is legitimately used during application streaming and publishing sequences from SCCM/ConfigMgr
  • Security assessment tooling running from authorized hosts that exercises these proxy script paths as part of endpoint detection validation
  • Print management suites or legacy printer deployment automation that legitimately invoke PubPrn.vbs without scriptlet URLs
Download portable Sigma rule (.yml)

Other platforms for T1216

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PubPrn.vbs Scriptlet Execution via script: Protocol

    Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2SyncAppvPublishingServer.vbs PowerShell Pipeline Injection

    Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.

  3. Test 3SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle

    Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.

  4. Test 4PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)

    Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1216.001PubPrnT1216.002SyncAppvPublishingServerT1218System Binary Proxy ExecutionT1218.005MshtaT1218.011Rundll32T1059.005Visual BasicT1059.001PowerShellT1105Ingress Tool TransferT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections