T1216 Microsoft Sentinel · KQL

Detect System Script Proxy Execution in Microsoft Sentinel

Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1216 System Script Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1216/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousProxyScripts = dynamic([
  "pubprn.vbs",
  "syncappvpublishingserver.vbs",
  "syncappvpublishingserver.exe"
]);
let ScriptletProtocols = dynamic(["script:", "scrobj.dll", "scriptlet"]);
// Branch 1: cscript/wscript executing known proxy scripts
let Branch1 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cscript.exe", "wscript.exe")
| where ProcessCommandLine has_any (SuspiciousProxyScripts)
| extend ProxyScript = case(
    ProcessCommandLine has_any ("pubprn.vbs"), "PubPrn",
    ProcessCommandLine has_any ("syncappvpublishingserver.vbs"), "SyncAppvPublishingServer.vbs",
    "Unknown"
  )
| extend ScriptletExec = ProcessCommandLine has_any (ScriptletProtocols)
| extend RemoteURL = extract(@"(https?://[^\s'""]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ProxyScript, ScriptletExec, RemoteURL
| extend DetectionBranch = "ProxyScript_Execution";
// Branch 2: SyncAppvPublishingServer.exe running with PowerShell-like args (passes args to PS pipeline)
let Branch2 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "syncappvpublishingserver.exe"
| where ProcessCommandLine has_any (
    "Start-Process", "Invoke-Expression", "IEX", "Net.WebClient",
    "DownloadString", "DownloadFile", "-enc", "-EncodedCommand",
    "Start-BitsTransfer", "cmd.exe", "powershell"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ProxyScript = "SyncAppvPublishingServer.exe"
| extend ScriptletExec = false
| extend RemoteURL = extract(@"(https?://[^\s'""]+)", 1, ProcessCommandLine)
| extend DetectionBranch = "SyncAppv_PS_Proxy";
// Branch 3: Child processes spawned from known proxy script hosts indicating payload execution
let Branch3 = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("cscript.exe", "wscript.exe")
| where InitiatingProcessCommandLine has_any (SuspiciousProxyScripts)
| where FileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
    "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ProxyScript = "ParentProxyScript"
| extend ScriptletExec = false
| extend RemoteURL = ""
| extend DetectionBranch = "ProxyScript_ChildProcess";
union Branch1, Branch2, Branch3
| sort by Timestamp desc
high severity high confidence

Detects System Script Proxy Execution (T1216) using Microsoft Defender for Endpoint DeviceProcessEvents. Three detection branches: (1) cscript/wscript executing known proxy scripts (pubprn.vbs, syncappvpublishingserver.vbs) — identifies the 'script:' scriptlet protocol and extracts any remote URL; (2) SyncAppvPublishingServer.exe invoked with PowerShell-style arguments that get passed through to a PS pipeline; (3) child processes spawned from proxy script parents that indicate downstream payload execution. All branches capture parent process context for lateral movement and kill-chain analysis.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate printer publishing operations using PubPrn.vbs in enterprise printing environments — typically invoked by print administrators against a known print server, not a remote HTTP/HTTPS URL
  • App-V publishing infrastructure running SyncAppvPublishingServer.vbs/exe as part of scheduled application virtualization refresh — verify the server and account are expected in your App-V deployment
  • Security testing tools or red team exercises explicitly using LOLBAS scripts in an authorized penetration test — correlate with change management tickets
  • Software packaging scripts that invoke cscript.exe against Microsoft-signed VBScripts during application installation — check if the parent process is a trusted installer
Download portable Sigma rule (.yml)

Other platforms for T1216

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PubPrn.vbs Scriptlet Execution via script: Protocol

    Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2SyncAppvPublishingServer.vbs PowerShell Pipeline Injection

    Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.

  3. Test 3SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle

    Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.

  4. Test 4PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)

    Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (2)

Related Techniques

T1216.001PubPrnT1216.002SyncAppvPublishingServerT1218System Binary Proxy ExecutionT1218.005MshtaT1218.011Rundll32T1059.005Visual BasicT1059.001PowerShellT1105Ingress Tool TransferT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections