Detect System Script Proxy Execution in Sumo Logic CSE
Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. Primary sub-techniques include PubPrn.vbs (a printer publishing script that accepts a 'script:' COM scriptlet URL as its second argument) and SyncAppvPublishingServer.vbs/exe (an App-V publishing script that passes arguments directly to a PowerShell pipeline). Because these scripts are signed by Microsoft, they may bypass application control policies (AppLocker, WDAC) that trust Microsoft-signed content, and they evade script-based detection that focuses on unsigned or unknown interpreters. The technique falls under Defense Evasion, making it a common component of initial access payloads and post-exploitation tooling.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1216 System Script Proxy Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1216/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "1"
| where (
(
(toLowerCase(Image) endswith "\\cscript.exe" OR toLowerCase(Image) endswith "\\wscript.exe")
AND (
toLowerCase(CommandLine) contains "pubprn.vbs"
OR toLowerCase(CommandLine) contains "syncappvpublishingserver.vbs"
OR toLowerCase(CommandLine) contains "script:"
OR toLowerCase(CommandLine) contains "scrobj.dll"
OR toLowerCase(CommandLine) contains "scriptlet"
)
)
OR (
toLowerCase(Image) endswith "\\syncappvpublishingserver.exe"
AND (
toLowerCase(CommandLine) contains "start-process"
OR toLowerCase(CommandLine) contains "invoke-expression"
OR toLowerCase(CommandLine) contains "net.webclient"
OR toLowerCase(CommandLine) contains "-encodedcommand"
OR toLowerCase(CommandLine) contains "downloadstring"
OR toLowerCase(CommandLine) contains "downloadfile"
)
)
OR (
(toLowerCase(ParentImage) endswith "\\cscript.exe" OR toLowerCase(ParentImage) endswith "\\wscript.exe")
AND (toLowerCase(ParentCommandLine) contains "pubprn.vbs" OR toLowerCase(ParentCommandLine) contains "syncappvpublishingserver.vbs")
AND (
toLowerCase(Image) endswith "\\powershell.exe"
OR toLowerCase(Image) endswith "\\pwsh.exe"
OR toLowerCase(Image) endswith "\\cmd.exe"
OR toLowerCase(Image) endswith "\\mshta.exe"
OR toLowerCase(Image) endswith "\\rundll32.exe"
OR toLowerCase(Image) endswith "\\regsvr32.exe"
OR toLowerCase(Image) endswith "\\certutil.exe"
OR toLowerCase(Image) endswith "\\msiexec.exe"
OR toLowerCase(Image) endswith "\\wmic.exe"
OR toLowerCase(Image) endswith "\\bitsadmin.exe"
)
)
)
| eval ProxyScript = if (toLowerCase(CommandLine) contains "pubprn.vbs", "PubPrn",
if (toLowerCase(CommandLine) contains "syncappvpublishingserver.vbs", "SyncAppvPublishingServer.vbs",
if (toLowerCase(Image) endswith "\\syncappvpublishingserver.exe", "SyncAppvPublishingServer.exe",
if (toLowerCase(ParentImage) endswith "\\cscript.exe" OR toLowerCase(ParentImage) endswith "\\wscript.exe", "ParentProxyScript",
"Unknown"))))
| eval ScriptletExec = if (toLowerCase(CommandLine) contains "script:" OR toLowerCase(CommandLine) contains "scrobj.dll" OR toLowerCase(CommandLine) contains "scriptlet", 1, 0)
| eval SuspicionScore = 0
| eval SuspicionScore = SuspicionScore + if (ScriptletExec = 1, 3, 0)
| eval SuspicionScore = SuspicionScore + if (toLowerCase(CommandLine) contains "http", 2, 0)
| eval SuspicionScore = SuspicionScore + if (toLowerCase(CommandLine) contains "invoke-expression" OR toLowerCase(CommandLine) contains "downloadstring" OR toLowerCase(CommandLine) contains "-encodedcommand", 2, 0)
| eval DetectionBranch = if (ScriptletExec = 1 OR (toLowerCase(Image) endswith "\\cscript.exe" OR toLowerCase(Image) endswith "\\wscript.exe"), "ProxyScript_Execution",
if (toLowerCase(Image) endswith "\\syncappvpublishingserver.exe", "SyncAppv_PS_Proxy", "ProxyScript_ChildProcess"))
| where SuspicionScore > 0
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ProxyScript, ScriptletExec, SuspicionScore, DetectionBranch
| sort by _time descSumo Logic CSE query detecting T1216 System Script Proxy Execution using Sysmon Event ID 1 process creation data. Covers PubPrn.vbs and SyncAppvPublishingServer proxy abuse with a weighted SuspicionScore to reduce noise, filtering out zero-score events. Classifies detections into ProxyScript_Execution, SyncAppv_PS_Proxy, and ProxyScript_ChildProcess branches matching the KQL/SPL logic.
Data Sources
Required Tables
False Positives & Tuning
- Managed print environments where PubPrn.vbs is called by deployment scripts or Group Policy startup scripts without scriptlet URLs — SuspicionScore would be 0 or 1
- App-V streaming deployments in enterprises using SCCM that legitimately invoke SyncAppvPublishingServer.exe without PowerShell proxy arguments
- Endpoint security validation platforms (Atomic Red Team, BAS tools) running T1216 simulations with approved change tickets during business hours
Other platforms for T1216
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PubPrn.vbs Scriptlet Execution via script: Protocol
Expected signal: Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing 'pubprn.vbs' and 'script:http://127.0.0.1'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8080 from cscript.exe. Security Event ID 4688 if command line auditing is enabled.
- Test 2SyncAppvPublishingServer.vbs PowerShell Pipeline Injection
Expected signal: Sysmon Event ID 1: cscript.exe with CommandLine containing 'SyncAppvPublishingServer.vbs' and 'Write-Output'. Child process Sysmon Event ID 1: powershell.exe spawned by cscript.exe executing the injected command. Sysmon Event ID 11: File Create for t1216-test.txt in %TEMP%.
- Test 3SyncAppvPublishingServer.exe Direct Invocation with PowerShell Download Cradle
Expected signal: Sysmon Event ID 1: SyncAppvPublishingServer.exe with CommandLine containing 'Invoke-Expression' and 'Net.WebClient'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:9090. Security Event ID 4688 with full command line.
- Test 4PubPrn.vbs Used from Non-Standard Location (Bypass Detection by Path)
Expected signal: Sysmon Event ID 11: File Create for pubprn.vbs in %TEMP% (potential staging artifact). Sysmon Event ID 1: cscript.exe with CommandLine referencing %TEMP%\pubprn.vbs and the 'script:' URL. Sysmon Event ID 3: Network Connection attempt from cscript.exe.
References (10)
- https://attack.mitre.org/techniques/T1216/
- https://attack.mitre.org/techniques/T1216/001/
- https://attack.mitre.org/techniques/T1216/002/
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Pubprn.yml
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Syncappvpublishingserver.yml
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/tyranid/DotNetToJScript
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.002/T1216.002.md
Unlock Pro Content
Get the full detection package for T1216 including response playbook, investigation guide, and atomic red team tests.