title: SyncAppvPublishingServer (T1216.002)
id: df00tech-t1216-002
status: experimental
description: "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands, bypassing execution restrictions and evading defensive countermeasures. SyncAppvPublishingServer.vbs is a legitimate, Microsoft-signed Visual Basic script associated with Windows Application Virtualization (App-V), located in System32 and commonly executed via wscript.exe. By embedding PowerShell commands in the script's argument using the syntax `SyncAppvPublishingServer.vbs \"n; {PowerShell}\"`, adversaries can invoke PowerShell logic through a trusted signed host process rather than calling powershell.exe directly. This technique has been observed in DarkHotel APT and BlueNoroff campaigns as a means of evading script-block logging, execution policy restrictions, and process-based detection rules that focus on powershell.exe as the initiating process."
references:
  - https://attack.mitre.org/techniques/T1216/002/
  - https://df00tech.com/detections/T1216.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1216.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The published KQL/SPL query could not be auto-translated; this selection is
  # derived from the argument syntax in the description (a ';' inside the script's
  # argument separating the publishing-server name from the PowerShell payload).
  selection:
    Image|endswith: '\wscript.exe'
    CommandLine|contains|all:
      - 'SyncAppvPublishingServer.vbs'
      - ';'
  condition: selection
falsepositives:
  - Legitimate App-V administrators running SyncAppvPublishingServer.vbs as part of application publishing workflows — the script may be invoked with parameters that superficially resemble PowerShell patterns
  - MDM solutions (Microsoft Intune, SCCM) invoking SyncAppvPublishingServer.vbs during App-V package deployment and synchronization tasks on managed endpoints
  - System administrators testing App-V virtualization environments where PowerShell is legitimately used alongside the SyncAppvPublishingServer script in the same session
  - Security red team exercises or authorized penetration tests validating detection coverage for LOLBin-based PowerShell execution
level: high
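Added example, not part of the df00tech rule: a small Python harness that replays constructed process_creation events through the conditions the rule encodes (wscript.exe host, SyncAppvPublishingServer.vbs on the command line, and a `;` inside the script's argument), so the logic can be checked offline against both a legitimate sync and a proxied PowerShell payload. Field names (`Image`, `CommandLine`) follow Sigma's process_creation conventions; all events are constructed samples.

```python
"""Offline check of the SyncAppvPublishingServer.vbs detection logic.

Added example, not part of the df00tech rule: replays constructed
process_creation events through the same conditions the rule encodes.
"""
import shlex
from typing import Dict, List, Optional

SCRIPT = "syncappvpublishingserver.vbs"


def script_argument(command_line: str) -> Optional[str]:
    """Return the argument passed to SyncAppvPublishingServer.vbs, or None
    if the script does not appear on the command line."""
    # posix=False keeps Windows backslashes literal and retains the quotes,
    # so the whole quoted argument survives as one token.
    tokens = shlex.split(command_line, posix=False)
    for i, tok in enumerate(tokens):
        if tok.strip('"').lower().endswith(SCRIPT):
            rest = tokens[i + 1:]
            return " ".join(t.strip('"') for t in rest) if rest else ""
    return None


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the Sigma selection: wscript.exe host, script on the command
    line, and a ';' separating the server name from a PowerShell payload."""
    if not event.get("Image", "").lower().endswith("\\wscript.exe"):
        return False
    arg = script_argument(event.get("CommandLine", ""))
    return arg is not None and ";" in arg


def flagged_events(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "legit-sync", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
    {"id": "proxy-exec", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Get-Date"'},
    {"id": "other-vbs", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Scripts\inventory.vbs "a; b"'},
]

if __name__ == "__main__":
    print(flagged_events(SAMPLE_EVENTS))  # ['proxy-exec']
```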
