Execution of SyncAppvPublishingServer.vbs through wscript.exe (or cscript.exe) with a command line that carries embedded PowerShell, proxying malicious PowerShell execution through a Microsoft-signed VBScript so that the payload runs under a trusted interpreter and evades detection and execution restrictions.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| CommandLineRegex | Detects embedded PowerShell commands in SyncAppvPublishingServer.vbs invocation, e.g., `{powershell -nop -enc ...}` |
| ScriptInterpreter | May vary between `wscript.exe`, `cscript.exe`, or called via `cmd.exe` |
| PowerShellObfuscationScore | Used to detect encoding, obfuscation, or entropy level in embedded PowerShell payloads |
| TimeWindow | Time delta between VBScript proxy invocation and PowerShell payload execution |
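The following is an added worked example, not code from the original detection strategy page: it applies the four tunable fields above (CommandLineRegex, ScriptInterpreter, PowerShellObfuscationScore, TimeWindow) to constructed Sysmon EventCode=1 process-creation records. The record keys mirror Sysmon field names (`Image`, `CommandLine`, `ProcessId`, `ParentProcessId`, `UtcTime`); the sample values, the scoring weights and the entropy threshold are assumptions to be tuned per environment.

```python
"""Detection logic for SyncAppvPublishingServer.vbs proxying PowerShell (added example).

Applies the page's tunable fields to Sysmon EventCode=1 records:
  ScriptInterpreter        -> SCRIPT_INTERPRETERS
  CommandLineRegex         -> VBS_PROXY_RE
  PowerShellObfuscationScore -> obfuscation_score()
  TimeWindow               -> detect(time_window_s=...)
"""
import math
import re
from collections import Counter
from datetime import datetime

# ScriptInterpreter: images that may proxy the .vbs (cmd.exe when it chains into wscript/cscript).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# CommandLineRegex: the .vbs followed by a PowerShell cue inside its argument.
VBS_PROXY_RE = re.compile(
    r"(?i)SyncAppvPublishingServer\.vbs.*?(?:powershell|pwsh|invoke-expression|\biex\b|\s-e(?:nc|ncodedcommand)?\s)"
)

# Ingredients of PowerShellObfuscationScore (weights are assumptions).
ENC_RE = re.compile(r"(?i)\s-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
STEALTH_RE = re.compile(r"(?i)-nop\b|-noprofile|-noni\b|-w(?:indowstyle)?\s+hidden")
EXEC_CUE_RE = re.compile(r"(?i)\biex\b|invoke-expression|downloadstring|frombase64string")
ENTROPY_THRESHOLD = 2.5  # assumed; UTF-16LE base64 is 'A'-heavy, so it scores below raw base64


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def obfuscation_score(cmdline: str) -> int:
    """PowerShellObfuscationScore: 0 (plain) to 5 (encoded, high entropy, stealth flags, exec cue)."""
    score = 0
    m = ENC_RE.search(cmdline)
    if m:
        score += 2  # an encoded command is present
        if shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
            score += 1  # the payload looks like real base64 rather than a short literal
    if STEALTH_RE.search(cmdline):
        score += 1
    if EXEC_CUE_RE.search(cmdline):
        score += 1
    return score


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(utc: str) -> datetime:
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def detect(events, time_window_s: float = 5.0):
    """One alert per proxy invocation, correlated with the PowerShell child spawned inside TimeWindow."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 1 or image_name(ev["Image"]) not in SCRIPT_INTERPRETERS:
            continue
        if not VBS_PROXY_RE.search(ev["CommandLine"]):
            continue
        t0 = parse_time(ev["UtcTime"])
        child = None
        for cand in events:
            if (cand.get("EventCode") == 1
                    and cand.get("ParentProcessId") == ev["ProcessId"]
                    and image_name(cand["Image"]) in POWERSHELL_IMAGES
                    and 0 <= (parse_time(cand["UtcTime"]) - t0).total_seconds() <= time_window_s):
                child = cand
                break
        alerts.append({
            "proxy_pid": ev["ProcessId"],
            "interpreter": image_name(ev["Image"]),
            "obfuscation_score": obfuscation_score(ev["CommandLine"]),
            "child_pid": child["ProcessId"] if child else None,
            "delta_s": (parse_time(child["UtcTime"]) - t0).total_seconds() if child else None,
        })
    return alerts


# Constructed sample records (not real telemetry). The encoded payload is UTF-16LE "Get-Date".
EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessId": 4120, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; powershell -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="'},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:01.250", "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    # Legitimate App-V publishing refresh: the script with only its normal argument.
    {"EventCode": 1, "UtcTime": "2024-05-01 10:05:00.000", "ProcessId": 5200, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
    # Unrelated PowerShell started outside any proxy chain.
    {"EventCode": 1, "UtcTime": "2024-05-01 10:06:00.000", "ProcessId": 5300, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -nop"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Against the sample the benign `cscript.exe ... "n"` refresh produces no alert, while the wscript invocation is flagged with a score of 4 and correlated to the powershell.exe child logged 1.25 s later; shrinking `time_window_s` below that delta keeps the alert but drops the child correlation, which is the trade-off the TimeWindow field controls. When the chain starts from cmd.exe, the inner wscript.exe process inherits the same argument string, so it is matched at that level as well.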