Execution of PubPrn.vbs via cscript.exe using the 'script:' moniker to load and execute a remote .sct scriptlet file, bypassing signature validation and proxying remote payloads through a signed Microsoft script host.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| CommandLineRegex | Detects 'script:' moniker with HTTP/HTTPS URI as argument to pubprn.vbs |
| ParentProcessName | May vary between cscript.exe, wscript.exe, or cmd.exe depending on execution method |
| NetworkDestinationDomain | Used to detect external domains being contacted for remote scriptlet execution |
| TimeWindow | Maximum allowed time delta between pubprn.vbs invocation and network connection or child process |
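The following is an added example, not part of the original detection strategy, showing how the tunables above fit together: a command-line regex for the `script:` moniker with an HTTP/HTTPS URI, a correlation on ProcessGuid to tie the pubprn.vbs process creation (Sysmon EventCode 1) to a network connection (EventCode 3) or a child process, and a time window bounding the delta. The pipe-separated `key=value` event layout and every event below are constructed for the example; the parent image is reported for context rather than filtered, since the page notes it may be cscript.exe, wscript.exe or cmd.exe.

```python
"""Correlate constructed Sysmon-style events to flag pubprn.vbs loading a remote scriptlet."""
import re
from datetime import datetime, timedelta

# CommandLineRegex: 'script:' moniker followed by an http/https URI on a pubprn.vbs command line.
COMMAND_LINE_REGEX = re.compile(r"pubprn\.vbs\b.*\bscript:https?://", re.IGNORECASE)

# TimeWindow: maximum delta between the pubprn.vbs launch and a follow-on
# network connection or child process attributed to that process.
TIME_WINDOW = timedelta(seconds=60)

# Constructed sample events (assumed layout, not real telemetry).
# EventCode 1 = process creation, EventCode 3 = network connection.
SAMPLE_EVENTS = [
    "EventCode=1|UtcTime=2024-05-01 10:00:00|ProcessGuid={A}|ParentProcessGuid={P}|"
    "Image=C:\\Windows\\System32\\cscript.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=cscript.exe C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs "
    "127.0.0.1 script:https://example.invalid/placeholder.sct",
    "EventCode=3|UtcTime=2024-05-01 10:00:02|ProcessGuid={A}|"
    "Image=C:\\Windows\\System32\\cscript.exe|DestinationHostname=example.invalid|DestinationPort=443",
    "EventCode=1|UtcTime=2024-05-01 10:00:05|ProcessGuid={C}|ParentProcessGuid={A}|"
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\System32\\cscript.exe|"
    "CommandLine=notepad.exe",
    # Legitimate printer publishing: LDAP path argument, no 'script:' moniker.
    "EventCode=1|UtcTime=2024-05-01 11:00:00|ProcessGuid={B}|ParentProcessGuid={Q}|"
    "Image=C:\\Windows\\System32\\cscript.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=cscript.exe pubprn.vbs printsrv01 \"LDAP://CN=Computers,DC=corp,DC=example\"",
    # Unrelated connection from another process, outside any window.
    "EventCode=3|UtcTime=2024-05-01 12:00:00|ProcessGuid={D}|"
    "Image=C:\\Windows\\System32\\svchost.exe|DestinationHostname=update.example|DestinationPort=443",
]


def parse_event(line):
    """Split one constructed 'key=value|key=value' line into a dict with a parsed UtcTime."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # values such as LDAP paths may contain '='
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def is_remote_scriptlet_launch(event):
    """True for a process-creation event whose command line matches CommandLineRegex."""
    return (event.get("EventCode") == "1"
            and COMMAND_LINE_REGEX.search(event.get("CommandLine", "")) is not None)


def correlate(lines, window=TIME_WINDOW):
    """Return one alert per matching pubprn.vbs launch, enriched with any
    network destinations (same ProcessGuid) and child processes (ParentProcessGuid
    equal to the launch's ProcessGuid) observed within the time window."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for launch in filter(is_remote_scriptlet_launch, events):
        start, end = launch["UtcTime"], launch["UtcTime"] + window
        in_window = [e for e in events if start <= e["UtcTime"] <= end]
        destinations = [e["DestinationHostname"] for e in in_window
                        if e["EventCode"] == "3" and e["ProcessGuid"] == launch["ProcessGuid"]]
        children = [e["Image"] for e in in_window
                    if e["EventCode"] == "1" and e.get("ParentProcessGuid") == launch["ProcessGuid"]]
        alerts.append({
            "time": launch["UtcTime"],
            "parent": launch.get("ParentImage", ""),   # reported, not filtered
            "command_line": launch["CommandLine"],
            "network_destinations": destinations,
            "child_processes": children,
            # The regex hit alone is the signal; follow-on activity raises confidence.
            "corroborated": bool(destinations or children),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first launch fires: the regex rejects the legitimate LDAP-path invocation, and the later svchost.exe connection falls outside every window and belongs to a different ProcessGuid. Widening `TIME_WINDOW` trades fewer misses for more coincidental pairings, which is why the strategy lists it as a tunable.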