Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).[1] For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.[2][3]
The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from \System32 through the command line via wscript.exe.[4][5]
Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive countermeasures by "living off the land."[6][4] Proxying execution in this way may serve as a trusted/signed alternative to directly invoking powershell.exe.[7]
For example, PowerShell commands may be invoked using:[5]
`SyncAppvPublishingServer.vbs "n; {PowerShell}"`
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0440 | Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse | AN1220 | Execution of SyncAppvPublishingServer.vbs through wscript.exe with a command line containing embedded PowerShell, proxying malicious PowerShell execution through a Microsoft-signed VBScript interpreter to evade detection and restrictions. |
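An added detection example (not part of ATT&CK or the cited references) that implements the AN1220 analytic in Python over constructed process-creation events: it flags wscript.exe or cscript.exe launching SyncAppvPublishingServer.vbs with PowerShell-looking text after the `;` separator, and, as a corroborating signal, a PowerShell process whose parent is a script host. The event field names, sample paths and command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Minimal shape of a process-creation event (Sysmon Event ID 1 / Windows 4688 style); assumed field names.
@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # full command line of the created process
    parent_image: str   # full path of the parent process

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
TARGET_SCRIPT = "syncappvpublishingserver.vbs"
# Tokens that look like PowerShell rather than a publishing-server argument (cmdlet verbs, variables, pipes).
PS_TOKENS = re.compile(
    r"(\b(?:iex|invoke-expression|invoke-command|start-process|new-object|"
    r"get-\w+|set-\w+|add-\w+|downloadstring|frombase64string)\b|\$\w+|\|)",
    re.IGNORECASE,
)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def script_argument(command_line: str) -> Optional[str]:
    """Return the argument passed to SyncAppvPublishingServer.vbs, or None if the script is not referenced."""
    idx = command_line.lower().find(TARGET_SCRIPT)
    if idx < 0:
        return None
    return command_line[idx + len(TARGET_SCRIPT):].strip(' "')

def analyze(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches the proxy-execution pattern, else None."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    # Signal 1: a script host runs the App-V script with PowerShell-looking content after ';'.
    if image in SCRIPT_HOSTS:
        arg = script_argument(ev.command_line)
        if arg is not None and ";" in arg:
            payload = arg.split(";", 1)[1].strip()
            if PS_TOKENS.search(payload):
                return f"{image} ran {TARGET_SCRIPT} with embedded PowerShell: {payload!r}"
    # Signal 2: PowerShell spawned directly by a script host (corroborating parent/child relationship).
    if image in POWERSHELL_HOSTS and parent in SCRIPT_HOSTS:
        return f"{image} spawned by {parent}"
    return None

def scan(events: List[ProcessEvent]) -> List[str]:
    return [reason for reason in (analyze(e) for e in events) if reason]

# Constructed sample events: two benign, two proxy-abuse command lines, one corroborating child process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "1;http://appv.example.internal/publish"', r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Start-Process notepad.exe"', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r'''cscript.exe //nologo c:\windows\system32\syncappvpublishingserver.vbs "n;$c = 'notepad.exe'; Start-Process $c"''', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -NoProfile -Command Get-Process", r"C:\Windows\System32\wscript.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` returns three reasons: the two script-host launches carrying PowerShell after `;` and the powershell.exe child of wscript.exe, while the benign publishing-server call and the unrelated .vbs are not flagged.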