1. Home
  2. Techniques
  3. Enterprise
  4. System Script Proxy Execution
  5. SyncAppvPublishingServer

System Script Proxy Execution: SyncAppvPublishingServer

ID Name
T1216.001 PubPrn
T1216.002 SyncAppvPublishingServer

Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).[1] For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.[2][3]

The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from \System32 through the command line via wscript.exe.[4][5]

Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by "living off the land."[6][4] Proxying execution may function as a trusted/signed alternative to directly invoking powershell.exe.[7]

For example, PowerShell commands may be invoked using:[5]

SyncAppvPublishingServer.vbs "n; {PowerShell}"

ID: T1216.002
Sub-technique of:  T1216
Tactic: Defense Evasion
Platforms: Windows
Contributors: Shaul Vilkomir-Preisman
Version: 1.0
Created: 06 February 2024
Last Modified: 18 April 2024
Version Permalink

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for scripts like Syncappvpublishingserver.vbs that may be used to proxy execution of malicious files.
DS0009 Process Process Creation

Monitor script processes, such as wscript.exe, that may be used to proxy execution of malicious files.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References

  1. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  2. Microsoft. (2022, November 3). Getting started with App-V for Windows client. Retrieved February 6, 2024.
  3. Raj Chandel. (2022, March 17). Indirect Command Execution: Defense Evasion (T1202). Retrieved February 6, 2024.
  4. John Fokker. (2022, March 17). Suspected DarkHotel APT activity update. Retrieved February 6, 2024.
  1. Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs. Retrieved February 6, 2024.
  2. Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.
  3. Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved February 6, 2024.