SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Detects execution of SyncAppvPublishingServer.exe from within PowerShell script blocks, a LOLBAS binary that adversaries commonly use to bypass PowerShell execution restrictions.
Sigma rule

```yaml
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
id: dddfebae-c46f-439c-af7a-fdb6bde90218
related:
    - id: fde7929d-8beb-4a4c-b922-be9974671667
      type: derived
    - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
      type: derived
status: test
description: Detects execution of SyncAppvPublishingServer.exe from within PowerShell script blocks, which adversaries commonly use to bypass PowerShell execution restrictions.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020-10-05
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
    condition: selection
falsepositives:
    - App-V clients
level: medium
```
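The rule above is a single `contains` selection on the `ScriptBlockText` field. The following Python is an added example (not part of the Sigma rule or the Sigma project) that replays that selection against a handful of constructed Script Block Logging events, so the matching semantics are visible: Sigma string matching is case-insensitive by default, and the `ps_script` log source scopes the rule to PowerShell Event ID 4104, so the same string in a Module Logging (4103) event is outside the rule's scope. The event dicts, computer names and the `run_detection` helper are assumptions made for this example.

```python
"""Replay the Sigma selection against constructed PowerShell Script Block Logging events."""

# Constructed sample events, not real telemetry. ScriptBlockText is the field that
# Sigma's ps_script log source maps to PowerShell Script Block Logging (Event ID 4104).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-ChildItem -Path C:\\Users"},
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "& 'C:\\Windows\\System32\\SyncAppvPublishingServer.exe'"},
    # Mixed case: Sigma 'contains' still matches because matching is case-insensitive.
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "Start-Process syncappvpublishingserver.exe"},
    # Module Logging (4103) is not the ps_script log source, so this must not alert.
    {"EventID": 4103, "Computer": "WS02",
     "ScriptBlockText": "SyncAppvPublishingServer.exe"},
]

RULE_ID = "dddfebae-c46f-439c-af7a-fdb6bde90218"
RULE_LEVEL = "medium"
NEEDLE = "SyncAppvPublishingServer.exe"  # the rule's ScriptBlockText|contains value


def sigma_contains(field_value, needle):
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    if field_value is None:
        return False
    return needle.casefold() in str(field_value).casefold()


def matches_rule(event):
    """Log source scope (Script Block Logging, 4104) AND the rule's single selection."""
    return event.get("EventID") == 4104 and sigma_contains(event.get("ScriptBlockText"), NEEDLE)


def run_detection(events):
    """Return one alert per matching event, carrying the rule id, level and context."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "rule": RULE_ID,
                "level": RULE_LEVEL,
                "computer": event.get("Computer"),
                "script": event.get("ScriptBlockText"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Triage note: because the match is a bare substring, App-V clients that legitimately invoke this binary produce the same alert; the rule's `falsepositives` entry is the place to document that exclusion for your environment.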
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE