SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Sigma rule (View on GitHub)
1title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
2id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
3status: test
4description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
7 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
8author: frack113
9date: 2021-07-16
10modified: 2022-06-22
11tags:
12 - attack.defense-evasion
13 - attack.t1218
14 - attack.t1216
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 CommandLine|contains|all:
21 - '\SyncAppvPublishingServer.vbs'
22 - ';' # at a minimum, a semi-colon is required
23 condition: selection
24fields:
25 - ComputerName
26 - User
27 - CommandLine
28 - ParentCommandLine
29falsepositives:
30 - Unknown
31level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
SyncAppvPublishingServer.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution