System Script Proxy Execution: SyncAppvPublishingServer
Other sub-techniques of System Script Proxy Execution (2)
| ID | Название |
|---|---|
| .001 | Сценарий PubPrn |
| .002 | SyncAppvPublishingServer |
Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv) The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv) Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv) For example, PowerShell commands may be invoked using:(Citation: 5 - appv) `SyncAppvPublishingServer.vbs "n; {PowerShell}"`
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Ссылки
- Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.
- SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
- Raj Chandel. (2022, March 17). Indirect Command Execution: Defense Evasion (T1202). Retrieved February 6, 2024.
- Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved September 12, 2024.
- Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs. Retrieved February 6, 2024.
- Microsoft. (2022, November 3). Getting started with App-V for Windows client. Retrieved February 6, 2024.
- John Fokker. (2022, March 17). Suspected DarkHotel APT activity update. Retrieved February 6, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.