LoFP / app-v clients

Techniques

Sample rules

SyncAppvPublishingServer Execute Arbitrary PowerShell Code

Description

Detects execution of arbitrary PowerShell code using SyncAppvPublishingServer.exe.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: '"n; '
selection_img:
- Image|endswith: \SyncAppvPublishingServer.exe
- OriginalFileName: syncappvpublishingserver.exe

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module

Description

Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.

Detection logic

condition: selection
selection:
  ContextInfo|contains: SyncAppvPublishingServer.exe

SyncAppvPublishingServer Execution to Bypass Powershell Restriction

Description

Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains: SyncAppvPublishingServer.exe
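The three selections above, implemented as plain Python matchers and run over a few constructed events, as an added example that is not part of the LoFP page or the Sigma project. It assumes events are dicts keyed by the Sigma field names (Image, OriginalFileName, CommandLine, ContextInfo, ScriptBlockText) and follows Sigma's default case-insensitive string matching; the sample events are invented, not real telemetry.

```python
# Reference matchers for the three Sigma rules on this page (added example).


def _lower(value) -> str:
    # Sigma string modifiers are case-insensitive by default.
    return str(value or "").lower()


def rule_execute_arbitrary_ps(event: dict) -> bool:
    # condition: all of selection_* -> selection_cli AND selection_img.
    # selection_img is a YAML list of maps, so its two entries are OR'ed.
    selection_cli = '"n; ' in _lower(event.get("CommandLine"))
    selection_img = (
        _lower(event.get("Image")).endswith("\\syncappvpublishingserver.exe")
        or _lower(event.get("OriginalFileName")) == "syncappvpublishingserver.exe"
    )
    return selection_cli and selection_img


def rule_ps_module(event: dict) -> bool:
    # ContextInfo|contains (PowerShell module logging, EID 4103).
    return "syncappvpublishingserver.exe" in _lower(event.get("ContextInfo"))


def rule_script_block(event: dict) -> bool:
    # ScriptBlockText|contains (PowerShell script block logging, EID 4104).
    return "syncappvpublishingserver.exe" in _lower(event.get("ScriptBlockText"))


RULES = {
    "SyncAppvPublishingServer Execute Arbitrary PowerShell Code": rule_execute_arbitrary_ps,
    "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module": rule_ps_module,
    "SyncAppvPublishingServer Execution to Bypass Powershell Restriction": rule_script_block,
}


def evaluate(event: dict) -> list:
    # Return the titles of every rule the event matches.
    return [title for title, rule in RULES.items() if rule(event)]


# Constructed sample events (assumed shapes, not real logs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "OriginalFileName": "syncappvpublishingserver.exe",
     "CommandLine": 'SyncAppvPublishingServer.exe "n; Get-Date"'},   # hits rule 1
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": "SyncAppvPublishingServer.exe -?"},              # image only, no hit
    {"ContextInfo": r"Host Application = C:\Windows\System32\SyncAppvPublishingServer.exe"},
    {"ScriptBlockText": "Get-Date"},                                 # no hit
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate(event))
```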