LoFP / false positives may be present if the vbscript syncappvpublishingserver is used for legitimate purposes. filter as needed. adding a n; to the command-line arguments may help reduce any noise.

Techniques

• T1216
• T1218

Sample rules

Windows System Script Proxy Execution Syncappvpublishingserver

• source: splunk
• technicques:
  • T1216
  • T1218

Description

The following analytic detects the execution of Syncappvpublishingserver.vbs via wscript.exe or cscript.exe, which may indicate an attempt to download remote files or perform privilege escalation. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. Monitoring this activity is crucial as it can signify malicious use of a native Windows script for unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized file downloads or elevated privileges, posing a significant security risk.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_system_script_proxy_execution_syncappvpublishingserver_filter`