Windows System Script Proxy Execution Syncappvpublishingserver
- source: splunk
- techniques:
  - T1216
  - T1218
Description
The following analytic identifies abuse of Syncappvpublishingserver.vbs, a script that ships with Windows and can be misused to download remote files or escalate privileges. The search flags wscript.exe or cscript.exe process executions whose command line references the script.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_script_proxy_execution_syncappvpublishingserver_filter`
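As an added illustration (not part of the Splunk rule or its content pack), the same match-and-group logic in Python over constructed process events in the shape of the Endpoint.Processes data model. The process_name and command line are compared case-insensitively, mirroring Splunk's field matching; the last sample event carries the script name but is not flagged because the search only considers wscript.exe and cscript.exe as the process_name.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry) using the Endpoint.Processes
# field names the rule groups by. Script arguments are omitted on purpose.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "alice",
     "parent_process_name": "explorer.exe", "process_name": "wscript.exe",
     "process": "wscript.exe C:\\scripts\\inventory.vbs",
     "process_id": 4100, "parent_process_id": 1200},
    {"_time": 1700000060, "dest": "ws01", "user": "alice",
     "parent_process_name": "cmd.exe", "process_name": "cscript.exe",
     "process": "cscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs <args>",
     "process_id": 4312, "parent_process_id": 2200},
    {"_time": 1700000120, "dest": "ws02", "user": "bob",
     "parent_process_name": "powershell.exe", "process_name": "WSCRIPT.EXE",
     "process": "WSCRIPT.EXE C:\\Windows\\System32\\syncappvpublishingserver.vbs <args>",
     "process_id": 4400, "parent_process_id": 2300},
    {"_time": 1700000180, "dest": "ws02", "user": "bob",
     "parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -c <args> syncappvpublishingserver.vbs",
     "process_id": 4500, "parent_process_id": 1300},
]

INTERPRETERS = {"wscript.exe", "cscript.exe"}   # Processes.process_name IN (...)
NEEDLE = "syncappvpublishingserver.vbs"         # Processes.process="*...*"
GROUP_FIELDS = ("dest", "user", "parent_process_name", "process_name",
                "process", "process_id", "parent_process_id")


def detect_syncappv_proxy_execution(events):
    """Return one row per group key with count, firstTime and lastTime,
    the same aggregation the tstats search produces."""
    groups = defaultdict(list)
    for ev in events:
        name = ev.get("process_name", "").lower()
        cmdline = ev.get("process", "").lower()
        # Both conditions are ANDed, exactly as in the SPL where clause.
        if name in INTERPRETERS and NEEDLE in cmdline:
            key = tuple(ev.get(field) for field in GROUP_FIELDS)
            groups[key].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        rows.append(row)
    return rows
```

Anything launching the script through another interpreter or a renamed binary falls outside this search, so pair it with broader script-host and parent-process coverage.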