T1216.002 SyncAppvPublishingServer Mappings

Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious PowerShell commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)

The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from \System32 through the command line via wscript.exe.(Citation: 4 - appv)(Citation: 5 - appv)

Adversaries may abuse SyncAppvPublishingServer.vbs to bypass PowerShell execution restrictions and evade defensive counter measures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking powershell.exe.(Citation: 7 - appv)

For example, PowerShell commands may be invoked using:(Citation: 5 - appv)

SyncAppvPublishingServer.vbs "n; {PowerShell}"

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1216.002 System Script Proxy Execution: SyncAppvPublishingServer

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
cloud_identity Cloud Identity technique_scores T1216.002 SyncAppvPublishingServer
Comments
The access controls in Cloud Identity, such as MFA, can help to prevent an adversary from accessing internal software such as SyncAppvPublishingServer, protecting customer data. However, if the adversary is able to access the system, Cloud Identity is not able to protect this data, leading to a score of partial.
References