Detection | medium | test

SyncAppvPublishingServer Execution to Bypass Powershell Restriction

Detects SyncAppvPublishingServer process execution, which is commonly used by adversaries to bypass PowerShell execution restrictions.

Author: Ensar Şamil, OSCD Community
Created: Mon Oct 05
Updated: Sun Dec 25
Rule ID: dddfebae-c46f-439c-af7a-fdb6bde90218
Product: windows

Log Source
Windows / PowerShell Script
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (1 selector)
detection:
    selection:
        ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
    condition: selection
False Positives

App-V clients
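To show what the single selector above actually matches, and why the App-V client false positive listed under False Positives fires too, here is an added Python evaluator that is not part of the Sigma rule or the page. It implements only the `contains` modifier (case-insensitive, as Sigma string modifiers are unless `|cased` is used) and runs it over a handful of constructed Script Block Logging records (Event ID 4104); the record ids, script text and the App-V argument string are all made up for the example.

```python
"""Evaluate the rule's `ScriptBlockText|contains` selector over constructed
PowerShell Script Block Logging events (Event ID 4104). Added example; not
the project's own code."""

# The detection section of the rule as shown on the page.
RULE = {
    "selection": {"ScriptBlockText|contains": "SyncAppvPublishingServer.exe"},
    "condition": "selection",
}


def field_contains(event, field, needle):
    """Sigma `contains`: substring test, case-insensitive by default."""
    value = event.get(field)
    if not isinstance(value, str):
        # Events without the field (e.g. module logging 4103 records that
        # carry a Payload instead of ScriptBlockText) can never match.
        return False
    return needle.lower() in value.lower()


def matches(event, rule=RULE):
    """True when every key of the selection matches (Sigma maps are ANDed).
    Only the `contains` modifier is implemented, which is all this rule uses."""
    for key, needle in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"modifier not implemented: {modifier}")
        if not field_contains(event, field, needle):
            return False
    return True


# Constructed sample events; RecordId values and text are invented.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe <args>"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "syncappvpublishingserver.exe <args>"},   # case differs
    {"RecordId": 4, "EventID": 4104,                               # benign App-V client
     "ScriptBlockText": "SyncAppvPublishingServer.exe <constructed App-V sync args>"},
    {"RecordId": 5, "EventID": 4103,                               # no ScriptBlockText field
     "Payload": "CommandInvocation(SyncAppvPublishingServer.exe)"},
]


def alerts(events):
    """Return the RecordIds of events the rule would alert on."""
    return [e["RecordId"] for e in events if matches(e)]


if __name__ == "__main__":
    print("alerting records:", alerts(SAMPLE_EVENTS))
```

Records 2, 3 and 4 alert: the lowercase variant matches because `contains` is case-insensitive, and the App-V client invocation in record 4 matches just as the page's False Positives entry warns, so an analyst triaging this rule should expect to whitelist known App-V hosts rather than the binary name. Record 5 shows the stated requirement in practice: without Script Block Logging there is no `ScriptBlockText` field and the rule is blind.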

Related Rules
Derived: fde7929d-8beb-4a4c-b922-be9974671667 (rule not found)
Derived: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 (rule not found)
Rule Metadata
Rule ID
dddfebae-c46f-439c-af7a-fdb6bde90218
Status
test
Level
medium
Type
Detection
Created
Mon Oct 05
Modified
Sun Dec 25
Path
rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
Raw Tags
attack.defense-evasion, attack.t1218