
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module

Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.

Author: Ensar Şamil, OSCD Community
Created: Mon Oct 05
Updated: Fri Dec 02
Rule ID: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Module (raw: ps_module)

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic
detection:
    selection:
        ContextInfo|contains: 'SyncAppvPublishingServer.exe'
    condition: selection
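As an added example, not part of the rule or the page, the following Python evaluator applies this selection with Sigma's default case-insensitive `contains` semantics to a few constructed PowerShell Module (event ID 4103) records; the ContextInfo strings are made up for illustration, and the third one stands in for a legitimate App-V client run.

```python
"""Evaluate the rule's selection against constructed event 4103 records."""

# The detection block, transcribed from the rule above.
RULE = {
    "detection": {
        "selection": {"ContextInfo|contains": "SyncAppvPublishingServer.exe"},
        "condition": "selection",
    }
}


def field_matches(event: dict, key: str, expected: str) -> bool:
    """Apply one Sigma field test. Only the 'contains' modifier and a bare
    equality test are implemented, since that is all this rule needs.
    Sigma string matching is case-insensitive by default."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    if modifier == "contains":
        return expected.lower() in value.lower()
    if modifier == "":
        return value.lower() == expected.lower()
    raise NotImplementedError(f"modifier not supported: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    # Fields inside one selection are AND-ed together.
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict, rule: dict = RULE) -> bool:
    det = rule["detection"]
    # The condition here is just the name of the single selection.
    return selection_matches(event, det[det["condition"]])


# Constructed sample records shaped like 4103 ContextInfo payloads.
SAMPLE_EVENTS = [
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\nHost Application = "
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCommand Name = Get-Process"},
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\nHost Application = "
     "C:\\Windows\\System32\\SyncAppvPublishingServer.exe\nCommand Name = Get-ChildItem"},
    {"EventID": 4103, "ContextInfo": "Host Name = ConsoleHost\nHost Application = "
     "c:\\windows\\system32\\syncappvpublishingserver.exe -Verbose\nCommand Name = Sync-AppvPublishingServer"},
]


def matching_events(events=SAMPLE_EVENTS) -> list:
    """Return the records this rule would fire on."""
    return [e for e in events if rule_matches(e)]
```

Both SyncAppvPublishingServer records match regardless of path casing, which is why the rule's false-positive note about App-V clients matters when tuning it.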
False Positives

App-V clients

Related Rules
Derived: fde7929d-8beb-4a4c-b922-be9974671667 (rule not found)
Derived: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 (rule not found)
Rule Metadata
Rule ID
fe5ce7eb-dad8-467c-84a9-31ec23bd644a
Status
test
Level
medium
Type
Detection
Created
Mon Oct 05
Modified
Fri Dec 02
Path
rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
Raw Tags
attack.defense-evasion, attack.t1218