
DET0440 Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse

Item Value
ID DET0440
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1216.002 (SyncAppvPublishingServer)

Analytics

Windows

AN1220

Execution of SyncAppvPublishingServer.vbs through wscript.exe (or cscript.exe) with a command line whose argument carries embedded PowerShell. The script builds and launches a PowerShell command from its argument, so an attacker can proxy PowerShell execution through a Microsoft-shipped script run by a signed script host, sidestepping controls and detections that key on a direct launch of powershell.exe.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Mutable Elements
Field Description
CommandLineRegex Detects embedded PowerShell commands in SyncAppvPublishingServer.vbs invocation, e.g., {powershell -nop -enc ...}
ScriptInterpreter The host running the .vbs may be wscript.exe or cscript.exe, and the script may be launched indirectly through cmd.exe
PowerShellObfuscationScore Used to detect encoding, obfuscation, or entropy level in embedded PowerShell payloads
TimeWindow Time delta between VBScript proxy invocation and PowerShell payload execution
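As an added example, not part of the DET0440 page or MITRE's own tooling: a Python prototype of AN1220 run over a few constructed Sysmon EventCode=1 and PowerShell EventCode=4104 records. The tunables at the top map to the mutable elements above; their values, the event field names, the indicator regexes and the sample command lines (including the benign one) are assumptions made for the demonstration, not documented App-V syntax.

```python
import base64
import math
import re
from datetime import datetime, timedelta

# --- Mutable elements of AN1220 as tunables (values assumed for this demo) ---
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}  # ScriptInterpreter
TIME_WINDOW = timedelta(seconds=30)                             # TimeWindow
ENTROPY_THRESHOLD = 4.5                                         # PowerShellObfuscationScore (bits/char)

# CommandLineRegex, split in two: first isolate the argument handed to the .vbs,
# then look for PowerShell smuggled into it (';' statement separator, an
# -enc/-e Base64 blob, or common download-cradle tokens). Assumed indicator set.
SCRIPT_RE = re.compile(r'SyncAppvPublishingServer\.vbs"?\s*(?P<arg>.*)$', re.IGNORECASE)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
PS_INDICATOR_RE = re.compile(
    r";|Invoke-Expression|\bIEX\b|New-Object|DownloadString|\bpowershell\b", re.IGNORECASE
)


def shannon_entropy(text):
    """Bits per character; the entropy component of PowerShellObfuscationScore."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation(arg):
    """Return (entropy, encoded, obfuscated) for the argument passed to the .vbs."""
    entropy = round(shannon_entropy(arg), 3)
    encoded = ENCODED_RE.search(arg) is not None
    return entropy, encoded, encoded or entropy >= ENTROPY_THRESHOLD


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run AN1220 over Sysmon EID 1 / PowerShell 4104 records; one hit per proxy invocation."""
    events = sorted(events, key=lambda e: e["UtcTime"])
    procs = [e for e in events if e["EventCode"] == 1]
    hits = []
    for e in procs:
        if image_name(e["Image"]) not in SCRIPT_INTERPRETERS:
            continue
        m = SCRIPT_RE.search(e["CommandLine"])
        if not m:
            continue
        arg = m.group("arg").strip().strip("\"'")
        if not (PS_INDICATOR_RE.search(arg) or ENCODED_RE.search(arg)):
            continue
        entropy, encoded, obfuscated = obfuscation(arg)
        # TimeWindow correlation: powershell.exe spawned by this process, and any
        # script block (4104) logged by those children, inside the window.
        deadline = e["UtcTime"] + TIME_WINDOW
        children = [c["ProcessId"] for c in procs
                    if c["ParentProcessId"] == e["ProcessId"]
                    and image_name(c["Image"]) in ("powershell.exe", "pwsh.exe")
                    and e["UtcTime"] <= c["UtcTime"] <= deadline]
        blocks = [b["ScriptBlockText"] for b in events
                  if b["EventCode"] == 4104 and b["ProcessId"] in children
                  and e["UtcTime"] <= b["UtcTime"] <= deadline]
        hits.append({"process_id": e["ProcessId"], "interpreter": image_name(e["Image"]),
                     "argument": arg, "entropy": entropy, "encoded": encoded,
                     "obfuscated": obfuscated, "child_powershell": children,
                     "script_blocks": blocks})
    return hits


def _enc(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


T0 = datetime(2025, 10, 21, 14, 0, 0)
# Constructed sample records (not real telemetry); only the fields the analytic uses.
SAMPLE_EVENTS = [
    # Plain argument, no embedded PowerShell: should not alert.
    {"EventCode": 1, "UtcTime": T0, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
    # ';' smuggles a PowerShell statement into the argument; the .vbs then spawns powershell.exe.
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=5), "ProcessId": 4200, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Start-Process calc.exe"'},
    {"EventCode": 1, "UtcTime": T0 + timedelta(seconds=6), "ProcessId": 4201, "ParentProcessId": 4200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NonInteractive -WindowStyle Hidden -Command "Sync-AppvPublishingServer n;Start-Process calc.exe"'},
    {"EventCode": 4104, "UtcTime": T0 + timedelta(seconds=7), "ProcessId": 4201,
     "ScriptBlockText": "Start-Process calc.exe"},
    # cscript.exe variant with an -enc payload; no child in the sample, so correlation comes back empty.
    {"EventCode": 1, "UtcTime": T0 + timedelta(minutes=5), "ProcessId": 5300, "ParentProcessId": 3100,
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;powershell -nop -enc '
                    + _enc("Start-Process calc.exe") + '"'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The correlation step is what separates this from a bare command-line match: a proxy invocation that never yields a powershell.exe child (or a 4104 block) inside the window is still reported, but with empty correlation fields, so the analyst can triage it at lower priority than one where the child and its script block line up.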