MITRE ATT&CK Technique
Description
Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)

The SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv)

Adversaries may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001) execution restrictions and evade defensive counter measures by "living off the land."(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv)

For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands may be invoked using:(Citation: 5 - appv)

`SyncAppvPublishingServer.vbs "n; {PowerShell}"`
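An added example (not part of the ATT&CK entry): a small detector for the invocation pattern above, run over constructed process-creation command lines. The host names, the sample events and the assumption that a legitimate argument is a bare publishing-server identifier are illustrative, not taken from the page.

```python
import re

# Matches the script name anywhere in a command line, regardless of case or path.
SCRIPT_RE = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)
# Assumption: a legitimate argument is a bare publishing-server identifier, so
# any PowerShell statement/pipeline/sub-expression syntax in it is unexpected.
INJECTION_RE = re.compile(r"[;|&{}`]|\$\(")


def analyze(command_line):
    """Return None if the script is not referenced, else a triage dict."""
    match = SCRIPT_RE.search(command_line)
    if match is None:
        return None
    # Everything after the script name is what gets handed to the script.
    args = command_line[match.end():].replace('"', "").strip()
    hit = INJECTION_RE.search(args)
    return {
        "suspicious": hit is not None,
        "args": args,
        # Text from the first separator on: what an analyst should read first.
        "trailing": args[hit.start():].strip() if hit else "",
    }


# Constructed process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; {PowerShell}"'),
    ("ws02", r'"C:\Windows\System32\cscript.exe" "C:\Windows\System32\syncappvpublishingserver.VBS" "1;Write-Output test"'),
    ("ws03", r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs 1'),
    ("ws04", r'powershell.exe -NoProfile -Command "Get-Date; Get-Process"'),
]


def triage(events):
    """Return (host, trailing_text) for every suspicious invocation."""
    alerts = []
    for host, command_line in events:
        result = analyze(command_line)
        if result and result["suspicious"]:
            alerts.append((host, result["trailing"]))
    return alerts


if __name__ == "__main__":
    for host, trailing in triage(SAMPLE_EVENTS):
        print(f"{host}: unexpected PowerShell syntax after script name: {trailing}")
```

The same logic maps onto command-line fields in process-creation telemetry; correlating a hit with a `powershell.exe` child of `wscript.exe` or `cscript.exe` reduces false positives.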
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-02-06T16:20:41.647Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse SyncAppvPublishingServer.vbs to proxy '
'execution of malicious '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'commands. SyncAppvPublishingServer.vbs is a Visual Basic '
'script associated with how Windows virtualizes applications '
'(Microsoft Application Virtualization, or App-V).(Citation: 1 '
'- appv) For example, Windows may render Win32 applications to '
'users as virtual applications, allowing users to launch and '
'interact with them as if they were installed '
'locally.(Citation: 2 - appv)(Citation: 3 - appv)\n'
' \n'
'The SyncAppvPublishingServer.vbs script is legitimate, may be '
'signed by Microsoft, and is commonly executed from '
'`\\System32` through the command line via '
'`wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv)\n'
'\n'
'Adversaries may abuse SyncAppvPublishingServer.vbs to bypass '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'execution restrictions and evade defensive counter measures '
'by "living off the land."(Citation: 6 - appv)(Citation: 4 - '
'appv) Proxying execution may function as a trusted/signed '
'alternative to directly invoking `powershell.exe`.(Citation: '
'7 - appv)\n'
'\n'
'For example, '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'commands may be invoked using:(Citation: 5 - appv)\n'
'\n'
'`SyncAppvPublishingServer.vbs "n; {PowerShell}"`',
'external_references': [{'external_id': 'T1216.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1216/002'},
{'description': 'John Fokker. (2022, March 17). '
'Suspected DarkHotel APT activity '
'update. Retrieved February 6, 2024.',
'source_name': '4 - appv',
'url': 'https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/'},
{'description': 'Microsoft. (2022, November 3). '
'Getting started with App-V for '
'Windows client. Retrieved February '
'6, 2024.',
'source_name': '2 - appv',
'url': 'https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started'},
{'description': 'Nick Landers, Casey Smith. (n.d.). '
'/Syncappvpublishingserver.vbs. '
'Retrieved February 6, 2024.',
'source_name': '5 - appv',
'url': 'https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/'},
{'description': 'Nick Landers. (2017, August 8). Need '
'a signed alternative to '
'Powershell.exe? '
'SyncAppvPublishingServer in Win10 '
'has got you covered.. Retrieved '
'September 12, 2024.',
'source_name': '7 - appv',
'url': 'https://x.com/monoxgas/status/895045566090010624'},
{'description': 'Raj Chandel. (2022, March 17). '
'Indirect Command Execution: Defense '
'Evasion (T1202). Retrieved February '
'6, 2024.',
'source_name': '3 - appv',
'url': 'https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/'},
{'description': 'SEONGSU PARK. (2022, December 27). '
'BlueNoroff introduces new methods '
'bypassing MoTW. Retrieved February '
'6, 2024.',
'source_name': '1 - appv',
'url': 'https://securelist.com/bluenoroff-methods-bypass-motw/108383/'},
{'description': 'Strontic. (n.d.). '
'SyncAppvPublishingServer.exe. '
'Retrieved February 6, 2024.',
'source_name': '6 - appv',
'url': 'https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html'}],
'id': 'attack-pattern--e6f19759-dde3-47fc-99cc-d9f5fa4ade60',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-04-15T23:13:55.573Z',
'name': 'SyncAppvPublishingServer',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Shaul Vilkomir-Preisman'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.0'}