
Summary
The rule `SyncAppvPublishingServer Execution` detects execution of the Microsoft App-V binary `SyncAppvPublishingServer.exe`, an activity associated with threat groups such as APT28 (Fancy Bear, Tsar Team). The binary's legitimate role in Application Virtualization (App-V) is to retrieve publishing server lists, but it has gained attention as a living-off-the-land (LOLBAS) technique: it can be abused to execute PowerShell commands indirectly, evading traditional detection mechanisms that look for PowerShell being launched directly. The rule is written as a Splunk search over Windows Event Logs, specifically Event ID 4688 (process creation). It filters for events in which the executable `SyncAppvPublishingServer.exe` or its script variant `SyncAppvPublishingServer.vbs` is invoked, and collects key fields such as timestamp, host, user, and process details so that the activity can be reviewed in context. The technique falls under the Defense Evasion tactic as System Binary Proxy Execution, MITRE ATT&CK technique T1218.
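As an added illustration of the filter logic described above (this is example code written for this page, not the rule's own Splunk search), the following Python applies the same checks to a handful of constructed Event ID 4688 records: keep only process-creation events, match the image name `SyncAppvPublishingServer.exe` by basename, catch the `.vbs` variant in the command line of the script host that runs it, and return the timestamp, host, user, and process fields an analyst would want. The field names (`EventCode`, `NewProcessName`, `SubjectUserName`, `ParentProcessName`, `CommandLine`, plus Splunk's `_time` and `host`) follow the Windows Security log schema as Splunk indexes it; the sample records themselves are constructed and not real telemetry.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Image names the rule looks for, compared case-insensitively by basename.
TARGET_IMAGES = {"syncappvpublishingserver.exe", "syncappvpublishingserver.vbs"}

# key=value pairs; values may be double-quoted so that command lines keep their spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not real telemetry), flattened to one line each the way
# a Splunk forwarder would present Windows Security events after field extraction.
SAMPLE_EVENTS = [
    r'_time=2024-02-09T10:15:01Z host=WS01 EventCode=4688 SubjectUserName=alice '
    r'NewProcessName=C:\Windows\System32\SyncAppvPublishingServer.exe '
    r'ParentProcessName=C:\Windows\System32\cmd.exe CommandLine="SyncAppvPublishingServer.exe"',
    r'_time=2024-02-09T10:16:22Z host=WS02 EventCode=4688 SubjectUserName=bob '
    r'NewProcessName=C:\Windows\System32\cscript.exe ParentProcessName=C:\Windows\explorer.exe '
    r'CommandLine="cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs"',
    r'_time=2024-02-09T10:17:05Z host=WS01 EventCode=4688 SubjectUserName=alice '
    r'NewProcessName=C:\Windows\System32\notepad.exe ParentProcessName=C:\Windows\explorer.exe '
    r'CommandLine="notepad.exe"',
    # Process termination (4689) for the same binary: the rule is scoped to 4688 and must ignore it.
    r'_time=2024-02-09T10:18:40Z host=WS03 EventCode=4689 SubjectUserName=carol '
    r'ProcessName=C:\Windows\System32\SyncAppvPublishingServer.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line into a dict (quoted values allowed)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event is a process creation that invokes the App-V binary or script."""
    if event.get("EventCode") != "4688":
        return False
    # Basename comparison so a copy of the binary outside System32 still matches.
    image = ntpath.basename(event.get("NewProcessName", "")).lower()
    if image in TARGET_IMAGES:
        return True
    # The .vbs variant is launched by a script host, so it only appears in the command line.
    cmd = event.get("CommandLine", "").lower()
    return any(target in cmd for target in TARGET_IMAGES)


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and return the fields worth surfacing per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_rule(event):
            hits.append({
                "time": event.get("_time"),
                "host": event.get("host"),
                "user": event.get("SubjectUserName"),
                "process": event.get("NewProcessName"),
                "parent": event.get("ParentProcessName"),
                "command_line": event.get("CommandLine"),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed records, this flags the direct `SyncAppvPublishingServer.exe` launch from `cmd.exe` on WS01 and the `cscript.exe` launch of the `.vbs` on WS02, while ignoring the unrelated `notepad.exe` creation and the 4689 termination event. The parent process and command line are carried into each hit because they are what an analyst needs to separate App-V publishing refreshes from suspicious proxy execution.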
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
ATT&CK Techniques
- T1218
Created: 2024-02-09