APT Malware LOLBins & GTFOBins Attack users by Evading the Security System

Discussion in 'malware problems & news' started by guest, Feb 4, 2019.

  1. guest

    guest Guest

    APT Malware LOLBins & GTFOBins Attack users by Evading the Security System
    February 2, 2019
    https://gbhackers.com/apt-malware-lolbins-gtfobins-attack-users-by-evading-the-security-sysem/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as PowerShell execution via SyncAppvPublishingServer.vbs, I am sure most by now are monitoring/blocking script execution. The question is if WD, for example, monitors signed script execution via Win 10 AMSI? As far as third-party AVs, I don't believe script signing plays any part in the scanning of the script via AMSI.

    What the article didn't mention was that SyncAppvPublishingServer.exe can likewise be employed to execute PowerShell commands. You can read about that here: https://safe-cyberdefense.com/malware-can-use-powershell-without-powershell-exe/ . The article also covers a GitHub PowerShell facsimile that executes PowerShell commands via .Net usage. So OSArmor users, check whether this is covered.

    -EDIT- Also, one should always check these articles for accuracy. As far as SyncAppvPublishingServer goes, neither the script nor the executable is present in the System32 directory on my Win 10 x64 Home build. I did find them in the Servicing directory, C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.253.1.4\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.17763.194_none_4103f04b4dfa5f5a\f. Trying to run them from there resulted in a Win 10 blue popup stating they won't run on the Win 10 version I have. It appears App-V has to be installed first and the PublishingServer configured via Win PowerShell: http://virtualvibes.co.uk/installin...-and-configuring-it-with-a-publishing-server/
     
    Last edited: Feb 4, 2019
  3. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    It's funny that even the DLLs listed here https://lolbas-project.github.io are only listed because they are usable with rundll32, which is, guess what, an executable, and we know what happens when an executable goes against a properly configured anti-exe, that is, one that doesn't automatically allow stuff.
     
  4. guest

    guest Guest

    and we haven't even gotten to fileless malware, reflective DLLs and co.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I checked for the executable on Pro and Enterprise, Win10 x64 1809, and I didn't find it in the System32 directory.
     
  6. guest

    guest Guest

    of course you won't find it, it is a PoSh cmdlet...

    https://docs.microsoft.com/en-us/po...lient/sync-appvpublishingserver?view=win10-ps
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Prior to this, you would first have to:
    Again, App-V must be installed.

    -EDIT- World Wide Web Publishing service is not installed by default on any Win client OS version. It should never be installed unless a need to interface with a local web server is required.
     
    Last edited: Feb 5, 2019
  8. guest

    guest Guest

    Hunting for LoLBins
    November 13, 2019
    https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
     
  9. guest

    guest Guest

    Building a bypass with MSBuild
    Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders
    February 18, 2020

    https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Another startup execution to monitor with the HIPS:
     
  11. guest

    guest Guest

    Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution
    December 28, 2021
    SANS Internet Storm Center (ISC): Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons
     