Devtoolslauncher.exe Executes Specified Binary

 1title: Devtoolslauncher.exe Executes Specified Binary
 2id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
 3status: test
 4description: The Devtoolslauncher.exe executes other binary
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
 7    - https://twitter.com/_felamos/status/1179811992841797632
 8author: Beyu Denis, oscd.community (rule), @_felamos (idea)
 9date: 2019-10-12
10modified: 2021-11-27
11tags:
12    - attack.defense-evasion
13    - attack.t1218
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\devtoolslauncher.exe'
20        CommandLine|contains: 'LaunchForDeploy'
21    condition: selection
22falsepositives:
23    - Legitimate use of devtoolslauncher.exe by legitimate user
24level: high

References

• Devtoolslauncher on LOLBAS

  

  Devtoolslauncher.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• x.com

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE