Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Sigma rule (View on GitHub)
1title: Launch-VsDevShell.PS1 Proxy Execution
2id: 45d3a03d-f441-458c-8883-df101a3bb146
3status: test
4description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
5references:
6 - https://twitter.com/nas_bench/status/1535981653239255040
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-19
9tags:
10 - attack.defense-evasion
11 - attack.t1216.001
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_script:
17 CommandLine|contains: 'Launch-VsDevShell.ps1'
18 selection_flags:
19 CommandLine|contains:
20 - 'VsWherePath '
21 - 'VsInstallationPath '
22 condition: all of selection_*
23falsepositives:
24 - Legitimate usage of the script by a developer
25level: medium
References
Related rules
- Pubprn.vbs Proxy Execution
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern