Launch-VsDevShell.PS1 Proxy Execution

 1title: Launch-VsDevShell.PS1 Proxy Execution
 2id: 45d3a03d-f441-458c-8883-df101a3bb146
 3status: test
 4description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
 5references:
 6    - https://twitter.com/nas_bench/status/1535981653239255040
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/08/19
 9tags:
10    - attack.defense_evasion
11    - attack.t1216.001
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection_script:
17        CommandLine|contains: 'Launch-VsDevShell.ps1'
18    selection_flags:
19        CommandLine|contains:
20            - 'VsWherePath '
21            - 'VsInstallationPath '
22    condition: all of selection_*
23falsepositives:
24    - Legitimate usage of the script by a developer
25level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Pubprn.vbs Proxy Execution
• AMSI Bypass Pattern Assembly GetType
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Created And Deleted Within A Close Time Frame