---
Name: Devtoolslauncher.exe
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'felamos'
Created: 2019-10-04
Commands:
  - Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test
    Description: The above binary will execute other binary.
    Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. https://i.imgur.com/Go7rc0I.png
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7 and up with VS/VScode installed
  - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
    Description: The above binary will execute other binary.
    Usecase: Execute any binary with given arguments.
    Category: Execute
    Privileges: User
    MitreID: T1127
    OperatingSystem: Windows 7 and up with VS/VScode installed
Full_Path:
  - Path: 'c:\windows\system32\devtoolslauncher.exe'
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_devtoolslauncher.yml
  - IOC: DeveloperToolsSvc.exe spawned an unknown process
Resources:
  - Link: https://twitter.com/_felamos/status/1179811992841797632
Acknowledgement:
  - Person: felamos
    Handle: '@_felamos'
---