LOLBAS/yml/OtherMSBinaries/Devtoolslauncher.yml

34 lines
1.4 KiB
YAML
Raw Normal View History

2019-10-04 05:59:59 +02:00
---
Name: Devtoolslauncher.exe
2019-10-04 05:59:59 +02:00
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: 'felamos'
Created: 2019-10-04
2019-10-04 05:59:59 +02:00
Commands:
- Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary.
2019-10-04 06:50:38 +02:00
Usecase: Execute any binary with given arguments and it will call developertoolssvc.exe. developertoolssvc is actually executing the binary. https://i.imgur.com/Go7rc0I.png
2019-10-04 05:59:59 +02:00
Category: Execute
Privileges: User
MitreID: T1127
2019-10-04 05:59:59 +02:00
OperatingSystem: Windows 7 and up with VS/VScode installed
- Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
Description: The above binary will execute other binary.
Usecase: Execute any binary with given arguments.
Category: Execute
Privileges: User
MitreID: T1127
2019-10-04 05:59:59 +02:00
OperatingSystem: Windows 7 and up with VS/VScode installed
Full_Path:
- Path: 'c:\windows\system32\devtoolslauncher.exe'
2019-10-04 06:50:38 +02:00
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_devtoolslauncher.yml
2019-10-07 08:45:47 +02:00
- IOC: DeveloperToolsSvc.exe spawned an unknown process
2019-10-04 05:59:59 +02:00
Resources:
- Link: https://twitter.com/_felamos/status/1179811992841797632
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
---