LOLBAS/yml/OSScripts/Launch-VsDevShell.yml

31 lines
1.4 KiB
YAML
Raw Normal View History

---
Name: Launch-VsDevShell.ps1
Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet
Author: 'Nasreddine Bencherchali'
Created: 2022-06-13
Commands:
- Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath "C:\windows\system32\calc.exe"'
Description: Execute binaries from the context of the signed script using the "VsWherePath" flag.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
- Command: 'powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"'
Description: Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.
Usecase: Proxy execution
Category: Execute
Privileges: User
MitreID: T1216
OperatingSystem: Windows 10, Windows 11
Full_Path:
- Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
- Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
Resources:
- Link: https://twitter.com/nas_bench/status/1535981653239255040
Acknowledgement:
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'