From 48ed8f79142b7f18c04741bc48aebc7ab94fb9bb Mon Sep 17 00:00:00 2001
From: Ayush Sahay <47629256+felamos@users.noreply.github.com>
Date: Fri, 4 Oct 2019 09:29:59 +0530
Subject: [PATCH] Create devtoolslauncher.yml

---
 yml/OtherMSBinaries/devtoolslauncher.yml | 32 ++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 yml/OtherMSBinaries/devtoolslauncher.yml

diff --git a/yml/OtherMSBinaries/devtoolslauncher.yml b/yml/OtherMSBinaries/devtoolslauncher.yml
new file mode 100644
index 0000000..3aadc96
--- /dev/null
+++ b/yml/OtherMSBinaries/devtoolslauncher.yml
@@ -0,0 +1,32 @@
+---
+Name: devtoolslauncher.exe
+Description: Binary will execute specified binary. Part of VS/VScode installation.
+Author: 'felamos'
+Created: '2019-10-04'
+Commands:
+  - Command: devtoolslauncher.exe LaunchForDeploy [PATH_TO_BIN] "argument here" test
+    Description: The above binary will execute other binary.
+    Usecase: Execute any binary with given arguments.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with VS/VScode installed
+  - Command: devtoolslauncher.exe LaunchForDebug [PATH_TO_BIN] "argument here" test
+    Description: The above binary will execute other binary.
+    Usecase: Execute any binary with given arguments.
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    MitreLink: https://attack.mitre.org/techniques/T1218/
+    OperatingSystem: Windows 7 and up with VS/VScode installed
+Full_Path:
+  - Path: 'c:\windows\system32\devtoolslauncher.exe'
+Detection:
+  - IOC: devtoolslauncher.exe spawned an unknown process
+Resources:
+  - Link: https://twitter.com/_felamos/status/1179811992841797632
+Acknowledgement:
+  - Person: felamos
+    Handle: '@_felamos'
+---
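Review bot: The Full_Path entry `c:\windows\system32\devtoolslauncher.exe` is at odds with the Description and OperatingSystem fields, which tie the binary to a VS/VScode installation; a binary installed by Visual Studio would not normally be dropped into System32, so either the path or the "Part of VS/VScode installation" claim should be corrected, and the origin should be stated so defenders know whether to expect it on a stock image. The Detection IOC `devtoolslauncher.exe spawned an unknown process` is too vague to turn into a rule; the hunk itself shows the usable signal, so something like `- IOC: devtoolslauncher.exe as parent process, command line containing LaunchForDeploy or LaunchForDebug with a non-VS child binary` would be actionable. The trailing `test` token in both Command lines is never explained; a short note on what each positional argument is would help anyone reproducing or tuning a detection for this entry.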