Techniques
Sample rules
Launch-VsDevShell.PS1 Proxy Execution
- source: sigma
- techniques:
  - t1216
  - t1216.001
Description
Detects the use of the ‘Launch-VsDevShell.ps1’ Microsoft signed script to execute commands.
Detection logic
condition: all of selection_*
selection_flags:
  CommandLine|contains:
    - 'VsWherePath '
    - 'VsInstallationPath '
selection_script:
  CommandLine|contains: Launch-VsDevShell.ps1