.. / Launch-VsDevShell.ps1
Star

Execute

Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet

Paths:

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1

Resources:

https://twitter.com/nas_bench/status/1535981653239255040

Acknowledgements:

Nasreddine Bencherchali (@nas_bench)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/6199a703221a98ae6ad343c79c558da375203e4e/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml

Execute

Execute binaries from the context of the signed script using the "VsWherePath" flag.

powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsWherePath "C:\windows\system32\calc.exe"

Usecase: Proxy execution
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1216

Execute binaries and commands from the context of the signed script using the "VsInstallationPath" flag.

powershell -ep RemoteSigned -f .\Launch-VsDevShell.ps1 -VsInstallationPath "/../../../../../; calc.exe ;"

Usecase: Proxy execution
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1216

.. / Launch-VsDevShell.ps1 Star

Execute

.. / Launch-VsDevShell.ps1
Star