Devtoolslauncher.exe Executes Specified Binary


Rule name: Devtoolslauncher.exe Executes Specified Binary

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: System Binary Proxy Execution (T1218)

Severity: Critical

About the rule

Rule Type: Standard

Rule Description: Detects devtoolslauncher.exe, a Windows-native binary catalogued by the LOLBAS project, being used to start another executable through its LaunchForDeploy argument. The launched program runs as a child of a trusted Windows binary, so the technique can proxy execution of an arbitrary payload past naive application allow-listing (ATT&CK T1218, System Binary Proxy Execution).

Severity: Critical

Rule journey

Attack chain scenario

Initial access → Payload delivery → devtoolslauncher.exe abused as a launcher (LaunchForDeploy) → Payload executed under a trusted parent → Privilege escalation → Persistence established

Impact

  • Stealthy execution
  • Defense evasion
  • Privilege abuse
  • Malware deployment

Rule Requirement

Prerequisites

  • Using the Windows Security event log (Event ID 4688):

Log in to a domain controller with domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the OU that contains the monitored hosts, then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking. Enable Audit Process Creation and Audit Process Termination for "Success". Event 4688 carries no command line by default, so the rule's LaunchForDeploy test cannot match until you also enable Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events"; this sets the registry value ProcessCreationIncludeCmdLine_Enabled = 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit. Be aware that command lines are then recorded in clear text in the Security log, including any credentials passed as arguments.

  • Using Sysmon (Event ID 1):

Download Sysmon from Microsoft Sysinternals and install it from an elevated prompt with a configuration file whose <ProcessCreate> filter captures every process creation (an empty onmatch="exclude" filter excludes nothing). Events are written to the Microsoft-Windows-Sysmon/Operational event log channel; there is no registry key to create, the installer registers the channel and the driver itself. Make sure your log collector forwards that channel. Sysmon Event ID 1 always includes the full command line, parent image and file hashes, which makes it the preferred source for this rule where it is available.
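The two prerequisite procedures above as one script, added here as an example; it is not part of the original rule page or the rule author's material. It configures a single host directly with auditpol.exe, the registry and Sysmon instead of a GPO (in a domain, a GPO will overwrite the local auditpol settings at the next policy refresh, so use the GPO path described above there). The locations C:\Tools\Sysmon64.exe and C:\Tools\sysmon-processcreate.xml are assumptions.

```powershell
# Added example: enable the telemetry this rule consumes on one host.
# Run from an elevated PowerShell session. Paths under C:\Tools are assumptions.

# 1. Security log, Event IDs 4688 (Process Creation) and 4689 (Process Termination).
#    These are the "Detailed Tracking" subcategories from the GPO procedure.
auditpol.exe /set /subcategory:"Process Creation" /success:enable
auditpol.exe /set /subcategory:"Process Termination" /success:enable

# 2. Put the command line into 4688. Without this value the event carries no
#    CommandLine field and the rule's "LaunchForDeploy" test can never match.
#    Same effect as the GPO setting "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Sysmon: a minimal configuration that logs every ProcessCreate (Event ID 1)
#    to the Microsoft-Windows-Sysmon/Operational channel. An empty "exclude"
#    filter excludes nothing, so all process creations are recorded.
$sysmonExe    = 'C:\Tools\Sysmon64.exe'                # assumption: unpacked Sysinternals Sysmon
$sysmonConfig = 'C:\Tools\sysmon-processcreate.xml'    # assumption: where the config is written
@'
<Sysmon schemaversion="4.30">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $sysmonConfig -Encoding ASCII

if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmonExe -c $sysmonConfig               # already installed: reload the configuration
} else {
    & $sysmonExe -accepteula -i $sysmonConfig   # first install: registers service, driver and log channel
}

# 4. Verify: subcategories on, command-line value set, and both channels producing events.
auditpol.exe /get /subcategory:"Process Creation"
(Get-ItemProperty -Path $auditKey).ProcessCreationIncludeCmdLine_Enabled
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```

If the last two commands return nothing, the channel is not producing events yet (Sysmon needs a process to start after installation; 4688 needs the audit policy to be effective, which a domain GPO can override).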

Criteria

Action1: actionname = "Process started" AND PROCESSNAME endswith "\devtoolslauncher.exe" AND COMMANDLINE contains "LaunchForDeploy" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
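The criteria above as a PowerShell predicate, first exercised against constructed sample events and then applied to live Security 4688 and Sysmon Event ID 1 records from the two sources the prerequisites set up. This is an added example, not code from the original page or the rule author; the sample events are constructed, and the function names are this example's own.

```powershell
# Added example: the rule's criteria in PowerShell, over constructed samples and live logs.

function Test-DevToolsLauncherAbuse {
    # Same logic as the rule: image ends with \devtoolslauncher.exe AND the
    # command line contains LaunchForDeploy. -like is case-insensitive, which
    # matches how the rule engine's endswith/contains behave on Windows paths.
    param(
        [AllowEmptyString()][string]$ProcessName,
        [AllowEmptyString()][string]$CommandLine
    )
    return ($ProcessName -like '*\devtoolslauncher.exe') -and ($CommandLine -like '*LaunchForDeploy*')
}

# Constructed sample events (not real telemetry). Field names follow the rule's criteria.
$samples = @(
    [pscustomobject]@{ HostName = 'WS01'; UserName = 'CORP\alice'; ParentProcessName = 'C:\Windows\explorer.exe'
        ProcessName = 'C:\Windows\System32\devtoolslauncher.exe'
        CommandLine = 'DevToolsLauncher.exe LaunchForDeploy C:\Users\alice\AppData\Local\Temp\update.exe "-s"' }  # payload launched from Temp
    [pscustomobject]@{ HostName = 'WS01'; UserName = 'CORP\alice'; ParentProcessName = 'C:\Windows\explorer.exe'
        ProcessName = 'C:\Windows\System32\devtoolslauncher.exe'
        CommandLine = 'DevToolsLauncher.exe /?' }                                                                  # image only, no deploy argument
    [pscustomobject]@{ HostName = 'WS02'; UserName = 'CORP\bob'; ParentProcessName = 'C:\Windows\System32\cmd.exe'
        ProcessName = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe LaunchForDeploy.txt' }                                                          # argument substring, wrong image
    [pscustomobject]@{ HostName = 'SRV01'; UserName = 'NT AUTHORITY\SYSTEM'; ParentProcessName = 'C:\Windows\System32\services.exe'
        ProcessName = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'svchost.exe -k netsvcs' }                                                                   # unrelated
)
$samples | Where-Object { Test-DevToolsLauncherAbuse -ProcessName $_.ProcessName -CommandLine $_.CommandLine } |
    Select-Object HostName, UserName, ParentProcessName, ProcessName, CommandLine

function ConvertFrom-EventData {
    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable keyed by Name.
    param($Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-DevToolsLauncherEvents {
    # Apply the same predicate to live telemetry and return the rule's selected fields.
    param([int]$LookbackHours = 24)
    $start = (Get-Date).AddHours(-$LookbackHours)
    $hits  = @()

    # Security 4688: NewProcessName/CommandLine/ParentProcessName; CommandLine is empty
    # unless "Include command line in process creation events" is enabled.
    foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } -ErrorAction SilentlyContinue)) {
        $f = ConvertFrom-EventData $e
        if (Test-DevToolsLauncherAbuse -ProcessName $f['NewProcessName'] -CommandLine $f['CommandLine']) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security/4688'; HostName = $e.MachineName
                UserName = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"; ParentProcessName = $f['ParentProcessName']
                ProcessName = $f['NewProcessName']; CommandLine = $f['CommandLine'] }
        }
    }

    # Sysmon Event ID 1: Image/CommandLine/ParentImage/User are always populated.
    foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $start } -ErrorAction SilentlyContinue)) {
        $f = ConvertFrom-EventData $e
        if (Test-DevToolsLauncherAbuse -ProcessName $f['Image'] -CommandLine $f['CommandLine']) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon/1'; HostName = $e.MachineName
                UserName = $f['User']; ParentProcessName = $f['ParentImage']
                ProcessName = $f['Image']; CommandLine = $f['CommandLine'] }
        }
    }
    return $hits
}

Find-DevToolsLauncherEvents -LookbackHours 24 | Format-Table -AutoSize
```

Of the four constructed samples only the first satisfies both conditions; the second fails the argument test and the third fails the image test, which is the point of requiring both. When triaging a live hit, the parent process and the path of the binary named after LaunchForDeploy are the fields that separate a developer deploying to a device from a payload staged in a user-writable directory.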

Detection

Execution Mode

Real-time

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: System Binary Proxy Execution (T1218)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

1. NIST SP 800-53 SI-4 – System Monitoring

Requires continuous monitoring of systems to detect and respond to suspicious activities.
Enabling this rule gives visibility into binaries launched through devtoolslauncher.exe, helping detect unauthorized or suspicious execution.

2. NIST SP 800-53 AC-2 – Account Management

Ensures only authorized users execute programs or access systems.
Each alert records the account that performed the launch, so analysts can check whether the execution was performed by an authorized developer account.

3. NIST SP 800-53 CM-6 – Configuration Settings

Mandates enforcement of security configuration settings for systems.
Alerts from this rule highlight deviations from expected tool usage, allowing administrators to realign system behavior with baseline configurations.

4. NIST SP 800-53 AU-6 – Audit Review, Analysis, and Reporting

Calls for timely review and analysis of audit records.
The rule surfaces devtoolslauncher.exe activity from the audit logs for review, aiding forensic analysis and compliance reporting.

5. NIST SP 800-171 3.1.7 – Prevent Non-Privileged Users from Executing Privileged Functions

Requires that non-privileged users cannot execute privileged functions and that the execution of such functions is captured in audit logs.
This rule helps detect binaries launched via devtoolslauncher.exe by non-privileged or unauthorized users and records the event for audit.

Author

Beyu Denis, oscd.community (rule), @_felamos (idea)

Future actions

Known False Positives

This rule fires on any use of devtoolslauncher.exe with the LaunchForDeploy argument, including legitimate use by developers deploying applications to a device. Confirm the launched binary and its path, the user and the parent process before escalating; devtoolslauncher.exe is rarely used outside development workstations, so a match on a server or on a non-developer host should be treated as suspicious.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the host's network connections and terminate the process launched through devtoolslauncher.exe.
  4. Containment: Isolate the affected host from the network to prevent further execution or lateral movement of potentially malicious binaries.
  5. Eradication: Remove unauthorized or malicious binaries executed via devtoolslauncher.exe, and restore affected systems to a known good state.

Mitigation

Mitigation ID and name, followed by its description:

M1042 Disable or Remove Feature or Program

Several native binaries may be unnecessary in specific environments and can be safely disabled or removed to reduce the attack surface.

M1038 Execution Prevention

Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.

M1050 Exploit Protection

Attack Surface Reduction (ASR) rules can be used to block methods of using trusted binaries to bypass application control. ASR originated in Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is end of life; on supported Windows versions the feature is provided by Microsoft Defender Exploit Guard.

M1037 Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

M1026 Privileged Account Management

Limit the execution of high-risk binaries to specific privileged accounts or groups that require access, reducing the chances of unauthorized or malicious use.

M1021 Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
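One way to apply M1038 (Execution Prevention) to this binary, added here as an example rather than taken from the page or from ATT&CK: an AppLocker path rule that denies devtoolslauncher.exe for everyone, merged into the existing local policy. The path %SYSTEM32%\devtoolslauncher.exe is an assumption, so the script checks it with Test-Path first; the rule name and the temporary file name are this example's own.

```powershell
# Added example: AppLocker deny rule for devtoolslauncher.exe (M1038). Run elevated.

$target = 'C:\Windows\System32\devtoolslauncher.exe'   # assumption: confirm on your build
if (-not (Test-Path $target)) {
    Write-Warning "$target is not present on this host; the rule will be inert here"
}

# FilePathRule with Action="Deny" for S-1-1-0 (Everyone). AppLocker evaluates deny
# rules before allow rules, so this wins even if a broad allow rule covers System32.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny devtoolslauncher.exe (T1218)"
                  Description="Blocks LaunchForDeploy proxy execution" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\devtoolslauncher.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-devtoolslauncher.xml'   # example file name
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# AppLocker enforces nothing unless the Application Identity service runs.
# AppIDSvc is a protected service on current Windows, so configure it with sc.exe
# (Set-Service -StartupType is refused with "Access is denied").
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge keeps the rules already in the local policy. Without the default allow
# rules, an Exe collection that contained only this deny rule would block every
# other executable once enforcement is on. To stage safely, set EnforcementMode
# to "AuditOnly" first and watch Event ID 8003 in the AppLocker/EXE and DLL log.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Verify: the effective policy should report the binary as denied for Everyone.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $target -User 'Everyone'
```

Test-AppLockerPolicy reports PolicyDecision for the path without executing it, so the check can be run on a reference host before the policy is rolled out through GPO.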