Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Sigma rule (View on GitHub)
1title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
2id: a20391f8-76fb-437b-abc0-dba2df1952c6
3related:
4 - id: 65c3ca2c-525f-4ced-968e-246a713d164f
5 type: similar
6status: test
7description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
8references:
9 - https://twitter.com/mrd0x/status/1463526834918854661
10 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
11author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
12date: 2022-01-11
13modified: 2023-04-11
14tags:
15 - attack.execution
16 - attack.defense-evasion
17 - attack.t1218
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 ParentImage|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
24 condition: selection
25falsepositives:
26 - Legitimate use by developers as part of NodeJS development with Visual Studio Tools
27level: medium
References
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Binary Proxy Execution Via Dotnet-Trace.EXE