Visual Studio NodejsTools PressAnyKey Renamed Execution
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Sigma rule (View on GitHub)
1title: Visual Studio NodejsTools PressAnyKey Renamed Execution
2id: 65c3ca2c-525f-4ced-968e-246a713d164f
3related:
4 - id: a20391f8-76fb-437b-abc0-dba2df1952c6
5 type: similar
6status: test
7description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
8references:
9 - https://twitter.com/mrd0x/status/1463526834918854661
10 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
11author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
12date: 2023-04-11
13tags:
14 - attack.execution
15 - attack.defense-evasion
16 - attack.t1218
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'
23 filter_main_legit_name:
24 Image|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Unknown
28level: medium
References
-
VisualStudio NodejsTools PressAnyKey Arbitrary Binary Execution - Microsoft.NodejsTools.PressAnyKey.md
Read More
Related rules
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Created Files by Microsoft Sync Center