← Back to Explore
sigmamediumHunting
Visual Studio NodejsTools PressAnyKey Renamed Execution
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Detection Query
selection:
OriginalFileName: Microsoft.NodejsTools.PressAnyKey.exe
filter_main_legit_name:
Image|endswith: \Microsoft.NodejsTools.PressAnyKey.exe
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Created
2023-04-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.stealthattack.t1218
Raw Content
title: Visual Studio NodejsTools PressAnyKey Renamed Execution
id: 65c3ca2c-525f-4ced-968e-246a713d164f
related:
- id: a20391f8-76fb-437b-abc0-dba2df1952c6
type: similar
status: test
description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
references:
- https://twitter.com/mrd0x/status/1463526834918854661
- https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-11
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'
filter_main_legit_name:
Image|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium