security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

29 lines
1001 B
YAML
Raw Blame History

title: Visual Studio NodejsTools PressAnyKey Renamed Execution
id: 65c3ca2c-525f-4ced-968e-246a713d164f
related:
- id: a20391f8-76fb-437b-abc0-dba2df1952c6
type: similar
status: test
description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
references:
- https://twitter.com/mrd0x/status/1463526834918854661
- https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-11
tags:
- attack.execution
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'
filter_main_legit_name:
Image|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink