LoFP / legitimate use by developers as part of nodejs development with visual studio tools

Techniques

• t1218

Sample rules

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution

• source: sigma
• technicques:
  • t1218

Description

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

Detection logic

condition: selection
selection:
  ParentImage|endswith: \Microsoft.NodejsTools.PressAnyKey.exe