Microsoft.NodejsTools.PressAnyKey.exe

Part of the NodeJS Visual Studio tools.

Paths

• C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
• C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe

Commands

Execute

Launch specified executable as a subprocess of Microsoft.NodejsTools.PressAnyKey.exe.

Use case: Spawn a new process via Microsoft.NodejsTools.PressAnyKey.exe.

Privileges: User

Microsoft.NodejsTools.PressAnyKey.exe normal 1 {PATH:.exe}

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml

Resources

• https://twitter.com/mrd0x/status/1463526834918854661