Potential Process Injection Via Msra.EXE

calendar Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1055  ·
Share on: linkedin copy

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Sigma rule (View on GitHub)

 1title: Potential Process Injection Via Msra.EXE
 2id: 744a188b-0415-4792-896f-11ddb0588dbc
 3status: test
 4description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
 5references:
 6    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
 7    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
 8author: Alexander McDonald
 9date: 2022-06-24
10modified: 2023-02-03
11tags:
12    - attack.privilege-escalation
13    - attack.defense-evasion
14    - attack.t1055
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        ParentImage|endswith: '\msra.exe'
21        ParentCommandLine|endswith: 'msra.exe'
22        Image|endswith:
23            - '\arp.exe'
24            - '\cmd.exe'
25            - '\net.exe'
26            - '\netstat.exe'
27            - '\nslookup.exe'
28            - '\route.exe'
29            - '\schtasks.exe'
30            - '\whoami.exe'
31    condition: selection
32falsepositives:
33    - Legitimate use of Msra.exe
34level: high

References

Related rules

to-top