Potential Process Injection Via Msra.EXE

calendar Aug 12, 2024 · attack.defense-evasion attack.t1055  ·
Share on: linkedin copy

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Sigma rule (View on GitHub)

 1title: Potential Process Injection Via Msra.EXE
 2id: 744a188b-0415-4792-896f-11ddb0588dbc
 3status: test
 4description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
 5references:
 6    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
 7    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
 8author: Alexander McDonald
 9date: 2022-06-24
10modified: 2023-02-03
11tags:
12    - attack.defense-evasion
13    - attack.t1055
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\msra.exe'
20        ParentCommandLine|endswith: 'msra.exe'
21        Image|endswith:
22            - '\arp.exe'
23            - '\cmd.exe'
24            - '\net.exe'
25            - '\netstat.exe'
26            - '\nslookup.exe'
27            - '\route.exe'
28            - '\schtasks.exe'
29            - '\whoami.exe'
30    condition: selection
31falsepositives:
32    - Legitimate use of Msra.exe
33level: high

References

Related rules

to-top