← Back to Explore
sigmahighHunting
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
Detection Query
selection:
ParentImage|endswith: \msra.exe
ParentCommandLine|endswith: msra.exe
Image|endswith:
- \arp.exe
- \cmd.exe
- \net.exe
- \netstat.exe
- \nslookup.exe
- \route.exe
- \schtasks.exe
- \whoami.exe
condition: selection
Author
Alexander McDonald
Created
2022-06-24
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1055
Raw Content
title: Potential Process Injection Via Msra.EXE
id: 744a188b-0415-4792-896f-11ddb0588dbc
status: test
description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
references:
- https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
- https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
author: Alexander McDonald
date: 2022-06-24
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\msra.exe'
ParentCommandLine|endswith: 'msra.exe'
Image|endswith:
- '\arp.exe'
- '\cmd.exe'
- '\net.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\route.exe'
- '\schtasks.exe'
- '\whoami.exe'
condition: selection
falsepositives:
- Legitimate use of Msra.exe
level: high