Potential Process Injection Via Msra.EXE
- source: sigma
- techniques:
- t1055
Description
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking for suspicious child processes spawned from that process. Msra.exe has been targeted by many threat actors and used for discovery and persistence tactics.
Detection logic
condition: selection
selection:
  Image|endswith:
    - \arp.exe
    - \cmd.exe
    - \net.exe
    - \netstat.exe
    - \nslookup.exe
    - \route.exe
    - \schtasks.exe
    - \whoami.exe
  ParentCommandLine|endswith: msra.exe
  ParentImage|endswith: \msra.exe
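As an added example, not code from the rule or from the Sigma project, the selection above evaluated in Python over constructed Sysmon process-creation records; the field names come from the rule, while the sample events and the Sysmon-style layout are assumptions.

```python
# Added example, not from the Sigma rule or project: evaluate the rule's
# selection over constructed Sysmon Event ID 1 (process creation) records.
# Sigma semantics applied here: values in a list are OR'd, separate fields
# are AND'd, and string matching is case-insensitive.

SELECTION = {
    "Image|endswith": [
        "\\arp.exe", "\\cmd.exe", "\\net.exe", "\\netstat.exe",
        "\\nslookup.exe", "\\route.exe", "\\schtasks.exe", "\\whoami.exe",
    ],
    "ParentCommandLine|endswith": "msra.exe",
    "ParentImage|endswith": "\\msra.exe",
}

def field_matches(event, spec, values):
    """True if event[field] satisfies 'field|modifier' for any of the values."""
    field, modifier = spec.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    if isinstance(values, str):
        values = [values]
    if modifier != "endswith":
        raise ValueError(f"modifier not implemented here: {modifier}")
    return any(actual.lower().endswith(v.lower()) for v in values)

def selection_matches(event, selection=SELECTION):
    """The rule's condition is just 'selection', so every field must match."""
    return all(field_matches(event, s, v) for s, v in selection.items())

def matching_events(events):
    return [e for e in events if selection_matches(e)]

# Constructed sample events (not real telemetry).
MSRA = "C:\\Windows\\System32\\msra.exe"
EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": MSRA, "ParentCommandLine": MSRA},  # hit
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\explorer.exe"},  # parent is not msra.exe
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": MSRA, "ParentCommandLine": MSRA},  # child not listed
    {"Image": "C:\\WINDOWS\\SYSTEM32\\NET.EXE", "ParentImage": MSRA.upper(),
     "ParentCommandLine": MSRA.upper()},  # case-insensitive hit
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": MSRA,
     "ParentCommandLine": MSRA + " /offerRA"},  # arguments after msra.exe: the endswith check fails
]

if __name__ == "__main__":
    for e in matching_events(EVENTS):
        print("match:", e["ParentImage"], "->", e["Image"])
```

The last sample shows a consequence of the rule as written: because ParentCommandLine is matched with endswith, a parent whose command line carries arguments after msra.exe does not satisfy the selection even though ParentImage does.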