detection.wiki

Detection rules › Sigma

Potential Process Injection Via Msra.EXE

Severity
high
Author
Alexander McDonald
Source
upstream

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1055 Process Injection
Defense EvasionT1055 Process Injection

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\arp.exe'
Image|endswith: '\cmd.exe'
Image|endswith: '\net.exe'
Image|endswith: '\netstat.exe'
Image|endswith: '\nslookup.exe'
Image|endswith: '\route.exe'
Image|endswith: '\schtasks.exe'
Image|endswith: '\whoami.exe'
ParentCommandLine|endswith: msra.exe
ParentImage|endswith: '\msra.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \arp.exe corpus 3 (sigma 3)
  • \cmd.exe corpus 92 (sigma 92)
  • \net.exe corpus 27 (sigma 27)
  • \netstat.exe corpus 5 (sigma 5)
  • \nslookup.exe corpus 4 (sigma 4)
  • \route.exe
  • \schtasks.exe corpus 45 (sigma 45)
  • \whoami.exe corpus 18 (sigma 18)
ParentCommandLineends_with
  • msra.exe
ParentImageends_with
  • \msra.exe