Merge pull request #3161 from alexmcdonald1124/msra-injection

Msra.exe process injection rule

rules/windows/process_creation/proc_creation_win_msra_process_injection.yml

@@ -0,0 +1,32 @@
+title: Msra.exe Process Injection
+id: 744a188b-0415-4792-896f-11ddb0588dbc
+status: experimental
+description: Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics
+author: Alexander McDonald
+date: 2022/06/24
+references:
+    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
+    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\msra.exe'
+        ParentCommandLine|endswith: 'msra.exe'
+        Image|endswith:
+            - '\arp.exe'
+            - '\cmd.exe'
+            - '\net.exe'
+            - '\netstat.exe'
+            - '\nslookup.exe'
+            - '\route.exe'
+            - '\schtasks.exe'
+            - '\whoami.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of Msra.exe
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1055