Injection into trusted process -- Detections


tgr
Go to solution Solved by itman,

Recommended Posts

Hello

We have the following detections from time to time:

Detection: Injection into trusted process

Triggering process: excel.exe

Event: CodeInjection msrdc.exe

The Triggering process can also be outlook.exe or winword.exe.

But we don't understand how these detections are triggered.

The msrdc.exe process has a connection to the local WSL (Windows Subsystem for Linux). But why does it generate these detections when an Excel file is opened or an Outlook mail is opened?
WSL runs in the background and actually has nothing to do with this.

Can you help me please?

Thanks!

  • Solution

First, what is msrdc.exe?

Quote

MSRDC.exe is a process belonging to the Microsoft Remote Desktop Connection software.

It's responsible for allowing users to remotely connect to other computers or virtual machines. This tool enables users to access and control a remote desktop over a network connection. It is commonly used in business and enterprise environments to provide IT support, work remotely, and access resources on a main office network.

https://spyshelter.com/exe/microsoft-corporation-msrdc-exe

Appears MS Office apps are trying to modify RDP to establish a remote connection to something? Doesn't appear to be legit activity to me.


So there are also other processes (for example Visual Studio Code) that trigger this detection.

So you mean something is not as it should be?


  • Most Valued Members
Posted (edited)
1 hour ago, tgr said:

So there are also other processes (for example Visual Studio Code) that trigger this detection.

So you mean something is not as it should be?

Is your Office cracked? If it is, then I would get rid of it personally.

As itman said, MSRDC is RDP; if you put msrdc in the Run command, it will open the Remote Desktop Connection window.

Edited by Nightowl

Ok, I think it has something to do with WSL. When it is open as a terminal, these detections are generated. When the WSL terminal is closed, no detections are generated.

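One way a defender can triage an "Injection into trusted process" alert that names msrdc.exe, as an added example (this is not code from the thread, from ESET, or from Microsoft): confirm the msrdc.exe binary on disk is the genuine Microsoft-signed one and see which process launched it, then list the WSL and terminal processes that were running at the time, since the poster observes the alerts only while a WSL terminal is open. The cmdlets are standard Windows PowerShell; the WSL process names in the second half (wsl.exe, wslhost.exe, wslservice.exe, WindowsTerminal.exe) are assumptions based on stock Windows components and may need adjusting for your build.

```powershell
# Added triage script (not from the thread). Requires Windows PowerShell 5.1+
# and an elevated prompt so that ExecutablePath is readable for processes
# owned by other users.

# 1. Every running msrdc.exe: on-disk path, Authenticode signature, and parent.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'msrdc.exe'"
if (-not $procs) { Write-Host "No msrdc.exe is currently running." }

foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    # Get-AuthenticodeSignature checks the signature of the file on disk, not the
    # in-memory image; a valid Microsoft signature plus an expected install path
    # is the first thing to confirm before digging into the injection itself.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        SigStatus   = $sig.Status                     # expect "Valid"
        Signer      = $sig.SignerCertificate.Subject   # expect CN=Microsoft Corporation, ...
        ParentPID   = $p.ParentProcessId
        ParentName  = $parent.Name
        ParentPath  = $parent.ExecutablePath
        Started     = $p.CreationDate
    }
}

# 2. WSL / terminal processes and their parents, to correlate with the
#    "only while a WSL terminal is open" observation. Process names are
#    assumptions for stock Windows components; edit the pattern if yours differ.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(wsl|wslhost|wslservice|WindowsTerminal)\.exe$' } |
    ForEach-Object {
        $par = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [PSCustomObject]@{
            PID        = $_.ProcessId
            Name       = $_.Name
            Path       = $_.ExecutablePath
            ParentPID  = $_.ParentProcessId
            ParentName = $par.Name
            Started    = $_.CreationDate
        }
    } | Format-Table -AutoSize
```

What to look for in the output: SigStatus should be Valid with a Microsoft Corporation signer and the path under a normal install location; a parent such as a terminal or WSL host process is consistent with the poster's observation, while an msrdc.exe launched from an unexpected path, unsigned, or parented by an Office application would be worth escalating rather than treating the alert as noise.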
