Windows Remote Assistance Spawning Process

Splunk Security Content

Summary
This analytic rule detects instances of Microsoft Remote Assistance (msra.exe) spawning either PowerShell.exe or cmd.exe as a child process. It uses EDR process-creation telemetry and matches events in which msra.exe is the parent process. msra.exe does not normally launch command-line interpreters, so this parent/child pairing is a strong indicator of process injection into msra.exe or other misuse of the binary. If malicious, the technique could allow an attacker to execute arbitrary commands, elevate privileges, or establish persistence on the compromised host. The rule relies on data sources such as Sysmon EventID 1 and Windows Security Event Log 4688 to identify this activity.
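The parent/child check described above, written out as an added Python example rather than the rule's own Splunk search: it normalises Sysmon EventID 1 (ParentImage/Image) and Security 4688 (ParentProcessName/NewProcessName) records onto one schema, compares the file names case-insensitively, and flags msra.exe spawning powershell.exe or cmd.exe. The event records are constructed for illustration and are not real telemetry.

```python
import ntpath

# Constructed sample process-creation records, not captured data.
# Sysmon EventID 1 carries Image/ParentImage; Security 4688 carries
# NewProcessName/ParentProcessName, so both field sets appear here.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\msra.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden"},
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\System32\MSRA.EXE",   # mixed case on purpose
     "NewProcessName": r"C:\Windows\System32\CMD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS03",
     "ParentImage": r"C:\Windows\System32\msra.exe",
     "Image": r"C:\Windows\System32\msra.exe",   # msra.exe relaunching itself is expected behaviour
     "CommandLine": "msra.exe /offerRA"},
    {"EventID": 4688, "Computer": "WS04",
     "ParentProcessName": r"C:\Users\bob\AppData\Local\Temp\msra.exe.bak",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]

# Child process names the rule treats as command-line interpreters.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe"}


def normalise(event):
    """Map a Sysmon EID 1 or Security 4688 record onto one field set.

    Returns None for event types the rule does not consume.
    """
    if event.get("EventID") == 1:
        parent, child = event.get("ParentImage", ""), event.get("Image", "")
    elif event.get("EventID") == 4688:
        parent = event.get("ParentProcessName", "")
        child = event.get("NewProcessName", "")
    else:
        return None
    return {
        "computer": event.get("Computer", ""),
        # Compare on the file name only, lower-cased, so path and case
        # differences between the two log sources do not matter.
        "parent_name": ntpath.basename(parent).lower(),
        "child_name": ntpath.basename(child).lower(),
        "command_line": event.get("CommandLine", ""),
    }


def is_msra_spawning_shell(norm):
    """The detection condition: exact parent name msra.exe, shell child."""
    return (norm["parent_name"] == "msra.exe"
            and norm["child_name"] in SUSPICIOUS_CHILDREN)


def detect(events):
    """Return the normalised records that satisfy the detection."""
    hits = []
    for event in events:
        norm = normalise(event)
        if norm is not None and is_msra_spawning_shell(norm):
            hits.append(norm)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['parent_name']} -> {hit['child_name']} "
              f"({hit['command_line']})")
```

Exact matching on the parent file name means a renamed or differently named copy (the `msra.exe.bak` record above) is deliberately not flagged; the rule is about the legitimate msra.exe binary behaving abnormally, and broader renamed-binary coverage belongs to a separate detection.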
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1055
Created: 2024-12-10