Suspicious WSMAN Provider Image Loads

Detects image loads of the WSMAN provider DLLs by uncommon processes, a sign of potential local use of the WSMAN provider or of remote execution over WinRM.

Sigma rule

```yaml
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-02-26
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    request_client:
        - ImageLoaded|endswith:
              - '\WsmSvc.dll'
              - '\WsmAuto.dll'
              - '\Microsoft.WSMan.Management.ni.dll'
        - OriginalFileName:
              - 'WsmSvc.dll'
              - 'WSMANAUTOMATION.DLL'
              - 'Microsoft.WSMan.Management.dll'
    respond_server:
        Image|endswith: '\svchost.exe'
        OriginalFileName: 'WsmWmiPl.dll'
    filter_general:
        Image|endswith:
            - '\powershell.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\services.exe'
    filter_svchost: # not available in Sysmon data, but Aurora logs
        CommandLine|contains:
            - 'svchost.exe -k netsvcs -p -s BITS'
            - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
            - 'svchost.exe -k NetworkService -p -s Wecsvc'
            - 'svchost.exe -k netsvcs'
    filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\mscorsvw.exe'
    filter_svr_2019:
        Image:
            - 'C:\Windows\System32\Configure-SMRemoting.exe'
            - 'C:\Windows\System32\ServerManager.exe'
    filter_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
    filter_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_ps_ise:
        Image|endswith: '\powershell_ise.exe'
    filter_upgrade:
        Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
    svchost:
        Image|endswith: '\svchost.exe'
    commandline_null:
        CommandLine: null
    condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
    - Unknown
level: medium
```
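To make the condition concrete, the following is an added Python evaluator (not part of the Sigma project or this rule's author's work) that applies the selections, the `not 1 of filter*` exclusions and the svchost/null-CommandLine guard to constructed image_load events; it assumes Sigma's case-insensitive string matching and models `CommandLine: null` as a missing field.

```python
# Added example: evaluate this rule's detection logic over constructed events.
# Sigma string matching is case-insensitive, so all fields are lowercased.
WSMAN_LOADED = ("\\wsmsvc.dll", "\\wsmauto.dll", "\\microsoft.wsman.management.ni.dll")
WSMAN_ORIG = ("wsmsvc.dll", "wsmanautomation.dll", "microsoft.wsman.management.dll")
FILTER_ENDS = ("\\powershell.exe", "c:\\windows\\system32\\sdiagnhost.exe",
               "c:\\windows\\system32\\services.exe", "\\powershell_ise.exe")
FILTER_STARTS = ("c:\\windows\\temp\\asgard2-agent\\", "c:\\program files\\citrix\\",
                 "c:\\$windows.~bt\\sources\\")
DOTNET_STARTS = tuple(f"c:\\windows\\microsoft.net\\{d}\\v" for d in
                      ("framework64", "framework", "frameworkarm", "frameworkarm64"))
SVCHOST_CMDS = ("svchost.exe -k netsvcs -p -s bits", "svchost.exe -k networkservice -p -s wecsvc",
                "svchost.exe -k graphicsperfsvcgroup -s graphicsperfsvc", "svchost.exe -k netsvcs")
SVR_2019 = ("c:\\windows\\system32\\configure-smremoting.exe", "c:\\windows\\system32\\servermanager.exe")


def rule_matches(event: dict) -> bool:
    """True when the event satisfies the rule's condition."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine")  # None models Sigma's `CommandLine: null` (field absent)
    request_client = loaded.endswith(WSMAN_LOADED) or orig in WSMAN_ORIG
    respond_server = image.endswith("\\svchost.exe") and orig == "wsmwmipl.dll"
    if not (request_client or respond_server):
        return False
    # "not 1 of filter*": any single filter selection suppresses the hit
    filtered = (
        image.endswith(FILTER_ENDS)
        or (cmd is not None and any(s in cmd.lower() for s in SVCHOST_CMDS))
        or (image.startswith(DOTNET_STARTS) and image.endswith("\\mscorsvw.exe"))
        or image in SVR_2019
        or image.startswith(FILTER_STARTS)
    )
    if filtered:
        return False
    # "not ( svchost and commandline_null )": svchost without a command line (Sysmon) is ignored
    return not (image.endswith("\\svchost.exe") and cmd is None)


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe", "ImageLoaded": "C:\\Windows\\System32\\WsmAuto.dll",
     "OriginalFileName": "WSMANAUTOMATION.DLL", "CommandLine": "wscript.exe run.vbs"},  # hit
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\System32\\WsmSvc.dll", "OriginalFileName": "WsmSvc.dll"},  # filter_general
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\WsmWmiPl.dll",
     "OriginalFileName": "WsmWmiPl.dll"},  # respond_server, but svchost with null CommandLine
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\WsmSvc.dll",
     "OriginalFileName": "WsmSvc.dll", "CommandLine": "svchost.exe -k netsvcs -p -s BITS"},  # filter_svchost
]
```

Only the first constructed event fires; the other three show the three different ways the rule suppresses a candidate load.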
