Suspicious WSMAN Provider Image Loads
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Sigma rule (View on GitHub)
1title: Suspicious WSMAN Provider Image Loads
2id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
3status: test
4description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
5references:
6 - https://twitter.com/chadtilbury/status/1275851297770610688
7 - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
8 - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
9 - https://github.com/bohops/WSMan-WinRM
10author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
11date: 2020-06-24
12modified: 2025-10-17
13tags:
14 - attack.execution
15 - attack.t1059.001
16 - attack.lateral-movement
17 - attack.t1021.003
18logsource:
19 category: image_load
20 product: windows
21detection:
22 request_client:
23 - ImageLoaded|endswith:
24 - '\WsmSvc.dll'
25 - '\WsmAuto.dll'
26 - '\Microsoft.WSMan.Management.ni.dll'
27 - OriginalFileName:
28 - 'WsmSvc.dll'
29 - 'WSMANAUTOMATION.DLL'
30 - 'Microsoft.WSMan.Management.dll'
31 respond_server:
32 Image|endswith: '\svchost.exe'
33 OriginalFileName: 'WsmWmiPl.dll'
34 filter_general:
35 Image:
36 - 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
37 - 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
38 - 'C:\Program Files\PowerShell\6\pwsh.exe'
39 - 'C:\Program Files\PowerShell\7\pwsh.exe'
40 - 'C:\Windows\System32\sdiagnhost.exe'
41 - 'C:\Windows\System32\services.exe'
42 - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
43 - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
44 filter_svchost: # not available in Sysmon data, but Aurora logs
45 CommandLine|contains:
46 - 'svchost.exe -k netsvcs -p -s BITS'
47 - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
48 - 'svchost.exe -k NetworkService -p -s Wecsvc'
49 - 'svchost.exe -k netsvcs'
50 filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
51 Image|startswith:
52 - 'C:\Windows\Microsoft.NET\Framework64\v'
53 - 'C:\Windows\Microsoft.NET\Framework\v'
54 - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
55 - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
56 Image|endswith: '\mscorsvw.exe'
57 filter_svr_2019:
58 Image:
59 - 'C:\Windows\System32\Configure-SMRemoting.exe'
60 - 'C:\Windows\System32\ServerManager.exe'
61 filter_nextron:
62 Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
63 filter_citrix:
64 Image|startswith: 'C:\Program Files\Citrix\'
65 filter_upgrade:
66 Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
67 filter_mmc:
68 Image|endswith: '\mmc.exe'
69 svchost:
70 Image|endswith: '\svchost.exe'
71 commandline_null:
72 CommandLine: null
73 condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
74falsepositives:
75 - Unknown
76level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Introduction Lateral movement techniques in the wonderful world of enterprise Windows are quite finite. There are only so many techniques and variations of those techniques that attackers use…
Read More -
The Windows Remote Management architecture consists of components on the client and server computers.
Read More -
A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object - bohops/WSMan-WinRM
Read More
Related rules
- MMC20 Lateral Movement
- Remote DCOM/WMI Lateral Movement
- Remote PowerShell Session Host Process (WinRM)
- HackTool - Potential Impacket Lateral Movement Activity
- Potential Remote PowerShell Session Initiated