← Back to Explore
sigmahighHunting
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
Detection Query
selection:
ParentImage|endswith: \wsmprovhost.exe
Image|endswith:
- \cmd.exe
- \sh.exe
- \bash.exe
- \powershell.exe
- \pwsh.exe
- \wsl.exe
- \schtasks.exe
- \certutil.exe
- \whoami.exe
- \bitsadmin.exe
condition: selection
Author
Andreas Hunkeler (@Karneades), Markus Neis
Created
2021-05-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.t1190attack.initial-accessattack.persistenceattack.privilege-escalation
Raw Content
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
- Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wsmprovhost.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
condition: selection
falsepositives:
- Legitimate WinRM usage
level: high