EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious WSMAN Provider Image Loads

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

MITRE ATT&CK

T1059.001T1021.003
executionlateral-movement

Detection Query

request_client:
  - ImageLoaded|endswith:
      - \WsmSvc.dll
      - \WsmAuto.dll
      - \Microsoft.WSMan.Management.ni.dll
  - OriginalFileName:
      - WsmSvc.dll
      - WSMANAUTOMATION.DLL
      - Microsoft.WSMan.Management.dll
respond_server:
  Image|endswith: \svchost.exe
  OriginalFileName: WsmWmiPl.dll
filter_general:
  Image:
    - C:\Program Files (x86)\PowerShell\6\pwsh.exe
    - C:\Program Files (x86)\PowerShell\7\pwsh.exe
    - C:\Program Files\PowerShell\6\pwsh.exe
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Windows\System32\sdiagnhost.exe
    - C:\Windows\System32\services.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
filter_svchost:
  CommandLine|contains:
    - svchost.exe -k netsvcs -p -s BITS
    - svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
    - svchost.exe -k NetworkService -p -s Wecsvc
    - svchost.exe -k netsvcs
filter_mscorsvw:
  Image|startswith:
    - C:\Windows\Microsoft.NET\Framework64\v
    - C:\Windows\Microsoft.NET\Framework\v
    - C:\Windows\Microsoft.NET\FrameworkArm\v
    - C:\Windows\Microsoft.NET\FrameworkArm64\v
  Image|endswith: \mscorsvw.exe
filter_svr_2019:
  Image:
    - C:\Windows\System32\Configure-SMRemoting.exe
    - C:\Windows\System32\ServerManager.exe
filter_nextron:
  Image|startswith: C:\Windows\Temp\asgard2-agent\
filter_citrix:
  Image|startswith: C:\Program Files\Citrix\
filter_upgrade:
  Image|startswith: C:\$WINDOWS.~BT\Sources\
filter_mmc:
  Image|endswith: \mmc.exe
svchost:
  Image|endswith: \svchost.exe
commandline_null:
  CommandLine: null
condition: ( request_client or respond_server ) and not 1 of filter* and not (
  svchost and commandline_null )

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Created

2020-06-24

Data Sources

windowsImage Load Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001attack.lateral-movementattack.t1021.003
Raw Content
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    request_client:
        - ImageLoaded|endswith:
              - '\WsmSvc.dll'
              - '\WsmAuto.dll'
              - '\Microsoft.WSMan.Management.ni.dll'
        - OriginalFileName:
              - 'WsmSvc.dll'
              - 'WSMANAUTOMATION.DLL'
              - 'Microsoft.WSMan.Management.dll'
    respond_server:
        Image|endswith: '\svchost.exe'
        OriginalFileName: 'WsmWmiPl.dll'
    filter_general:
        Image:
            - 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
            - 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\6\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\services.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    filter_svchost: # not available in Sysmon data, but Aurora logs
        CommandLine|contains:
            - 'svchost.exe -k netsvcs -p -s BITS'
            - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
            - 'svchost.exe -k NetworkService -p -s Wecsvc'
            - 'svchost.exe -k netsvcs'
    filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\mscorsvw.exe'
    filter_svr_2019:
        Image:
            - 'C:\Windows\System32\Configure-SMRemoting.exe'
            - 'C:\Windows\System32\ServerManager.exe'
    filter_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
    filter_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_upgrade:
        Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
    filter_mmc:
        Image|endswith: '\mmc.exe'
    svchost:
        Image|endswith: '\svchost.exe'
    commandline_null:
        CommandLine: null
    condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
    - Unknown
level: medium