Suspicious Non PowerShell WSMAN COM Provider

title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains: 'ProviderName=WSMan'
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    filter_optional_hexnode:
        Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium