wsmprovhost.exe

  • File Path: C:\Windows\SysWOW64\wsmprovhost.exe
  • Description: Host process for WinRM plug-ins

Hashes

Type Hash
MD5 7FF8C32DD798BAB05FA7B271C09153CA
SHA1 672360528E772E2E1B39D1EB893CAE73C0F17A88
SHA256 86965D84501F9C09AFE9A74963E8A0AB45B5033936F6C30D3CEEC32A4AB6F2BE
SHA384 EB0453BEE3E0025E964B5A3CFE5C7752AF9BC74A2DE3B8E9D39F163456739075E4A3CE79AEC9204E92D38AC2DC46229A
SHA512 AC812C3214EA5616DE8D7C74D2A5915EDF4E2353CC929D8B70FF0C8E3C30A0EC6D914D583497F34C5572E3B2A09A21870414DAD7C5E91925BE0E855F6D35BCA1
SSDEEP 768:yFCKVJxp8aWrk/gl6gzuVv+3HJhrJQL5dFSm1ZqnJUi/G:yYYjW/rk4RN3kv6nJUi/G

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsmprovhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3541 (rs1_release_inmarket.200218-2047)
  • Product Version: 10.0.14393.3541
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\wsmprovhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\wsmprovhost.exe' DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\wsmprovhost.exe' DRL 1.0
sigma posh_pc_remote_powershell_session.yml HostApplication\|contains: 'wsmprovhost.exe' DRL 1.0
sigma posh_pm_remote_powershell_session.yml - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml SourceImage: 'C:\Windows\system32\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - Image\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - ParentImage\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml ParentImage: '*\wsmprovhost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.