wsmprovhost.exe
- File Path:
C:\Windows\system32\wsmprovhost.exe - Description: Host process for WinRM plug-ins
Hashes
| Type | Hash |
|---|---|
| MD5 | AB4AB98654635CABADB5F1A60BDA1C05 |
| SHA1 | 147FCAC6D6C4E2C397BAC2F1173F0183E05F6636 |
| SHA256 | 5FCCFF57D379CDC4CF6196FEF554CEF753B4C76DC315F371F90AEBF07B6A18C3 |
| SHA384 | C33DE3C6FE97F1D94B812EF408880EAD6F1C7D3E0F2C0F90DAF075205E735BC94EB456397D32BDEC4AC0E468C413536B |
| SHA512 | E2F23DE71037683A18457A2913439C54AB3E9FAE325DD17E2ED2FC78202073FCCA222F08BE3614F27F44A34F5E9AC9F44AE0FAFE11C2E4B558BD6B76EAB8B940 |
| SSDEEP | 768:m3YZGi6egGak3T7J8a+LONvhQ4XtbEuivwC:m3cVg6T7ia+LONvi4XREuivwC |
| IMP | 566283D9BC4787CDF98CCF90FD58FC2E |
| PESHA1 | EF20372AF1455A9608C31087C001517EA8A33419 |
| PE256 | 17EBAE4803DE14EC45E333AE7BFFE7874E28B49026E872C4797FE79B883C8175 |
Runtime Data
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\System32\en-US\user32.dll.mui | File |
| (RW-) C:\Users\user | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \RPC Control\DSECCD8 | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\CRYPT32.dll |
| C:\Windows\system32\DSROLE.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\IMM32.DLL |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\system32\mi.dll |
| C:\Windows\system32\miutils.dll |
| C:\Windows\System32\MSASN1.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\system32\pcwum.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\user32.dll |
| C:\Windows\system32\uxtheme.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\system32\wsmprovhost.exe |
| C:\Windows\system32\WsmSvc.DLL |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: wsmprovhost.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/5fccff57d379cdc4cf6196fef554cef753b4c76dc315f371f90aebf07b6a18c3/detection/
Possible Misuse
The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_in_memory_powershell.yml | - '\wsmprovhost.exe' |
DRL 1.0 |
| sigma | pipe_created_alternate_powershell_hosts_pipe.yml | - '\WINDOWS\System32\wsmprovhost.exe' |
DRL 1.0 |
| sigma | pipe_created_susp_adfs_namedpipe_connection.yml | - '\wsmprovhost.exe' |
DRL 1.0 |
| sigma | posh_pc_remote_powershell_session.yml | HostApplication\|contains: 'wsmprovhost.exe' |
DRL 1.0 |
| sigma | posh_pm_remote_powershell_session.yml | - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = |
DRL 1.0 |
| sigma | proc_access_win_mimikatz_trough_winrm.yml | description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
DRL 1.0 |
| sigma | proc_access_win_mimikatz_trough_winrm.yml | SourceImage: 'C:\Windows\system32\wsmprovhost.exe' |
DRL 1.0 |
| sigma | proc_creation_win_remote_powershell_session_process.yml | description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). |
DRL 1.0 |
| sigma | proc_creation_win_remote_powershell_session_process.yml | - Image\|endswith: '\wsmprovhost.exe' |
DRL 1.0 |
| sigma | proc_creation_win_remote_powershell_session_process.yml | - ParentImage\|endswith: '\wsmprovhost.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | ParentImage: '*\wsmprovhost.exe' |
DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.