wsmprovhost.exe
- File Path: C:\WINDOWS\SysWOW64\wsmprovhost.exe
- Description: Host process for WinRM plug-ins
Hashes
Type | Hash |
---|---|
MD5 | E161021A63AD2CA0F693709616C5157C |
SHA1 | F52F6152708C4F75CFFFB93516190584DF149CD6 |
SHA256 | 7445CFE07AC4E29F8A7393F985F1109FE118E6DACC00F7BE245A670B3CE8A592 |
SHA384 | 5AAB1DE5313D870192C579D2CCF49EFD682989F639DC6B2E1B3174719A7FA10DD5AA3E90D0F2210D9880D2B72B3E289C |
SHA512 | B08AB4DFA8D3F1D625510C463B0F05B3911380F867D66F0D5C106A2A5C190182D4AD23379427C49136342C8FBC789E5636B4EADDCE2151BB268D3D3F34498523 |
SSDEEP | 384:rWsKmx9ggrM3uaB92+qaNlUq2I7RrzAbrMlpmsKW6KCmnbxiOCOW7VfWrZ1Le:ilU9fSpqaNt7NH5msKWpxn9i9h+ |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: wsmprovhost.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.693 (WinBuild.160101.0800)
- Product Version: 10.0.18362.693
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\SysWOW64\wsmprovhost.exe | 54 |
C:\Windows\SysWOW64\wsmprovhost.exe | 52 |
Possible Misuse
The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | image_load_in_memory_powershell.yml | - '\wsmprovhost.exe' | DRL 1.0 |
sigma | pipe_created_alternate_powershell_hosts_pipe.yml | - '\WINDOWS\System32\wsmprovhost.exe' | DRL 1.0 |
sigma | pipe_created_susp_adfs_namedpipe_connection.yml | - '\wsmprovhost.exe' | DRL 1.0 |
sigma | posh_pc_remote_powershell_session.yml | HostApplication\|contains: 'wsmprovhost.exe' | DRL 1.0 |
sigma | posh_pm_remote_powershell_session.yml | - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = | DRL 1.0 |
sigma | proc_access_win_mimikatz_trough_winrm.yml | description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. | DRL 1.0 |
sigma | proc_access_win_mimikatz_trough_winrm.yml | SourceImage: 'C:\Windows\system32\wsmprovhost.exe' | DRL 1.0 |
sigma | proc_creation_win_remote_powershell_session_process.yml | description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). | DRL 1.0 |
sigma | proc_creation_win_remote_powershell_session_process.yml | - Image\|endswith: '\wsmprovhost.exe' | DRL 1.0 |
sigma | proc_creation_win_remote_powershell_session_process.yml | - ParentImage\|endswith: '\wsmprovhost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_shell_spawn_from_winrm.yml | ParentImage: '*\wsmprovhost.exe' | DRL 1.0 |
MIT License. Copyright (c) 2020-2021 Strontic.