wsmprovhost.exe

  • File Path: C:\Windows\system32\wsmprovhost.exe
  • Description: Host process for WinRM plug-ins

Hashes

Type Hash
MD5 EF274A94F0C8CAEB6D571912485AD1EB
SHA1 AF48C892767DF78DE3DCAAEFCA148ED5FF2406FB
SHA256 91D6A0097CE3B78B3982CC50C3C2851F6ED66BFC8757F872BB7A76A95DC4AF34
SHA384 4EDDA6235A84C5E81095E99112760E981A877015F51D3B9D5DB14E80464372DE8C6B05C24345F667C35EBB0954718E23
SHA512 D00690148025810140211E2D7B21B5BFC55822B224FC990F1F91C031D93426C53B3D2584CDE239C1A7885B5524EF062AF8571D4EC7A3F9C004563D55C006898E
SSDEEP 384:lKYYAGDVPibLECF9QAfokJr8msW5DTaCav6f31CoNHjJrk9gpW73fW:lA+jlwq8m1MCg6fFCotjJCgq

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsmprovhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3541 (rs1_release_inmarket.200218-2047)
  • Product Version: 10.0.14393.3541
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\wsmprovhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\wsmprovhost.exe' DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\wsmprovhost.exe' DRL 1.0
sigma posh_pc_remote_powershell_session.yml HostApplication\|contains: 'wsmprovhost.exe' DRL 1.0
sigma posh_pm_remote_powershell_session.yml - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml SourceImage: 'C:\Windows\system32\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - Image\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - ParentImage\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml ParentImage: '*\wsmprovhost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.