Suspicious WSMAN Provider Image Loads
About the rule
Rule Type
Standard
Rule Description
Detects image loads of the WSMAN provider DLLs by uncommon processes, which can indicate use of the provider locally or for remote execution.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "sa_imageloaded" AND ((OBJECTNAME endswith "\WsmSvc.dll,\WsmAuto.dll,\Microsoft.WSMan.Management.ni.dll" OR ORIGINALFILENAME = "WsmSvc.dll,WSMANAUTOMATION.DLL,Microsoft.WSMan.Management.dll") OR (PROCESSNAME endswith "\svchost.exe" AND ORIGINALFILENAME = "WsmWmiPl.dll")) AND (PROCESSNAME notendswith "\powershell.exe,C:\Windows\System32\sdiagnhost.exe,C:\Windows\System32\services.exe" AND COMMANDLINE notcontains "svchost.exe -k netsvcs -p -s BITS,svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc,svchost.exe -k NetworkService -p -s Wecsvc,svchost.exe -k netsvcs" AND (PROCESSNAME notstartswith "C:\Windows\Microsoft.NET\Framework64\v,C:\Windows\Microsoft.NET\Framework\v,C:\Windows\Microsoft.NET\FrameworkArm\v,C:\Windows\Microsoft.NET\FrameworkArm64\v" OR PROCESSNAME notendswith "\mscorsvw.exe") AND PROCESSNAME != "C:\Windows\System32\Configure-SMRemoting.exe,C:\Windows\System32\ServerManager.exe" AND PROCESSNAME notstartswith "C:\Windows\Temp\asgard2-agent" AND PROCESSNAME notstartswith "C:\Program Files\Citrix" AND PROCESSNAME notendswith "\powershell_ise.exe" AND PROCESSNAME notstartswith "C:\$WINDOWS.~BT\Sources") AND (PROCESSNAME notendswith "\svchost.exe" OR isExist(COMMANDLINE)) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PRODUCT_NAME,Action1.OBJECTNAME
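The criteria above, re-implemented as an added Python example so the exclusions can be read in isolation and exercised against a few constructed image-load events; this is not the rule engine's own code. The field names (PROCESSNAME, OBJECTNAME, ORIGINALFILENAME, COMMANDLINE) and the select list follow the rule; the comma-separated values inside the rule's quoted strings are treated as alternatives, string comparison is case-insensitive (an assumption, since Windows paths are), and the sample events, host name and helper function `_event` are constructed for the example.

```python
# Added example: the "Suspicious WSMAN Provider Image Loads" criteria as plain
# Python, run over constructed image-load events. Not the rule engine's code.

# Comma-separated values inside the rule's quoted strings are alternatives.
WSMAN_IMAGE_SUFFIXES = ("\\wsmsvc.dll", "\\wsmauto.dll", "\\microsoft.wsman.management.ni.dll")
WSMAN_ORIGINAL_NAMES = ("wsmsvc.dll", "wsmanautomation.dll", "microsoft.wsman.management.dll")

# Processes that load the provider legitimately and are filtered out by the rule.
EXCLUDED_PROCESS_SUFFIXES = ("\\powershell.exe", "\\sdiagnhost.exe", "\\services.exe", "\\powershell_ise.exe")
EXCLUDED_PROCESS_PATHS = ("c:\\windows\\system32\\configure-smremoting.exe",
                          "c:\\windows\\system32\\servermanager.exe")
EXCLUDED_PROCESS_PREFIXES = ("c:\\windows\\temp\\asgard2-agent", "c:\\program files\\citrix",
                             "c:\\$windows.~bt\\sources")
DOTNET_PREFIXES = ("c:\\windows\\microsoft.net\\framework64\\v", "c:\\windows\\microsoft.net\\framework\\v",
                   "c:\\windows\\microsoft.net\\frameworkarm\\v", "c:\\windows\\microsoft.net\\frameworkarm64\\v")
EXCLUDED_SVCHOST_CMDLINES = ("svchost.exe -k netsvcs -p -s bits",
                             "svchost.exe -k graphicsperfsvcgroup -s graphicsperfsvc",
                             "svchost.exe -k networkservice -p -s wecsvc",
                             "svchost.exe -k netsvcs")
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "PROCESSNAME", "PRODUCT_NAME", "OBJECTNAME")


def _lower(event, field):
    """Case-insensitive field access; a missing field reads as the empty string."""
    return (event.get(field) or "").lower()


def loads_wsman_provider(event):
    """First half of the criteria: is the loaded image a WSMAN provider DLL?"""
    image, original = _lower(event, "OBJECTNAME"), _lower(event, "ORIGINALFILENAME")
    process = _lower(event, "PROCESSNAME")
    # Match on the on-disk name, or on the PE original filename (catches renamed copies).
    by_name = image.endswith(WSMAN_IMAGE_SUFFIXES) or original in WSMAN_ORIGINAL_NAMES
    plugin_in_svchost = process.endswith("\\svchost.exe") and original == "wsmwmipl.dll"
    return by_name or plugin_in_svchost


def is_expected_host(event):
    """Second half of the criteria: every exclusion the rule applies."""
    process, cmdline = _lower(event, "PROCESSNAME"), _lower(event, "COMMANDLINE")
    if process.endswith(EXCLUDED_PROCESS_SUFFIXES) or process in EXCLUDED_PROCESS_PATHS:
        return True
    if process.startswith(EXCLUDED_PROCESS_PREFIXES):
        return True
    if any(s in cmdline for s in EXCLUDED_SVCHOST_CMDLINES):
        return True
    # mscorsvw.exe is only expected when it runs from a .NET framework directory.
    if process.startswith(DOTNET_PREFIXES) and process.endswith("\\mscorsvw.exe"):
        return True
    # svchost.exe without a command line cannot be attributed to a service group.
    if process.endswith("\\svchost.exe") and not event.get("COMMANDLINE"):
        return True
    return False


def matches(event):
    """True when the event satisfies the whole rule criteria."""
    return (event.get("actionname") == "sa_imageloaded"
            and loads_wsman_provider(event) and not is_expected_host(event))


def run_rule(events):
    """Return the rule's select projection for every matching event."""
    return [{f: e.get(f) for f in SELECT_FIELDS} for e in events if matches(e)]


def _event(process, image, original="", cmdline=None, action="sa_imageloaded"):
    """Constructed event with the fields the rule reads (host name is made up)."""
    return {"actionname": action, "HOSTNAME": "ws01.example.test", "MESSAGE": "Image loaded",
            "PROCESSNAME": process, "PRODUCT_NAME": "Microsoft Windows", "OBJECTNAME": image,
            "ORIGINALFILENAME": original, "COMMANDLINE": cmdline}


# Constructed sample events, not real telemetry: two should fire, the rest are excluded.
SAMPLE_EVENTS = [
    _event("C:\\Users\\alice\\Downloads\\tool.exe", "C:\\Windows\\System32\\WsmSvc.dll", "WsmSvc.dll", "tool.exe"),
    _event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
           "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.WSMan.Management.ni.dll"),
    _event("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\WsmWmiPl.dll", "WsmWmiPl.dll",
           "svchost.exe -k netsvcs -p -s BITS"),
    _event("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\WsmSvc.dll", "WsmSvc.dll"),
    _event("C:\\Windows\\System32\\rundll32.exe", "D:\\staging\\wsm.dll", "WSMANAUTOMATION.DLL", "rundll32.exe"),
    _event("C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe",
           "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.WSMan.Management.ni.dll"),
    _event("C:\\Users\\alice\\Downloads\\tool.exe", "C:\\Windows\\System32\\WsmSvc.dll", "WsmSvc.dll",
           "tool.exe", action="sa_processcreated"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

The fifth event shows why the rule also keys on ORIGINALFILENAME: a provider DLL copied under a different name still carries its PE original filename, so it is matched even though the OBJECTNAME suffix does not. The fourth event shows the cost of the `isExist(COMMANDLINE)` clause: an svchost.exe load without a command line is dropped rather than alerted on, so telemetry that omits COMMANDLINE weakens this rule for service-hosted loads.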
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)