
Suspicious WSMAN Provider Image Loads

sigma MEDIUM SigmaHQ
T1059.001, T1021.003
DeviceImageLoadEvents
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects signs of potential use of the WSMAN provider by uncommon processes, covering both local use and remote execution.

Detection Rule

Sigma (Original)

title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    request_client:
        - ImageLoaded|endswith:
              - '\WsmSvc.dll'
              - '\WsmAuto.dll'
              - '\Microsoft.WSMan.Management.ni.dll'
        - OriginalFileName:
              - 'WsmSvc.dll'
              - 'WSMANAUTOMATION.DLL'
              - 'Microsoft.WSMan.Management.dll'
    respond_server:
        Image|endswith: '\svchost.exe'
        OriginalFileName: 'WsmWmiPl.dll'
    filter_general:
        Image:
            - 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
            - 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\6\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\services.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    filter_svchost: # not available in Sysmon data, but Aurora logs
        CommandLine|contains:
            - 'svchost.exe -k netsvcs -p -s BITS'
            - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
            - 'svchost.exe -k NetworkService -p -s Wecsvc'
            - 'svchost.exe -k netsvcs'
    filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\mscorsvw.exe'
    filter_svr_2019:
        Image:
            - 'C:\Windows\System32\Configure-SMRemoting.exe'
            - 'C:\Windows\System32\ServerManager.exe'
    filter_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
    filter_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_upgrade:
        Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
    filter_mmc:
        Image|endswith: '\mmc.exe'
    svchost:
        Image|endswith: '\svchost.exe'
    commandline_null:
        CommandLine: null
    condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
    - Unknown
level: medium
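
The rule's condition, evaluated over four constructed image-load events, shows how the selections, the filters and the svchost null-command-line exclusion interact. This is an added example, not part of the SigmaHQ rule or its tooling; `rule_matches`, the helper names and the sample events are assumptions made for illustration.

```python
# Added example: the Sigma condition above as code (Sysmon Event ID 7 field names, case-insensitive).
def ends(v, *s): return bool(v) and v.lower().endswith(tuple(x.lower() for x in s))
def starts(v, *s): return bool(v) and v.lower().startswith(tuple(x.lower() for x in s))
def isin(v, *s): return bool(v) and v.lower() in {x.lower() for x in s}
SYS32 = 'C:\\Windows\\System32\\'
GENERAL = [f'{pf}\\PowerShell\\{v}\\pwsh.exe'
           for pf in ('C:\\Program Files (x86)', 'C:\\Program Files') for v in '67']
GENERAL += [SYS32 + n for n in ('sdiagnhost.exe', 'services.exe',
            'WindowsPowerShell\\v1.0\\powershell_ise.exe',
            'WindowsPowerShell\\v1.0\\powershell.exe')]
SVC_CMD = ('svchost.exe -k netsvcs -p -s BITS',
           'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc',
           'svchost.exe -k NetworkService -p -s Wecsvc', 'svchost.exe -k netsvcs')
DOTNET = ['C:\\Windows\\Microsoft.NET\\' + d + '\\v'
          for d in ('Framework64', 'Framework', 'FrameworkArm', 'FrameworkArm64')]

def rule_matches(ev):
    img, cmd = ev.get('Image'), ev.get('CommandLine')
    loaded, ofn = ev.get('ImageLoaded'), ev.get('OriginalFileName')
    request_client = (ends(loaded, '\\WsmSvc.dll', '\\WsmAuto.dll',
                           '\\Microsoft.WSMan.Management.ni.dll')
                      or isin(ofn, 'WsmSvc.dll', 'WSMANAUTOMATION.DLL',
                              'Microsoft.WSMan.Management.dll'))
    respond_server = ends(img, '\\svchost.exe') and isin(ofn, 'WsmWmiPl.dll')
    filters = [
        isin(img, *GENERAL),                                           # filter_general
        bool(cmd) and any(s.lower() in cmd.lower() for s in SVC_CMD),  # filter_svchost
        starts(img, *DOTNET) and ends(img, '\\mscorsvw.exe'),          # filter_mscorsvw
        isin(img, SYS32 + 'Configure-SMRemoting.exe', SYS32 + 'ServerManager.exe'),
        starts(img, 'C:\\Windows\\Temp\\asgard2-agent\\',              # nextron, citrix, upgrade
               'C:\\Program Files\\Citrix\\', 'C:\\$WINDOWS.~BT\\Sources\\'),
        ends(img, '\\mmc.exe'),                                        # filter_mmc
    ]
    svchost_null = ends(img, '\\svchost.exe') and cmd is None  # svchost and commandline_null
    return (request_client or respond_server) and not any(filters) and not svchost_null

# Constructed sample events (not real telemetry).
SAMPLES = {
    'cscript': {'Image': SYS32 + 'cscript.exe', 'CommandLine': 'cscript.exe job.vbs',
                'ImageLoaded': SYS32 + 'WsmAuto.dll', 'OriginalFileName': 'WSMANAUTOMATION.DLL'},
    'powershell': {'Image': SYS32 + 'WindowsPowerShell\\v1.0\\powershell.exe',
                   'CommandLine': 'powershell.exe', 'ImageLoaded': SYS32 + 'WsmSvc.dll'},
    'svchost_no_cmd': {'Image': SYS32 + 'svchost.exe', 'CommandLine': None,
                       'ImageLoaded': SYS32 + 'WsmSvc.dll'},
    'svchost_wmi': {'Image': SYS32 + 'svchost.exe', 'CommandLine': 'svchost.exe -k DcomLaunch -p',
                    'ImageLoaded': SYS32 + 'WsmWmiPl.dll', 'OriginalFileName': 'WsmWmiPl.dll'},
}
RESULTS = {name: rule_matches(ev) for name, ev in SAMPLES.items()}
```

`RESULTS` flags the `cscript` and `svchost_wmi` events and suppresses the other two. The `svchost_no_cmd` case shows that a data source which does not populate `CommandLine` for svchost.exe silences the rule for that process entirely.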

KQL (Microsoft 365 Defender)

DeviceImageLoadEvents
// request_client or respond_server
// Note: Sigma's OriginalFileName describes the loaded module, while
// InitiatingProcessVersionInfoOriginalFileName describes the loading process,
// so the two OriginalFileName terms below may not match as the Sigma rule intends.
| where FolderPath endswith "\\WsmSvc.dll"
    or FolderPath endswith "\\WsmAuto.dll"
    or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll"
    or InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll")
    or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")
// not 1 of filter*
| where not(
    InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe", "C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\6\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
    or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS"
    or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc"
    or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc"
    or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs"
    or ((InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe")
    or InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")
    or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\"
    or InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\"
    or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"
    or InitiatingProcessFolderPath endswith "\\mmc.exe")
// not (svchost and commandline_null): string columns are never null in KQL,
// so isempty() stands in for Sigma's "CommandLine: null"
| where not(InitiatingProcessFolderPath endswith "\\svchost.exe" and isempty(InitiatingProcessCommandLine))

Required Data Sources

Sentinel Table: DeviceImageLoadEvents
Notes: Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml