wmiprsve.exe Rare Child Process

The Cortex XDR – Analytics wmiprsve.exe Rare Child Process alert fires when a remote WMI command caused the WMI Provider Host, wmiprvse.exe, to act as a binary proxy and start a child process that is rarely seen under it in your environment. Because process creation over remote WMI is a common way to run commands on another host, a rare child of wmiprvse.exe can indicate that an attacker is using WMI for remote code execution.

Synopsis

10 minutes.
3 days.
14 days.
10 minutes.
Required data: Traps endpoint data.
Detection module: Lateral movement.

Description

A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which in turn executed a rare child process. The WMI Provider Host services WMI requests such as Win32_Process Create, so a program started on an endpoint through remote WMI shows up in endpoint telemetry as a child of wmiprvse.exe rather than of the remote caller. Legitimate management and monitoring tools also create processes this way, which is why the alert compares the child against what wmiprvse.exe normally spawns in the environment and raises only on children that are rare there. A rare child, particularly a shell, scripting host or living-off-the-land binary, can indicate remote code execution by an attacker. When triaging, examine the child's command line, the account that issued the WMI request and the source host of the connection to decide whether the execution was expected.
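The following is an added, illustrative model of the detection logic described above; it is not Cortex XDR code. It runs over constructed process-creation events, builds a baseline of which child images wmiprvse.exe spawned (and on how many hosts) before an assumed test window, flags children in the test window that fall below an assumed host-count threshold, and suppresses repeat alerts for the same host and child within an assumed 10-minute deduplication window. The event field layout, thresholds and window lengths are assumptions, not the product's.

```python
"""Illustrative rare-child-process detector for wmiprvse.exe (added example, not Cortex XDR code)."""
from collections import defaultdict
from datetime import datetime, timedelta

PARENT = "wmiprvse.exe"
DEDUP_WINDOW = timedelta(minutes=10)  # assumed deduplication window

# Constructed sample events: (timestamp, host, parent image, child image).
EVENTS = [
    # Training window: a monitoring job legitimately runs PowerShell via WMI on several hosts.
    ("2023-04-20T08:00:00", "ws01", "WmiPrvSE.exe", "powershell.exe"),
    ("2023-04-21T08:00:00", "ws02", "WmiPrvSE.exe", "powershell.exe"),
    ("2023-04-22T08:00:00", "ws03", "WmiPrvSE.exe", "powershell.exe"),
    ("2023-04-25T08:00:00", "ws01", "WmiPrvSE.exe", "powershell.exe"),
    # A one-off package install via WMI, seen on a single host only.
    ("2023-04-26T13:00:00", "ws01", "WmiPrvSE.exe", "msiexec.exe"),
    # Test window.
    ("2023-05-01T09:00:00", "ws04", "WmiPrvSE.exe", "powershell.exe"),  # common child: no alert
    ("2023-05-01T10:00:00", "ws02", "WmiPrvSE.exe", "cmd.exe"),         # never seen: alert
    ("2023-05-01T10:05:00", "ws02", "WmiPrvSE.exe", "cmd.exe"),         # inside dedup window: suppressed
    ("2023-05-01T10:30:00", "ws02", "WmiPrvSE.exe", "cmd.exe"),         # outside dedup window: alert
    ("2023-05-01T11:00:00", "ws05", "WmiPrvSE.exe", "msiexec.exe"),     # seen on one host only: alert
    ("2023-05-01T11:10:00", "ws05", "svchost.exe", "cmd.exe"),          # not a wmiprvse.exe child: ignored
]


def parse(events):
    """Normalise raw tuples: ISO timestamps to datetime, image names to lower case."""
    return [(datetime.fromisoformat(t), h, p.lower(), c.lower()) for t, h, p, c in events]


def build_baseline(events, test_start):
    """Map child image -> set of hosts on which wmiprvse.exe spawned it before test_start."""
    hosts_by_child = defaultdict(set)
    for ts, host, parent, child in events:
        if ts < test_start and parent == PARENT:
            hosts_by_child[child].add(host)
    return hosts_by_child


def detect(events, test_start, min_hosts=2):
    """Return alerts for wmiprvse.exe children seen in the test window on fewer than
    min_hosts distinct hosts during the baseline, deduplicated per (host, child)."""
    test_start = datetime.fromisoformat(test_start)
    events = sorted(parse(events))
    baseline = build_baseline(events, test_start)
    alerts = []
    last_alert = {}  # (host, child) -> time of the last alert raised for it
    for ts, host, parent, child in events:
        if ts < test_start or parent != PARENT:
            continue
        if len(baseline.get(child, ())) >= min_hosts:
            continue  # child is common under wmiprvse.exe in this environment
        key = (host, child)
        if key in last_alert and ts - last_alert[key] < DEDUP_WINDOW:
            continue  # same host and child alerted recently
        last_alert[key] = ts
        alerts.append({
            "time": ts.isoformat(),
            "host": host,
            "child": child,
            "baseline_hosts": sorted(baseline.get(child, ())),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, "2023-05-01T00:00:00"):
        print(alert)
```

Running the block against the constructed events yields three alerts: cmd.exe on ws02 at 10:00 and again at 10:30 (the 10:05 repeat is deduplicated), and msiexec.exe on ws05, which the baseline had seen on only one host. The PowerShell child on ws04 is not raised because the baseline saw it on three hosts. In a real deployment the baseline would be built from the product's process telemetry over its training period rather than from an inline list.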

Related Documentation