wsmprovhost.exe Rare Child Process

The Cortex XDR – Analytics wsmprovhost.exe Rare Child Process alert indicates that a remote WMI command invoked the proxy binary wsmprovhost.exe, which in turn executed a rare child process. A rare child process under this parent can indicate remote code execution abuse by an attacker.

Synopsis

10 minutes.
3 days.
14 days.
10 minutes.
Traps endpoint data.
Lateral movement.

Description

The PowerShell host wsmprovhost.exe is a proxy process started on the remote machine when PowerShell is used over Windows Remote Management (WinRM). This alert fires when it has executed a rare child process, which may indicate remote code execution abuse by an attacker.
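As an added illustration of the rarity logic this alert is built on (example code written for this page, not Cortex XDR's own detector): the script baselines which child images wsmprovhost.exe spawned during a three-day training window, then flags any child in a later test window that was never, or only rarely, seen in that baseline. The process-creation events, host names and window boundaries are constructed for the example.

```python
# Added example, not Cortex XDR's own detection logic: baseline the children of
# wsmprovhost.exe over a training window, then flag rare children in a test window.
from collections import Counter
from datetime import datetime

PARENT = "wsmprovhost.exe"

# Constructed process-creation events: (timestamp, host, parent image, child image).
EVENTS = [
    ("2024-03-01T09:00:00", "WS01", "wsmprovhost.exe", "conhost.exe"),
    ("2024-03-01T09:05:00", "WS01", "wsmprovhost.exe", "conhost.exe"),
    ("2024-03-02T10:00:00", "WS02", "wsmprovhost.exe", "conhost.exe"),
    ("2024-03-02T10:01:00", "WS02", "wsmprovhost.exe", "powershell.exe"),
    ("2024-03-03T08:00:00", "WS01", "wsmprovhost.exe", "conhost.exe"),
    ("2024-03-04T13:37:00", "WS01", "wsmprovhost.exe", "rundll32.exe"),   # never seen in baseline
    ("2024-03-04T13:38:00", "WS03", "wsmprovhost.exe", "conhost.exe"),
    ("2024-03-04T13:39:00", "WS03", "wsmprovhost.exe", "powershell.exe"),  # seen once in baseline
    ("2024-03-04T14:00:00", "WS03", "explorer.exe", "notepad.exe"),        # other parent, ignored
]

def _in_window(ts, start, end):
    t = datetime.fromisoformat(ts)
    return datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)

def build_baseline(events, train_start, train_end):
    """Count how often each child image was spawned by PARENT in the training window."""
    return Counter(
        child.lower()
        for ts, _host, parent, child in events
        if parent.lower() == PARENT and _in_window(ts, train_start, train_end)
    )

def find_rare_children(events, baseline, test_start, test_end, max_seen=0):
    """Return (timestamp, host, child) for PARENT's children in the test window whose
    baseline count is at most max_seen; max_seen=0 means 'never seen in training'."""
    return [
        (ts, host, child)
        for ts, host, parent, child in events
        if parent.lower() == PARENT
        and _in_window(ts, test_start, test_end)
        and baseline[child.lower()] <= max_seen
    ]

if __name__ == "__main__":
    base = build_baseline(EVENTS, "2024-03-01", "2024-03-04")  # 3-day training window
    for hit in find_rare_children(EVENTS, base, "2024-03-04", "2024-03-05"):
        print("rare child of wsmprovhost.exe:", hit)
```

Raising max_seen trades fewer missed detections for more alerts on children that were seen only once or twice during training; the real detector also deduplicates repeats of the same alert within a short window.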

Related Documentation