alert indicates a remote WMI command executed a binary proxy, wsmprovhost.exe,
which executed a rare child process. Executing a rare child process
can be an indication of remote code execution abuse by an attacker.
The PowerShell host wsmprovhost.exe
is a proxy process executed remotely through PowerShell when using
Windows Remote Management (WinRM). It has executed a rare child
process, which may indicate remote code execution abuse by an attacker.
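The description above amounts to a prevalence check on the children of wsmprovhost.exe. The sketch below is an added example, not the alerting product's own logic: it assumes "rare" means a child image seen under wsmprovhost.exe on at most `max_hosts` hosts in a baseline window, and the event fields, host names and sample paths are constructed for illustration.

```python
import ntpath
from collections import defaultdict

PARENT = "wsmprovhost.exe"  # WinRM PowerShell host named in the alert text

def image_name(path):
    """Lower-cased file name of a Windows image path (Windows paths are case-insensitive)."""
    return ntpath.basename(path.strip('"')).lower()

def child_prevalence(events):
    """Map each child image of wsmprovhost.exe to the set of hosts where it ran."""
    hosts = defaultdict(set)
    for e in events:
        if image_name(e["parent"]) == PARENT:
            hosts[image_name(e["child"])].add(e["host"].lower())
    return hosts

def rare_child_alerts(baseline, new_events, max_hosts=1):
    """Flag new wsmprovhost.exe children seen on <= max_hosts baseline hosts (assumed rule)."""
    seen = child_prevalence(baseline)
    alerts = []
    for e in new_events:
        child = image_name(e["child"])
        count = len(seen.get(child, ()))
        if image_name(e["parent"]) == PARENT and count <= max_hosts:
            alerts.append((e["host"], child, count))
    return alerts

def ev(host, parent, child):  # builds one constructed process-creation event
    return {"host": host, "parent": parent, "child": child}

# Constructed sample events, not real telemetry.
W = r"C:\Windows\System32\wsmprovhost.exe"
BASELINE = (
    [ev(f"srv{i:02d}", W, r"C:\Windows\System32\ipconfig.exe") for i in range(8)]
    + [ev(f"srv{i:02d}", W, r"C:\Windows\System32\hostname.exe") for i in range(5)]
    + [ev("srv03", W, r"C:\Tools\inventory.exe")]
)
NEW = [
    ev("srv02", W.upper(), r"C:\Windows\System32\IPCONFIG.EXE"),  # common child: not flagged
    ev("srv07", W, r"C:\Users\Public\upd.exe"),                   # never seen: flagged
    ev("srv04", W, r"C:\Tools\inventory.exe"),                    # one baseline host: flagged
    ev("srv07", r"C:\Windows\explorer.exe", r"C:\Users\Public\upd.exe"),  # other parent: ignored
]

if __name__ == "__main__":
    for host, child, count in rare_child_alerts(BASELINE, NEW):
        print(f"{host}: {PARENT} -> {child} (seen on {count} baseline hosts)")
```

Lowering `max_hosts` to 0 limits alerts to children never seen under wsmprovhost.exe in the baseline, which trades coverage of low-prevalence admin tools for fewer false positives.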