wsmprovhost.exe Rare Child Process

The
wsmprovhost.exe Rare Child Process
Analytics alert indicates a remote WMI command executed a binary proxy, wsmprovhost.exe, which executed a rare child process. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity
Low

Description

The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). It has executed a rare child process, which may indicate remote code execution abuse by an attacker.

Recommended For You