According to ATT&CK, PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

ATT&CK Detections

Technique                          | Subtechnique(s)            | Tactic(s)        | Level of Coverage
Command and Scripting Interpreter  | PowerShell                 | Execution        | Moderate
Remote Services                    | Windows Remote Management  | Lateral Movement | Moderate

D3FEND Techniques

ID      | Name
D3-PLA  | Process Lineage Analysis

Data Model References

Object   | Action  | Field
process  | create  | exe
process  | create  | parent_exe

Implementations

Pseudocode

process = search Process:Create
wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe")

Eql, EQL native

EQL version of the above pseudocode.

process where subtype.create and
  (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe")

Logpoint, LogPoint native

LogPoint version of the above pseudocode.

norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe"
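The same filter as the pseudocode above, applied to Sysmon Event ID 1 records, as an added example that is not part of the CAR analytic page. It compares file names rather than full paths, case-insensitively, because real Sysmon events carry full mixed-case paths (the LogPoint query handles this with the "*\" wildcard). The event records and fields are constructed for illustration.

```python
# Added example (not from the CAR page): applies the analytic's filter --
# wsmprovhost.exe created with svchost.exe as its parent -- to Sysmon
# Event ID 1 (process create) records. Records are constructed samples.
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    event_id: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreate(1, r"C:\Windows\System32\wsmprovhost.exe",
                  r"C:\Windows\System32\svchost.exe", "wsmprovhost.exe"),
    ProcessCreate(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"C:\Windows\explorer.exe", "powershell.exe"),
    # Same image name but a different parent: must not match.
    ProcessCreate(1, r"C:\Windows\System32\wsmprovhost.exe",
                  r"C:\Windows\explorer.exe", "wsmprovhost.exe"),
    # Not a process-create event: ignored regardless of the names.
    ProcessCreate(3, r"C:\Windows\System32\wsmprovhost.exe",
                  r"C:\Windows\System32\svchost.exe", ""),
]


def basename(path: str) -> str:
    """File name from a Windows path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def is_remote_powershell_session(ev: ProcessCreate) -> bool:
    """Equivalent of: filter process where exe == "wsmprovhost.exe"
    and parent_exe == "svchost.exe", restricted to Sysmon event 1."""
    return (ev.event_id == 1
            and basename(ev.image) == "wsmprovhost.exe"
            and basename(ev.parent_image) == "svchost.exe")


def find_remote_sessions(events):
    """Return the events that satisfy the analytic, in input order."""
    return [ev for ev in events if is_remote_powershell_session(ev)]


if __name__ == "__main__":
    for ev in find_remote_sessions(SAMPLE_EVENTS):
        print(f"match: {ev.image} <- {ev.parent_image}")
```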