Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious WSMAN Provider Image Loads
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious WSMAN Provider Image Loads
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
- https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-17
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.003
logsource:
category: image_load
product: windows
detection:
request_client:
- ImageLoaded|endswith:
- '\WsmSvc.dll'
- '\WsmAuto.dll'
- '\Microsoft.WSMan.Management.ni.dll'
- OriginalFileName:
- 'WsmSvc.dll'
- 'WSMANAUTOMATION.DLL'
- 'Microsoft.WSMan.Management.dll'
respond_server:
Image|endswith: '\svchost.exe'
OriginalFileName: 'WsmWmiPl.dll'
filter_general:
Image:
- 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
- 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\6\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\sdiagnhost.exe'
- 'C:\Windows\System32\services.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
filter_svchost: # not available in Sysmon data, but Aurora logs
CommandLine|contains:
- 'svchost.exe -k netsvcs -p -s BITS'
- 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
- 'svchost.exe -k NetworkService -p -s Wecsvc'
- 'svchost.exe -k netsvcs'
filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Image|startswith:
- 'C:\Windows\Microsoft.NET\Framework64\v'
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
Image|endswith: '\mscorsvw.exe'
filter_svr_2019:
Image:
- 'C:\Windows\System32\Configure-SMRemoting.exe'
- 'C:\Windows\System32\ServerManager.exe'
filter_nextron:
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
filter_citrix:
Image|startswith: 'C:\Program Files\Citrix\'
filter_upgrade:
Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
filter_mmc:
Image|endswith: '\mmc.exe'
svchost:
Image|endswith: '\svchost.exe'
commandline_null:
CommandLine: null
condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/image_load/image_load_wsman_provider_image_load.yml