Execution of COM object via Xwizard

  1[metadata]
  2creation_date = "2021/01/20"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application
 11programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to
 12run a COM object created in registry to evade defensive counter measures.
 13"""
 14from = "now-9m"
 15index = [
 16    "endgame-*",
 17    "logs-crowdstrike.fdr*",
 18    "logs-endpoint.events.process-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-system.security*",
 22    "logs-windows.forwarded*",
 23    "logs-windows.sysmon_operational-*",
 24    "winlogbeat-*",
 25]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "Execution of COM object via Xwizard"
 29note = """## Triage and analysis
 30
 31> **Disclaimer**:
 32> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 33
 34### Investigating Execution of COM object via Xwizard
 35
 36The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities.
 37
 38### Possible investigation steps
 39
 40- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields.
 41- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity.
 42- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise.
 43- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes.
 44- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
 45- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation.
 46
 47### False positive analysis
 48
 49- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments.
 50- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths.
 51- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations.
 52- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list.
 53
 54### Response and remediation
 55
 56- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
 57- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution.
 58- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious.
 59- Restore the system from a known good backup if unauthorized changes or persistent threats are detected.
 60- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 61- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
 62- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
 63references = [
 64    "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 65    "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 66]
 67risk_score = 47
 68rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
 69severity = "medium"
 70tags = [
 71    "Domain: Endpoint",
 72    "OS: Windows",
 73    "Use Case: Threat Detection",
 74    "Tactic: Execution",
 75    "Data Source: Elastic Endgame",
 76    "Data Source: Elastic Defend",
 77    "Data Source: Windows Security Event Logs",
 78    "Data Source: Microsoft Defender for Endpoint",
 79    "Data Source: Sysmon",
 80    "Data Source: SentinelOne",
 81    "Data Source: Crowdstrike",
 82    "Resources: Investigation Guide",
 83]
 84timestamp_override = "event.ingested"
 85type = "eql"
 86
 87query = '''
 88process where host.os.type == "windows" and event.type == "start" and
 89 (process.name : "xwizard.exe" or ?process.pe.original_file_name : "xwizard.exe") and
 90 (
 91   (process.args : "RunWizard" and process.args : "{*}") or
 92   (process.executable != null and
 93     not process.executable : (
 94        "C:\\Windows\\SysWOW64\\xwizard.exe",
 95        "C:\\Windows\\System32\\xwizard.exe",
 96        "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
 97        "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe"
 98     )
 99   )
100 )
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1559"
108name = "Inter-Process Communication"
109reference = "https://attack.mitre.org/techniques/T1559/"
110[[rule.threat.technique.subtechnique]]
111id = "T1559.001"
112name = "Component Object Model"
113reference = "https://attack.mitre.org/techniques/T1559/001/"
114
115
116
117[rule.threat.tactic]
118id = "TA0002"
119name = "Execution"
120reference = "https://attack.mitre.org/tactics/TA0002/"