Execution of COM object via Xwizard
Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/20"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application
13programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to
14run a COM object created in registry to evade defensive counter measures.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Execution of COM object via Xwizard"
31references = [
32 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
33 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
34]
35risk_score = 47
36rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
37severity = "medium"
38tags = [
39 "Domain: Endpoint",
40 "OS: Windows",
41 "Use Case: Threat Detection",
42 "Tactic: Execution",
43 "Data Source: Elastic Endgame",
44 "Data Source: Elastic Defend",
45 "Data Source: System",
46 "Data Source: Microsoft Defender for Endpoint",
47 "Data Source: Sysmon",
48 "Data Source: SentinelOne",
49 "Data Source: Crowdstrike",
50]
51timestamp_override = "event.ingested"
52type = "eql"
53
54query = '''
55process where host.os.type == "windows" and event.type == "start" and
56 (process.name : "xwizard.exe" or ?process.pe.original_file_name : "xwizard.exe") and
57 (
58 (process.args : "RunWizard" and process.args : "{*}") or
59 (process.executable != null and
60 not process.executable : (
61 "C:\\Windows\\SysWOW64\\xwizard.exe",
62 "C:\\Windows\\System32\\xwizard.exe",
63 "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
64 "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe"
65 )
66 )
67 )
68'''
69
70
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73[[rule.threat.technique]]
74id = "T1559"
75name = "Inter-Process Communication"
76reference = "https://attack.mitre.org/techniques/T1559/"
77[[rule.threat.technique.subtechnique]]
78id = "T1559.001"
79name = "Component Object Model"
80reference = "https://attack.mitre.org/techniques/T1559/001/"
81
82
83
84[rule.threat.tactic]
85id = "TA0002"
86name = "Execution"
87reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Xwizard.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve. Why? When you run it with a ‘/h’ comma...
Read More
Related rules
- Persistence via WMI Event Subscription
- ScreenConnect Server Spawning Suspicious Processes
- Volume Shadow Copy Deletion via WMIC
- UAC Bypass via DiskCleanup Scheduled Task Hijack
- Web Shell Detection: Script Process Child of Common Web Processes