Execution of COM object via Xwizard
Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/20"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
4maturity = "production"
5updated_date = "2025/01/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application
13programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to
14run a COM object created in registry to evade defensive counter measures.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Execution of COM object via Xwizard"
31references = [
32 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
33 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
34]
35risk_score = 47
36rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
37severity = "medium"
38tags = [
39 "Domain: Endpoint",
40 "OS: Windows",
41 "Use Case: Threat Detection",
42 "Tactic: Execution",
43 "Data Source: Elastic Endgame",
44 "Data Source: Elastic Defend",
45 "Data Source: System",
46 "Data Source: Microsoft Defender for Endpoint",
47 "Data Source: Sysmon",
48 "Data Source: SentinelOne",
49 "Data Source: Crowdstrike",
50 "Resources: Investigation Guide",
51]
52timestamp_override = "event.ingested"
53type = "eql"
54
55query = '''
56process where host.os.type == "windows" and event.type == "start" and
57 (process.name : "xwizard.exe" or ?process.pe.original_file_name : "xwizard.exe") and
58 (
59 (process.args : "RunWizard" and process.args : "{*}") or
60 (process.executable != null and
61 not process.executable : (
62 "C:\\Windows\\SysWOW64\\xwizard.exe",
63 "C:\\Windows\\System32\\xwizard.exe",
64 "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
65 "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe"
66 )
67 )
68 )
69'''
70note = """## Triage and analysis
71
72> **Disclaimer**:
73> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
74
75### Investigating Execution of COM object via Xwizard
76
77The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities.
78
79### Possible investigation steps
80
81- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields.
82- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity.
83- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise.
84- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes.
85- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
86- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation.
87
88### False positive analysis
89
90- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments.
91- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths.
92- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations.
93- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list.
94
95### Response and remediation
96
97- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
98- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution.
99- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious.
100- Restore the system from a known good backup if unauthorized changes or persistent threats are detected.
101- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
102- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
103- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
104
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1559"
110name = "Inter-Process Communication"
111reference = "https://attack.mitre.org/techniques/T1559/"
112[[rule.threat.technique.subtechnique]]
113id = "T1559.001"
114name = "Component Object Model"
115reference = "https://attack.mitre.org/techniques/T1559/001/"
116
117
118
119[rule.threat.tactic]
120id = "TA0002"
121name = "Execution"
122reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Execution of COM object via Xwizard
The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities.
Possible investigation steps
- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields.
- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity.
- Verify the process.executable path to ensure it matches the expected system paths (C:\Windows\SysWOW64\xwizard.exe or C:\Windows\System32\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise.
- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes.
- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation.
False positive analysis
- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments.
- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths.
- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations.
- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list.
Response and remediation
- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution.
- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious.
- Restore the system from a known good backup if unauthorized changes or persistent threats are detected.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.
References
Related rules
- Command Execution via SolarWinds Process
- Control Panel Process with Unusual Arguments
- Enumeration Command Spawned via WMIPrvSE
- ImageLoad via Windows Update Auto Update Client
- Microsoft Build Engine Started by a System Process