Execution of COM object via Xwizard

Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard, a signed Windows binary, can be used to run a COM object registered in the registry, which lets an adversary execute code under a trusted process name and evade defensive countermeasures.

Elastic rule

```toml
[metadata]
creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application
programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to
run a COM object created in registry to evade defensive counter measures.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Execution of COM object via Xwizard"
references = [
    "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
    "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
]
risk_score = 47
rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 (process.name : "xwizard.exe" or ?process.pe.original_file_name : "xwizard.exe") and
 (
   (process.args : "RunWizard" and process.args : "{*}") or
   (process.executable != null and
     not process.executable : (
        "C:\\Windows\\SysWOW64\\xwizard.exe",
        "C:\\Windows\\System32\\xwizard.exe",
        "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe"
     )
   )
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution of COM object via Xwizard

The Windows Component Object Model (COM) facilitates communication between software components. Adversaries exploit this by using Xwizard to execute COM objects, bypassing security measures. The detection rule identifies suspicious Xwizard executions by monitoring process starts, checking for unusual arguments, and verifying executable paths, thus flagging potential misuse of COM objects for malicious activities.

### Possible investigation steps

- Review the process start event details to confirm the presence of xwizard.exe execution, focusing on the process.name and process.pe.original_file_name fields.
- Examine the process.args field to identify any unusual or suspicious arguments, particularly looking for the "RunWizard" command and any GUIDs or patterns that may indicate malicious activity.
- Verify the process.executable path to ensure it matches the expected system paths (C:\\Windows\\SysWOW64\\xwizard.exe or C:\\Windows\\System32\\xwizard.exe). Investigate any deviations from these paths as potential indicators of compromise.
- Check the parent process of xwizard.exe to understand the context of its execution and identify any potentially malicious parent processes.
- Correlate the event with other security data sources such as Microsoft Defender for Endpoint or Sysmon logs to gather additional context and identify any related suspicious activities or patterns.
- Investigate the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential unauthorized access or privilege escalation.

### False positive analysis

- Legitimate software installations or updates may trigger the rule if they use Xwizard to execute COM objects. Users can create exceptions for known software update processes by verifying the executable paths and arguments.
- System administrators might use Xwizard for legitimate configuration tasks. To handle this, identify and document regular administrative activities and exclude these from the rule by specifying the expected process arguments and executable paths.
- Automated scripts or management tools that utilize Xwizard for system management tasks can cause false positives. Review and whitelist these scripts or tools by ensuring their execution paths and arguments are consistent with known safe operations.
- Some security tools or monitoring solutions might use Xwizard as part of their normal operations. Confirm these activities with the tool's documentation and exclude them by adding their specific execution patterns to the exception list.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious xwizard.exe processes identified by the detection rule to halt potential malicious execution.
- Conduct a thorough review of the system's registry for unauthorized COM objects and remove any entries that are not recognized or are deemed malicious.
- Restore the system from a known good backup if unauthorized changes or persistent threats are detected.
- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
- Monitor the network for any signs of similar activity or related threats, ensuring that detection systems are tuned to identify variations of this attack.
- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
...
```
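The EQL query above has three moving parts: the name/original-file-name check, the `RunWizard` plus GUID-argument branch, and the "running from somewhere other than System32/SysWOW64" branch, including the `\Device\HarddiskVolume?` form that some sensors report. The guide's false-positive section then says to carve out exceptions by executable path and arguments. The Python below is an added example, not Elastic's code or part of the rule repository: it re-implements the query's logic over flat ECS-style event dictionaries, approximates EQL's case-insensitive `:` wildcard operator with `fnmatch`, and layers a small exception list on top so that a matched event is either alerted on or suppressed. All sample events, the allowlist entry and every GUID in it are constructed placeholders.

```python
"""Re-implementation of the Xwizard rule's EQL conditions plus an exception list.

Added example, not Elastic's code. The sample events and the allowlist entry
below are constructed; every GUID is a placeholder.
"""
import fnmatch
from dataclasses import dataclass

# Paths the rule accepts as the legitimate locations of xwizard.exe (from the query).
EXPECTED_EXECUTABLES = (
    "C:\\Windows\\SysWOW64\\xwizard.exe",
    "C:\\Windows\\System32\\xwizard.exe",
    "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\xwizard.exe",
    "\\Device\\HarddiskVolume?\\Windows\\System32\\xwizard.exe",
)


def eql_match(value, pattern):
    """Approximate EQL's `:` operator: case-insensitive, with * and ? as wildcards."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_match(values, pattern):
    """`field : "x"` on an array field (process.args) is true if any element matches."""
    return any(eql_match(v, pattern) for v in values or [])


def matches_rule(event):
    """Return True when a flat ECS-style event satisfies the rule's query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    # ?process.pe.original_file_name is optional in EQL: a missing field just fails that clause.
    if not (eql_match(event.get("process.name"), "xwizard.exe")
            or eql_match(event.get("process.pe.original_file_name"), "xwizard.exe")):
        return False
    args = event.get("process.args")
    run_wizard_with_clsid = any_match(args, "RunWizard") and any_match(args, "{*}")
    exe = event.get("process.executable")
    unexpected_path = exe is not None and not any(eql_match(exe, p) for p in EXPECTED_EXECUTABLES)
    return run_wizard_with_clsid or unexpected_path


@dataclass(frozen=True)
class RuleException:
    """A documented benign pattern keyed on executable path and arguments, as the guide suggests."""
    label: str
    executable: str   # glob over process.executable
    args: tuple       # each entry must be matched by some element of process.args


# Constructed allowlist entry for a documented admin task; the GUID is a placeholder.
KNOWN_GOOD = (
    RuleException(
        label="documented admin wizard (constructed example)",
        executable="C:\\Windows\\System32\\xwizard.exe",
        args=("RunWizard", "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"),
    ),
)


def is_allowlisted(event, exceptions=KNOWN_GOOD):
    """True if the event's path and arguments match one documented exception."""
    exe, args = event.get("process.executable"), event.get("process.args")
    return any(eql_match(exe, e.executable) and all(any_match(args, a) for a in e.args)
               for e in exceptions)


def triage(event):
    """Return 'no_match', 'suppressed' (matched but allowlisted) or 'alert'."""
    if not matches_rule(event):
        return "no_match"
    return "suppressed" if is_allowlisted(event) else "alert"


# Constructed process-start events, ECS field names flattened to dotted keys.
SAMPLE_EVENTS = {
    # RunWizard with a CLSID-style argument from the normal path: first branch of the query.
    "runwizard": {"host.os.type": "windows", "event.type": "start", "process.name": "xwizard.exe",
                  "process.executable": "C:\\Windows\\System32\\xwizard.exe",
                  "process.args": ["xwizard.exe", "RunWizard", "{11111111-2222-3333-4444-555555555555}"]},
    # Renamed copy outside System32: caught via original_file_name and the path branch.
    "renamed_copy": {"host.os.type": "windows", "event.type": "start", "process.name": "xw.exe",
                     "process.pe.original_file_name": "xwizard.exe",
                     "process.executable": "C:\\Users\\Public\\xw.exe", "process.args": ["xw.exe"]},
    # Ordinary start from the device-path form of System32 with no RunWizard argument.
    "benign_start": {"host.os.type": "windows", "event.type": "start", "process.name": "xwizard.exe",
                     "process.executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\xwizard.exe",
                     "process.args": ["xwizard.exe"]},
    # Wrong OS: the rule never applies.
    "linux": {"host.os.type": "linux", "event.type": "start", "process.name": "xwizard.exe",
              "process.args": ["xwizard.exe", "RunWizard", "{11111111-2222-3333-4444-555555555555}"]},
    # Matches the query but is the documented admin task from KNOWN_GOOD.
    "documented_admin": {"host.os.type": "windows", "event.type": "start", "process.name": "xwizard.exe",
                         "process.executable": "C:\\Windows\\System32\\xwizard.exe",
                         "process.args": ["xwizard.exe", "RunWizard", "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"]},
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:17s} -> {triage(event)}")
```

The exception list deliberately keys on the full argument set, not just `RunWizard`: an allowlist entry that only pins the executable path would also suppress the first branch of the query, which fires precisely for the expected path plus a GUID, and that is the branch the LOLBAS technique relies on.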