Xwizard DLL Sideloading
Detects execution of the Xwizard tool (xwizard.exe) from a non-default directory. A copy of the binary run from outside System32 can be used to sideload a custom xwizards.dll placed alongside it (DLL sideloading, ATT&CK T1574.002).
Sigma rule
```yaml
title: Xwizard DLL Sideloading
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021/09/20
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\xwizard.exe'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
falsepositives:
    - Windows installed on non-C drive
level: high
```
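The `selection and not filter` logic of the rule evaluated in Python over a handful of constructed process_creation events. This is an added example for illustration, not code from the rule or the Sigma project. The events are made up, the `system32_prefix` parameter is an assumed knob (not part of the rule) that shows how the documented non-C-drive false positive can be removed, and the SysWOW64 event assumes a 32-bit copy of xwizard.exe exists on the host. Sigma string modifiers match case-insensitively by default, which is why the comparison lowercases `Image`.

```python
# Constructed sample process_creation events (not real telemetry). Field names
# follow the Sysmon fields Sigma maps for this log source.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\xwizard.exe"},        # legitimate location
    {"id": 2, "Image": r"C:\Users\Public\Downloads\xwizard.exe"},  # copied out of System32: sideload candidate
    {"id": 3, "Image": r"D:\Windows\System32\xwizard.exe"},        # Windows on a non-C drive (documented false positive)
    {"id": 4, "Image": r"C:\Windows\SysWOW64\xwizard.exe"},        # assumed 32-bit copy; the filter does not cover it
    {"id": 5, "Image": r"C:\Temp\notxwizard.exe"},                 # '\xwizard.exe' needs the separator, so no match
    {"id": 6, "Image": r"c:\windows\system32\XWIZARD.EXE"},        # matching is case-insensitive in Sigma
]

# The rule's filter prefix; ends in a backslash, so it cannot be a raw string.
DEFAULT_SYSTEM32 = "C:\\Windows\\System32\\"


def matches_rule(event: dict, system32_prefix: str = DEFAULT_SYSTEM32) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    `system32_prefix` is an assumed extension of the rule: pass the host's
    real %SystemRoot%\\System32\\ to avoid alerting on a non-C install.
    """
    image = event.get("Image", "").lower()
    selection = image.endswith("\\xwizard.exe")          # Image|endswith: '\xwizard.exe'
    filtered = image.startswith(system32_prefix.lower())  # Image|startswith: 'C:\Windows\System32\'
    return selection and not filtered


def run_detection(events, system32_prefix: str = DEFAULT_SYSTEM32) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e, system32_prefix)]


if __name__ == "__main__":
    print("alerts with the rule's filter:", run_detection(SAMPLE_EVENTS))
    print("alerts with a D: system root: ", run_detection(SAMPLE_EVENTS, "D:\\Windows\\System32\\"))
```

With the rule as written, events 2, 3 and 4 alert: the copied binary, the non-C-drive install the rule lists as a false positive, and the assumed SysWOW64 copy that the System32-only filter lets through. Switching the prefix to the D: system root silences event 3 but then makes every C:\Windows\System32 execution alert, so the filter should reflect the actual %SystemRoot% of the monitored hosts rather than a guessed drive letter.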
Related rules
- UAC Bypass With Fake DLL
- Application Whitelisting Bypass via Dxcap.exe
- Base64 Encoded PowerShell Command Detected
- Flash Player Update from Suspicious Location
- Hiding User Account Via SpecialAccounts Registry Key