Xwizard DLL Sideloading

Detects the execution of the Xwizard tool from a non-default directory, which can be used to sideload a custom xwizards.dll

Sigma rule

title: Xwizard DLL Sideloading
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021/09/20
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\xwizard.exe'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
falsepositives:
    - Windows installed on non-C drive
level: high
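The rule's condition (`selection and not filter`) evaluated in Python against constructed process_creation events, as an added example that is not part of the Sigma project or the rule author's work. It assumes Sigma's default case-insensitive string matching and uses the documented "Windows installed on non-C drive" case to tag hits that may be the known false positive.

```python
import re

# Sigma's endswith/startswith modifiers compare case-insensitively by default,
# so both sides are lowercased before the check.
SELECTION_SUFFIX = "\\xwizard.exe"
FILTER_PREFIX = "c:\\windows\\system32\\"

# Documented false positive: a System32 path on a drive letter other than C.
# (Assumed pattern derived from the rule's falsepositives note.)
_NON_C_SYSTEM32 = re.compile(r"^[a-bd-z]:\\windows\\system32\\", re.IGNORECASE)


def xwizard_sideload_match(image: str) -> bool:
    """Return True when the Image field satisfies `selection and not filter`."""
    img = image.lower()
    selection = img.endswith(SELECTION_SUFFIX)
    filtered = img.startswith(FILTER_PREFIX)
    return selection and not filtered


def classify(image: str) -> str:
    """Label an event: 'no_match', 'match', or 'match_possible_fp'."""
    if not xwizard_sideload_match(image):
        return "no_match"
    if _NON_C_SYSTEM32.match(image):
        return "match_possible_fp"
    return "match"


# Constructed sample Image values chosen to exercise each branch of the rule.
SAMPLE_IMAGES = [
    r"C:\Windows\System32\xwizard.exe",        # legitimate location -> filtered
    r"c:\WINDOWS\system32\XWIZARD.EXE",        # same path, different case
    r"C:\Users\Public\Tools\xwizard.exe",      # non-default directory -> alert
    r"C:\Users\Public\Tools\notxwizard.exe",   # leading backslash prevents a hit
    r"D:\Windows\System32\xwizard.exe",        # documented false positive
]


def triage(images):
    """Return {image: label} for every event that matches the rule."""
    return {img: classify(img) for img in images if xwizard_sideload_match(img)}


if __name__ == "__main__":
    for img, label in triage(SAMPLE_IMAGES).items():
        print(f"{label:18} {img}")
```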
