Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
Sigma rule (View on GitHub)
1title: Xwizard.EXE Execution From Non-Default Location
2id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
3status: test
4description: |
5 Detects the execution of Xwizard tool from a non-default directory.
6 When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
9 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
10author: Christian Burkard (Nextron Systems)
11date: 2021-09-20
12modified: 2024-08-15
13tags:
14 - attack.defense-evasion
15 - attack.t1574.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 - Image|endswith: '\xwizard.exe'
22 - OriginalFileName: 'xwizard.exe'
23 filter_main_legit_location:
24 Image|startswith:
25 - 'C:\Windows\System32\'
26 - 'C:\Windows\SysWOW64\'
27 - 'C:\Windows\WinSxS\'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Windows installed on non-C drive
31level: high
References
-
Xwizard.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve. Why? When you run it with a ‘/h’ comma...
Read More
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL