Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
Sigma rule (View on GitHub)
1title: Xwizard.EXE Execution From Non-Default Location
2id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
3status: test
4description: |
5 Detects the execution of Xwizard tool from a non-default directory.
6 When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
9 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
10author: Christian Burkard (Nextron Systems)
11date: 2021-09-20
12modified: 2024-08-15
13tags:
14 - attack.privilege-escalation
15 - attack.persistence
16 - attack.defense-evasion
17 - attack.t1574.001
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 - Image|endswith: '\xwizard.exe'
24 - OriginalFileName: 'xwizard.exe'
25 filter_main_legit_location:
26 Image|startswith:
27 - 'C:\Windows\System32\'
28 - 'C:\Windows\SysWOW64\'
29 - 'C:\Windows\WinSxS\'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Windows installed on non-C drive
33level: high
References
-
Xwizard.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More -
Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve. Why? When you run it with a ‘/h’ comma...
Read More
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL