Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
Sigma rule (View on GitHub)
1title: Xwizard.EXE Execution From Non-Default Location
2id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
3status: test
4description: |
5 Detects the execution of Xwizard tool from a non-default directory.
6 When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
7references:
8 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
9 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
10author: Christian Burkard (Nextron Systems)
11date: 2021/09/20
12modified: 2024/04/22
13tags:
14 - attack.defense_evasion
15 - attack.t1574.002
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 - Image|endswith: '\xwizard.exe'
22 - OriginalFileName: 'xwizard.exe'
23 filter_main_legit_location:
24 Image|startswith:
25 - 'C:\Windows\System32\'
26 - 'C:\Windows\SysWOW64\'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Windows installed on non-C drive
30level: high
References
-
Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...
Read More -
Xwizard is an ‘Extensible wizard host process’. While I am not 100% sure what it is doing I know for certain that – whatever it is – PlugX guys would approve. Why? When you run it with a ‘/h’ comma...
Read More
Related rules
- Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
- Potential Chrome Frame Helper DLL Sideloading
- Potential Goopdate.DLL Sideloading
- Potential RoboForm.DLL Sideloading
- Potential SmadHook.DLL Sideloading