COM Object Execution via Xwizard.EXE

calendar Aug 29, 2024 · attack.defense-evasion attack.t1218  ·
Share on: linkedin copy

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Sigma rule (View on GitHub)

 1title: COM Object Execution via Xwizard.EXE
 2id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
 3status: test
 4description: |
 5    Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
 6    This utility can be abused in order to run custom COM object created in the registry.    
 7references:
 8    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 9    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
10    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
11author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
12date: 2020-10-07
13modified: 2024-08-15
14tags:
15    - attack.defense-evasion
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        CommandLine: 'RunWizard'
23        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top