COM Object Execution via Xwizard.EXE

calendar Apr 26, 2024 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Sigma rule (View on GitHub)

 1title: COM Object Execution via Xwizard.EXE
 2id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
 3status: test
 4description: |
 5    Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
 6    This utility can be abused in order to run custom COM object created in the registry.    
 7references:
 8    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 9    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html
10    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
11author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
12date: 2020/10/07
13modified: 2024/04/22
14tags:
15    - attack.defense_evasion
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\xwizard.exe'
23        - OriginalFileName: 'xwizard.exe'
24    selection_cli:
25        CommandLine: 'RunWizard'
26        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
27    condition: all of selection_* or (selection_cli and not selection_img)
28falsepositives:
29    - Unknown
30level: medium

References

Related rules

to-top