Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

COM Object Execution via Xwizard.EXE

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ensar Şamil, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 07Updated Thu Aug 1553d4bb30-3f36-4e8a-b078-69d36c4a79ffwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        CommandLine: 'RunWizard'
        CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
lolbas-project.github.io
2
Resolving title…
elastic.co
3
Resolving title…
hexacorn.com
MITRE ATT&CK
Rule Metadata
Rule ID
53d4bb30-3f36-4e8a-b078-69d36c4a79ff
Status
test
Level
medium
Type
Detection
Created
Wed Oct 07
Modified
Thu Aug 15
Author
Ensar Şamil, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml
Raw Tags
attack.defense-evasionattack.t1218
View on GitHub