rules/windows/process_creation/win_class_exec_xwizard.yml

title: Custom Class Execution via Xwizard
id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
status: test
description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
references:
  - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
date: 2020/10/07
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\xwizard.exe'
    CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'
  condition: selection
falsepositives:
  - Unknown
level: medium
tags:
  - attack.defense_evasion
  - attack.t1218
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`title: Custom Class Execution via Xwizard`
			`id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`date: 2020/10/07`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`Image\|endswith: '\xwizard.exe'`
			`CommandLine\|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}'`
			`condition: selection`
[OSCD] win_class_exec_xwizard.yml added 2020-10-07 22:49:12 +03:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
Update win_class_exec_xwizard.yml 2020-10-09 09:38:14 +03:00			`level: medium`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1218`