{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/com-object/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","com-object","xwizard","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Component Object Model (COM) facilitates communication between software components. Attackers can leverage Xwizard, a legitimate Windows system binary, to execute COM objects and bypass security measures. This technique allows adversaries to proxy the execution of malicious code through a trusted system utility, making detection more challenging. This activity has been observed since at least 2017, with potential links to PlugX malware variants. The scope of targeting is broad, as any Windows system with vulnerable COM configurations could be susceptible. Defenders should monitor Xwizard execution for suspicious arguments and deviations from expected file paths to identify potential misuse of COM objects.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access via an unconfirmed method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to create a malicious COM object.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes \u003ccode\u003exwizard.exe\u003c/code\u003e with the \u003ccode\u003eRunWizard\u003c/code\u003e argument and a GUID referencing the malicious COM object.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exwizard.exe\u003c/code\u003e reads the COM object\u0026rsquo;s configuration from the registry.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exwizard.exe\u003c/code\u003e executes the code associated with the malicious COM object.\u003c/li\u003e\n\u003cli\u003eThe malicious COM object performs unauthorized actions, such as downloading additional payloads or establishing command and control.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by ensuring the malicious COM object is executed on system startup or user login.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially leading to data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on compromised systems. This can lead to data theft, malware installation, or complete system compromise. The targeted sectors are broad, as any Windows system with vulnerable COM configurations is susceptible. While specific victim counts are unavailable, the widespread use of Windows makes this a potentially significant threat. If the attack succeeds, attackers can gain persistent access, escalate privileges, and move laterally within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution events for instances of \u003ccode\u003exwizard.exe\u003c/code\u003e with suspicious arguments like \u003ccode\u003eRunWizard\u003c/code\u003e and GUIDs using the \u0026ldquo;Execution of COM object via Xwizard\u0026rdquo; rule as a baseline.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect anomalous Xwizard executions and COM object abuse.\u003c/li\u003e\n\u003cli\u003eAudit and monitor registry modifications, specifically looking for COM object registrations using registry_set rules.\u003c/li\u003e\n\u003cli\u003eEnsure that endpoint detection and response (EDR) solutions are configured to detect and block suspicious process executions originating from \u003ccode\u003exwizard.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and registry event logging (Event ID 12, 13, 14) for enhanced visibility, as mentioned in the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-xwizard-com-execution/","summary":"Adversaries may abuse Xwizard, a Windows system binary, to execute Component Object Model (COM) objects created in the registry to evade defensive countermeasures by proxying execution through a legitimate system tool.","title":"Xwizard COM Object Execution for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-xwizard-com-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Com-Object","version":"https://jsonfeed.org/version/1.1"}