Xwizard.EXE Execution From Non-Default Location
- source: sigma
- techniques:
- t1574
- t1574.002
Description
Detects execution of the Xwizard tool (xwizard.exe) from a directory other than its default Windows locations. When the binary is copied to and run from a non-default directory, it can be abused to side-load a custom version of “xwizards.dll” placed alongside it.
Detection logic
detection:
    selection:
        - Image|endswith: '\xwizard.exe'
        - OriginalFileName: 'xwizard.exe'
    filter_main_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
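To show how the condition above evaluates in practice, the following is an added example (not code from the Sigma project or this rule's author) that re-implements the rule's logic in Python and runs it over a handful of constructed process-creation events. It assumes Sysmon Event ID 1 field names (`Image`, `OriginalFileName`), as the rule itself does, and applies Sigma's default case-insensitive string matching; the event IDs and paths in the sample data are made up for illustration.

```python
"""Evaluate the Xwizard non-default-location rule over constructed events.

Added example, not part of the Sigma rule itself. Field names follow
Sysmon Event ID 1 (Image, OriginalFileName); the events are constructed.
"""
from typing import Iterable, List

# Sigma's plain, |startswith and |endswith string matches are case-insensitive
# by default, so both sides of every comparison are lower-cased.
LEGIT_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _norm(value) -> str:
    """Lower-case a field value, treating a missing field as empty."""
    return (value or "").lower()


def selection(event: dict) -> bool:
    """'selection' is a YAML list of two maps, which Sigma joins with OR.

    Either the image path ends in \\xwizard.exe, or the PE version resource's
    OriginalFileName says xwizard.exe, which also catches a renamed copy.
    """
    image_hit = _norm(event.get("Image")).endswith("\\xwizard.exe")
    ofn_hit = _norm(event.get("OriginalFileName")) == "xwizard.exe"
    return image_hit or ofn_hit


def filter_main_legit_location(event: dict) -> bool:
    """True when the image lives under one of the expected Windows directories."""
    return _norm(event.get("Image")).startswith(LEGIT_PREFIXES)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_location(event)


def alerting_ids(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and ids).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\xwizard.exe",
     "OriginalFileName": "xwizard.exe"},                      # legitimate
    {"id": "e2", "Image": "C:\\WINDOWS\\SysWOW64\\XWIZARD.EXE",
     "OriginalFileName": "xwizard.exe"},                      # legit, odd case
    {"id": "e3", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\xwizard.exe",
     "OriginalFileName": "xwizard.exe"},                      # copied to temp
    {"id": "e4", "Image": "C:\\Temp\\update.exe",
     "OriginalFileName": "xwizard.exe"},                      # renamed copy
    {"id": "e5", "Image": "C:\\Temp\\xwizard.exe",
     "OriginalFileName": None},                               # no OFN (e.g. 4688)
    {"id": "e6", "Image": "C:\\Program Files\\App\\notepad.exe",
     "OriginalFileName": "notepad.exe"},                      # unrelated
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "ALERT" if rule_matches(ev) else "ok", ev["Image"])
```

Two points worth keeping in mind when deploying the rule: the `OriginalFileName` branch is what catches a renamed copy (event e4 above), but it only works with log sources that record that field, such as Sysmon; Windows Security 4688 events carry no `OriginalFileName`, so against that source only the path-based branch fires. The rule also keys on where xwizard.exe runs from, not on which `xwizards.dll` it loaded, so a hit is a lead to triage the DLL in the same directory rather than confirmation of side-loading.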