New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Sigma rule:
title: New Capture Session Launched Via DXCap.EXE
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: |
    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\DXCap.exe'
        - OriginalFileName: 'DXCap.exe'
    selection_cli:
        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
    condition: all of selection*
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
level: medium
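To see how the rule's detection block behaves on real-looking telemetry, here is a small evaluator that applies the same selections and condition to constructed process_creation events. It is an added example and not code from the Sigma project; the event records, paths and command lines are constructed samples, and the matching follows Sigma's default semantics (case-insensitive string modifiers, a list of maps under selection_img meaning "any of", and "all of selection*" requiring both selections).

```python
# Added example: applying the Sigma rule's detection logic to constructed
# process_creation events. Not code from the Sigma project.

# Each tuple mirrors one line of the rule: (field, modifier, value).
# selection_img is a list of maps in the rule, so ANY entry matching suffices;
# selection_cli is a single map, so ALL entries must match.
SELECTION_IMG = [
    ("Image", "endswith", "\\DXCap.exe"),
    ("OriginalFileName", "equals", "DXCap.exe"),
]
SELECTION_CLI = [
    ("CommandLine", "contains", " -c "),
]


def _match(event, field, modifier, value):
    """Evaluate one field condition with Sigma's case-insensitive string semantics."""
    actual = event.get(field)
    if actual is None:
        return False
    a, v = str(actual).lower(), value.lower()
    if modifier == "endswith":
        return a.endswith(v)
    if modifier == "contains":
        return v in a
    if modifier == "equals":
        return a == v
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event):
    """condition: all of selection*  ->  selection_img AND selection_cli."""
    img = any(_match(event, f, m, v) for f, m, v in SELECTION_IMG)
    cli = all(_match(event, f, m, v) for f, m, v in SELECTION_CLI)
    return img and cli


# Constructed sample events (not real telemetry). The comment on each says
# what the rule is expected to do with it.
SAMPLE_EVENTS = [
    {   # 0: DXCap launching another binary via -c -> alert
        "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\DXCap.exe",
        "OriginalFileName": "DXCap.exe",
        "CommandLine": "DXCap -c C:\\Users\\Public\\tool.exe",
    },
    {   # 1: some other program with a -c flag -> image selection fails, no alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd -c whoami",
    },
    {   # 2: DXCap used for a normal capture without -c -> no alert
        "Image": "C:\\Tools\\dxcap.exe",
        "OriginalFileName": "DXCap.exe",
        "CommandLine": "dxcap -frames 100",
    },
    {   # 3: renamed copy; Image misses but OriginalFileName still matches -> alert
        "Image": "C:\\Tools\\renamed.exe",
        "OriginalFileName": "DXCap.exe",
        "CommandLine": "renamed -c notepad",
    },
    {   # 4: '-c' is the last token with no trailing space -> ' -c ' does not match
        "Image": "C:\\Tools\\dxcap.exe",
        "OriginalFileName": "DXCap.exe",
        "CommandLine": "dxcap -c",
    },
]


def alerts(events):
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 3]
```

Two points worth noticing from the sample set: event 3 shows why the rule keeps OriginalFileName alongside the Image path (a renamed copy of the binary is still caught), and event 4 shows the cost of the surrounding spaces in `' -c '`, which require the flag to be followed by at least one more character. Whether that trailing-space form is acceptable depends on how DXCap is actually invoked in your environment; the rule's own comment only notes that the ".exe" suffix is optional.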
Related rules
- COM Object Execution via Xwizard.EXE
- Potential DLL Sideloading Using Coregen.exe
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Diskshadow Script Mode - Execution From Potential Suspicious Location