Application Whitelisting Bypass via Dxcap.exe
Detects execution of Dxcap.exe
Sigma rule
```yaml
title: Application Whitelisting Bypass via Dxcap.exe
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: Detects execution of Dxcap.exe
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019/10/26
modified: 2022/06/09
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\DXCap.exe'
        - OriginalFileName: 'DXCap.exe'
    selection_cli:
        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
    condition: all of selection*
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
level: medium
```
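To see which process-creation events this rule actually fires on, here is an added example (not part of the rule or the Sigma project) that transcribes the rule's two selections and its `all of selection*` condition into a small evaluator and runs it over constructed Sysmon-style events; the event paths and command lines are made up for illustration, and the evaluator assumes Sigma's default case-insensitive string matching.

```python
# Added example, not the Sigma project's own code: evaluates this rule's detection
# logic over constructed process_creation events so an analyst can see what it
# would match. Sigma string matching is case-insensitive, hence the lower-casing.

# Field, Sigma modifier (None = exact match) and value, transcribed from the rule.
SELECTION_IMG = [  # a YAML list of maps => any entry may match
    ("Image", "endswith", "\\DXCap.exe"),
    ("OriginalFileName", None, "DXCap.exe"),
]
SELECTION_CLI = [  # a YAML map => every entry must match
    ("CommandLine", "contains", " -c "),
]

def _clause_matches(event, field, modifier, value):
    actual = str(event.get(field, "")).lower()
    expected = value.lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    return actual == expected

def matches_rule(event):
    """condition: all of selection* -> selection_img AND selection_cli."""
    img = any(_clause_matches(event, *c) for c in SELECTION_IMG)
    cli = all(_clause_matches(event, *c) for c in SELECTION_CLI)
    return img and cli

def run_rule(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

# Constructed sample events (Sysmon Event ID 1 style fields); every path and
# command line below is made up for this example.
SAMPLE_EVENTS = [
    # 0: invoked without ".exe" on the command line, as the rule's comment notes
    {"Image": r"C:\Tools\dxcap.exe", "OriginalFileName": "DXCap.exe",
     "CommandLine": r"dxcap -c C:\Users\Public\tool.exe"},
    # 1: ordinary graphics-capture use without "-c" -> no alert
    {"Image": r"C:\VS\Common7\IDE\DXCap.exe", "OriginalFileName": "DXCap.exe",
     "CommandLine": "DXCap.exe -frames 5 capture.vsglog"},
    # 2: binary renamed on disk; OriginalFileName from the PE header still matches
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "DXCap.exe",
     "CommandLine": "renamed -c tool.exe"},
    # 3: unrelated process; " /c " is not " -c "
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir"},
]
if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))  # [0, 2]
```

Event 2 is why the rule checks `OriginalFileName` alongside `Image`: renaming the binary on disk does not change the PE header value Sysmon reports.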