Application Whitelisting Bypass via Dxcap.exe

 1title: Application Whitelisting Bypass via Dxcap.exe
 2id: 60f16a96-db70-42eb-8f76-16763e333590
 3status: test
 4description: Detects execution of of Dxcap.exe
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
 7    - https://twitter.com/harr0ey/status/992008180904419328
 8author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 9date: 2019/10/26
10modified: 2022/06/09
11tags:
12    - attack.defense_evasion
13    - attack.t1218
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\DXCap.exe'
20        - OriginalFileName: 'DXCap.exe'
21    selection_cli:
22        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
23    condition: all of selection*
24falsepositives:
25    - Legitimate execution of dxcap.exe by legitimate user
26level: medium

References

• Dxcap | LOLBAS

  Launch notepad.exe as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add '-file c:\path\to\writab...

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• DNS Query From Process with Double File Extension
• Download by Process with Double File Extension
• File Creation by Process with Double File Extension
• Network Connection From Process with Double File Extension
• Suspicious Process Injection to RegAsm