← Back to Explore
sigmamediumHunting
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Detection Query
selection_img:
- Image|endswith: \DXCap.exe
- OriginalFileName: DXCap.exe
selection_cli:
CommandLine|contains: " -c "
condition: all of selection*
Author
Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Created
2019-10-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: New Capture Session Launched Via DXCap.EXE
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: |
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
- https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\DXCap.exe'
- OriginalFileName: 'DXCap.exe'
selection_cli:
CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
condition: all of selection*
falsepositives:
- Legitimate execution of dxcap.exe by legitimate user
level: medium