Techniques
Sample rules
New Capture Session Launched Via DXCap.EXE
- source: sigma
- technicques:
- t1218
Description
Detects the execution of “DXCap.EXE” with the “-c” flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains: ' -c '
selection_img:
- Image|endswith: \DXCap.exe
- OriginalFileName: DXCap.exe