SigmaHQ/rules/windows/process_creation/win_susp_dxcap.yml

title: Application Whitelisting Bypass via Dxcap.exe
id: 60f16a96-db70-42eb-8f76-16763e333590
status: experimental
description: Detects execution of of Dxcap.exe
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.execution # an old one
level: medium
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dxcap.exe'
        CommandLine|contains|all:
            - '-c'
            - '.exe'
    condition: selection
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Application Whitelisting Bypass via Dxcap.exe`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 60f16a96-db70-42eb-8f76-16763e333590`
add win_susp_dxcap.yml 2019-10-26 18:02:25 +00:00			`status: experimental`
Update win_susp_dxcap.yml 2019-11-04 15:38:37 +00:00			`description: Detects execution of of Dxcap.exe`
add win_susp_dxcap.yml 2019-10-26 18:02:25 +00:00			`references:`
			`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml`
			`- https://twitter.com/harr0ey/status/992008180904419328`
Update win_susp_dxcap.yml 2019-11-04 15:38:37 +00:00			`author: Beyu Denis, oscd.community`
add win_susp_dxcap.yml 2019-10-26 18:02:25 +00:00			`date: 2019/10/26`
Update win_susp_dxcap.yml 2019-11-04 15:38:37 +00:00			`modified: 2019/11/04`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1218`
att&ck tags review: windows/process_creation part 7 2020-08-30 16:17:38 +00:00			`- attack.execution # an old one`
add win_susp_dxcap.yml 2019-10-26 18:02:25 +00:00			`level: medium`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Update win_susp_dxcap.yml 2019-11-04 15:43:42 +00:00			`selection:`
add modifiers 2019-11-07 22:34:30 +00:00			`Image\|endswith: '\dxcap.exe'`
Update win_susp_dxcap.yml 2019-11-04 15:43:42 +00:00			`CommandLine\|contains\|all:`
			`- '-c'`
			`- '.exe'`
			`condition: selection`
add win_susp_dxcap.yml 2019-10-26 18:02:25 +00:00			`falsepositives:`
Update win_susp_dxcap.yml 2019-11-04 15:38:37 +00:00			`- Legitimate execution of dxcap.exe by legitimate user`