.. /Dxcap.exe

Star

Paths:

• C:\Windows\System32\dxcap.exe
• C:\Windows\SysWOW64\dxcap.exe

Resources:

• https://twitter.com/harr0ey/status/992008180904419328

Acknowledgements:

• Matt harr0ey (@harr0ey)
• Vikas Singh (@vikas891)

Detections:

• Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml

Execute

1. Launch specified executable as a subprocess of dxcap.exe. Note that you should have write permissions in the current working directory for the command to succeed; alternatively, add '-file c:\path\to\writable\location.ext' as first argument.

   Dxcap.exe -c {PATH_ABSOLUTE:.exe}

   Use case

   Local execution of a process as a subprocess of dxcap.exe

   Privileges required

   User

   Operating systems

   Windows

   ATT&CK® technique

   T1127

   Tags

   Execute: EXE