New Capture Session Launched Via DXCap.EXE (60f16a96-db70-42eb-8f76-16763e333590)
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch an arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | New Capture Session Launched Via DXCap.EXE (60f16a96-db70-42eb-8f76-16763e333590) | Sigma-Rules | 1 |