From aaf63d2238137a30eeef6fc7199def6f66da4e96 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 26 Oct 2019 20:02:25 +0200
Subject: [PATCH] add win_susp_dxcap.yml

---
 .../process_creation/win_susp_dxcap.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_dxcap.yml

diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
new file mode 100644
index 000000000..3fb6272ad
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -0,0 +1,22 @@
+title: Bypassing Application Whitelisting by using dxcap.exe
+status: experimental
+description: Local execution of a process as a subprocess of Dxcap.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
+ - https://twitter.com/harr0ey/status/992008180904419328
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\dxcap.exe'
+ CommandLine: '* -c *'
+ condition: selection
+falsepositives:
+ - Unknown
+
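Review bot: The description says the suspicious event is a process started as a subprocess of Dxcap.exe, but the only selection matches the dxcap.exe launch itself (`Image: '*\dxcap.exe'` plus a `-c` token on its command line), so the spawned payload never triggers on its own and the rule stands or falls on the exact `* -c *` spelling of the parent's command line. A second selection on the parent process would cover the case the description actually describes: `selection_parent:` / `ParentImage: '*\dxcap.exe'` with `condition: selection or selection_parent`. The `attack.persistence` tag is also not supported by anything in the rule text — a signed-binary proxy execution of this kind is usually tagged `attack.defense_evasion` and `attack.execution` (plus the proxy-execution technique id if this repository uses technique tags; check its conventions). Finally, `falsepositives: - Unknown` could name the obvious benign source, presumably developers using the Visual Studio DirectX capture tool, so analysts know what to triage against.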