Dxcap.exe
DirectX diagnostics/debugger included with Visual Studio.
Paths
C:\Windows\System32\dxcap.exe
C:\Windows\SysWOW64\dxcap.exe
Commands
Execute
Launch the specified executable as a subprocess of dxcap.exe. Note that you need write permissions in the current working directory for the command to succeed; alternatively, add '-file c:\path\to\writable\location.ext' as the first argument.
Use case: Local execution of a process as a subprocess of dxcap.exe
Privileges: User
Dxcap.exe -c {PATH_ABSOLUTE:.exe}
Execute
Once executed, `dxcap.exe` will execute `xperf.exe` in the same folder. Thus, if `dxcap.exe` is copied to a folder and an arbitrary executable is renamed to `xperf.exe`, `dxcap.exe` will spawn it.
Use case: Execute an arbitrary executable via a trusted system executable.
Privileges: User
dxcap.exe -usage
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
- IOC: dxcap.exe executing from outside of System32/SysWOW64
- IOC: dxcap.exe spawning Xperf.exe
- IOC: Xperf.exe executing from unusual directories (if not running from ADK path)
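The three IOCs above as detection logic, added here as an example that is not part of the LOLBAS entry: it runs over constructed process-creation records whose Image/ParentImage field names mirror Sysmon Event ID 1, and the Windows ADK install path used as the "expected" xperf.exe location is an assumption.

```python
# Added example: flag the dxcap.exe indicators from the Detection section over
# constructed process-creation records (Sysmon Event ID 1 style field names).
import ntpath

TRUSTED_DXCAP_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: xperf.exe is only expected under the Windows ADK / WPT install path.
EXPECTED_XPERF_DIRS = {r"c:\program files (x86)\windows kits\10\windows performance toolkit"}


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def dxcap_indicators(event):
    """Return the IOC labels (from the page's Detection list) that one event matches."""
    image, parent = event["Image"], event.get("ParentImage", "")
    hits = []
    if _base(image) == "dxcap.exe" and _dir(image) not in TRUSTED_DXCAP_DIRS:
        hits.append("dxcap_outside_system_dirs")      # IOC 1
    if _base(parent) == "dxcap.exe" and _base(image) == "xperf.exe":
        hits.append("dxcap_spawned_xperf")            # IOC 2
    if _base(image) == "xperf.exe" and _dir(image) not in EXPECTED_XPERF_DIRS:
        hits.append("xperf_unusual_dir")              # IOC 3
    return hits


def scan(events):
    """Map ProcessId -> matched IOCs for every event that matches at least one."""
    findings = {}
    for event in events:
        hits = dxcap_indicators(event)
        if hits:
            findings[event["ProcessId"]] = hits
    return findings


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"ProcessId": 100, "Image": r"C:\Windows\System32\dxcap.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 101, "Image": r"C:\Users\alice\Downloads\dxcap.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 102, "Image": r"C:\Users\alice\Downloads\xperf.exe",
     "ParentImage": r"C:\Users\alice\Downloads\dxcap.exe"},
    {"ProcessId": 103, "Image": r"C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\xperf.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Only the copied dxcap.exe (101) and the xperf.exe it spawns (102) are flagged; the System32 copy and the ADK xperf.exe produce no hits.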