From 56bba563d0bef21b93217cf4ce791e2e99ddbe75 Mon Sep 17 00:00:00 2001 From: ghosts621 <97026636+ghosts621@users.noreply.github.com> Date: Sun, 22 Feb 2026 13:37:45 +0200 Subject: [PATCH 1/4] Add new Proxy Execution command to dxcap.exe (Search Order Hijacking) Hi team, Thank you for this awesome project! I am submitting a new execution technique for an existing LOLBin (`dxcap.exe`). **Description of the new finding:** When executing `dxcap.exe` with the `-usage` flag, it attempts to load and execute `Xperf.exe` (which is typically installed via the Windows ADK and is not present by default). By copying `dxcap.exe` to a user-writable directory (e.g., `%TEMP%`) and placing a malicious payload named `Xperf.exe` alongside it, `dxcap.exe` will natively execute the payload via Search Order Hijacking. **Key Points:** * **Privileges:** Standard User (No Admin required). * **Category:** Execute / Proxy Execution. * **POC:** I have included a Gist link with a PowerShell POC demonstrating the execution using `calc.exe` as the hijacked payload. I have appended the new command, detection IOCs, and my Gist link to the existing `dxcap.yml` file. Let me know if you need any changes. Thanks! --- yml/OSBinaries/dxcap.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 yml/OSBinaries/dxcap.yml diff --git a/yml/OSBinaries/dxcap.yml b/yml/OSBinaries/dxcap.yml new file mode 100644 index 00000000..58033bb9 --- /dev/null +++ b/yml/OSBinaries/dxcap.yml 
@@ -0,0 +1,27 @@ +--- +Name: dxcap.exe +Description: DirectX diagnostics/debugger included with Visual Studio. +Author: Naor Evgi +Created: 2026-02-22 +Commands: + - Command: copy C:\Windows\System32\dxcap.exe %TEMP%\dxcap.exe & copy calc.exe %TEMP%\Xperf.exe & %TEMP%\dxcap.exe -usage + Description: dxcap.exe attempts to execute Xperf.exe from the current directory or its own directory. By placing a malicious Xperf.exe alongside a copied dxcap.exe, an attacker can achieve proxy execution with standard user privileges. + Usecase: Proxy execution of malicious code by hijacking the Xperf.exe call. + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Windows\System32\dxcap.exe + - Path: C:\Windows\SysWOW64\dxcap.exe +Code_Sample: + - Code: https://gist.github.com/ghosts621/1d0e0f43f7288c826035d5d011b6ca51 +Detection: + - IOC: dxcap.exe executing from outside of System32/SysWOW64 + - IOC: dxcap.exe spawning Xperf.exe + - IOC: Xperf.exe executing from unusual directories (if not running from ADK path) +Resources: + - Link: https://github.com/ghosts621 +Acknowledgement: + - Person: Naor Evgi + Handle: '@ghosts621' From 9fb7927a118b46ba0d63fc856c16e6705449681b Mon Sep 17 00:00:00 2001 From: ghosts621 <97026636+ghosts621@users.noreply.github.com> Date: Sun, 22 Feb 2026 13:51:25 +0200 Subject: [PATCH 2/4] Add new Proxy Execution command to cmstp.exe (DLL Sideloading) Added a new execution technique for cmstp.exe using registry modification. By setting the 'CmstpExtensionDll' value under 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe', cmstp.exe will pass this data directly to LoadLibrary when executed with the '/nf' flag. This enables proxy execution / DLL sideloading of an arbitrary DLL. --- yml/OSBinaries/Cmstp.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index f2876a29..05465b48 100644 
--- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -23,6 +23,13 @@ Commands: Tags: - Execute: INF - Execute: Remote + - Command: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" /v CmstpExtensionDll /t REG_SZ /d "{PATH_ABSOLUTE:.dll}" /f & cmstp.exe /nf + Description: cmstp.exe reads the CmstpExtensionDll registry value and passes its data directly to LoadLibrary. By modifying this registry key, an attacker can sideload an arbitrary DLL. + Usecase: Proxy execution of a malicious DLL via registry modification. + Category: Execute + Privileges: Administrator + MitreID: T1218.003 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Windows\System32\cmstp.exe - Path: C:\Windows\SysWOW64\cmstp.exe @@ -35,6 +42,7 @@ Detection: - IOC: Execution of cmstp.exe without a VPN use case is suspicious - IOC: DotNet CLR libraries loaded into cmstp.exe - IOC: DotNet CLR Usage Log - cmstp.exe.log + - IOC: Registry modification to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe\CmstpExtensionDll Resources: - Link: https://twitter.com/NickTyrer/status/958450014111633408 - Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 @@ -42,8 +50,11 @@ Resources: - Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ - Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 - Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp + - Link: https://gist.github.com/ghosts621/ea8ad5b8a0904dd40b33f01f0e8285dc Acknowledgement: - Person: Oddvar Moe Handle: '@oddvarmoe' - Person: Nick Tyrer Handle: '@NickTyrer' + - Person: Naor Evgi + Handle: '@ghosts621' From 44fed218497a3ad8aa5cae338008abbb83484cec Mon Sep 17 00:00:00 2001 
From: ghosts621 <97026636+ghosts621@users.noreply.github.com> Date: Sun, 22 Feb 2026 15:03:08 +0200 Subject: [PATCH 3/4] Delete yml/OSBinaries/dxcap.yml --- yml/OSBinaries/dxcap.yml | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 yml/OSBinaries/dxcap.yml diff --git a/yml/OSBinaries/dxcap.yml b/yml/OSBinaries/dxcap.yml deleted file mode 100644 index 58033bb9..00000000 --- a/yml/OSBinaries/dxcap.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -Name: dxcap.exe -Description: DirectX diagnostics/debugger included with Visual Studio. -Author: Naor Evgi -Created: 2026-02-22 -Commands: - - Command: copy C:\Windows\System32\dxcap.exe %TEMP%\dxcap.exe & copy calc.exe %TEMP%\Xperf.exe & %TEMP%\dxcap.exe -usage - Description: dxcap.exe attempts to execute Xperf.exe from the current directory or its own directory. By placing a malicious Xperf.exe alongside a copied dxcap.exe, an attacker can achieve proxy execution with standard user privileges. - Usecase: Proxy execution of malicious code by hijacking the Xperf.exe call. - Category: Execute - Privileges: User - MitreID: T1127 - OperatingSystem: Windows 10, Windows 11 -Full_Path: - - Path: C:\Windows\System32\dxcap.exe - - Path: C:\Windows\SysWOW64\dxcap.exe -Code_Sample: - - Code: https://gist.github.com/ghosts621/1d0e0f43f7288c826035d5d011b6ca51 -Detection: - - IOC: dxcap.exe executing from outside of System32/SysWOW64 - - IOC: dxcap.exe spawning Xperf.exe - - IOC: Xperf.exe executing from unusual directories (if not running from ADK path) -Resources: - - Link: https://github.com/ghosts621 -Acknowledgement: - - Person: Naor Evgi - Handle: '@ghosts621' From 9680f7b29ba626c29f411842c7f8f7959a0431dc Mon Sep 17 00:00:00 2001 
From: ghosts621 <97026636+ghosts621@users.noreply.github.com> Date: Sun, 22 Feb 2026 15:05:46 +0200 Subject: [PATCH 4/4] Fix duplicate file error: Merge new dxcap command into existing Dxcap.yml Resolved the duplicate filename error from the GitHub Actions check. Merged the new proxy execution command (Search Order Hijacking), IOCs, and acknowledgements into the existing yml/OtherMSBinaries/Dxcap.yml file. --- yml/OtherMSBinaries/Dxcap.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/yml/OtherMSBinaries/Dxcap.yml b/yml/OtherMSBinaries/Dxcap.yml index a9b6b2d1..9b3b07a2 100644 --- a/yml/OtherMSBinaries/Dxcap.yml +++ b/yml/OtherMSBinaries/Dxcap.yml 
@@ -13,15 +13,32 @@ Commands: OperatingSystem: Windows Tags: - Execute: EXE + - Command: copy C:\Windows\System32\dxcap.exe %TEMP%\dxcap.exe & copy calc.exe %TEMP%\Xperf.exe & %TEMP%\dxcap.exe -usage + Description: dxcap.exe attempts to execute Xperf.exe from the current directory or its own directory. By placing a malicious Xperf.exe alongside a copied dxcap.exe, an attacker can achieve proxy execution with standard user privileges. + Usecase: Proxy execution of malicious code by hijacking the Xperf.exe call. + Category: Execute + Privileges: User + MitreID: T1127 + OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: EXE Full_Path: - Path: C:\Windows\System32\dxcap.exe - Path: C:\Windows\SysWOW64\dxcap.exe +Code_Sample: + - Code: https://gist.github.com/ghosts621/1d0e0f43f7288c826035d5d011b6ca51 Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml + - IOC: dxcap.exe executing from outside of System32/SysWOW64 + - IOC: dxcap.exe spawning Xperf.exe + - IOC: Xperf.exe executing from unusual directories (if not running from ADK path) Resources: - Link: https://twitter.com/harr0ey/status/992008180904419328 + - Link: https://github.com/ghosts621 Acknowledgement: - Person: Matt harr0ey Handle: '@harr0ey' - Person: Vikas Singh Handle: '@vikas891' + - Person: Naor Evgi + Handle: '@ghosts621'
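Review bot: The PATCH 1/4 hunk creates yml/OSBinaries/dxcap.yml (`create mode 100644`), but the commit message says the command was appended to the existing dxcap.yml, and PATCH 4/4 shows that file actually lives at yml/OtherMSBinaries/Dxcap.yml; the message and the change disagree, and placing a Visual Studio component (per the entry's own Description) under OSBinaries contradicts where the project already keeps it. Since PATCH 3/4 removes this file again, the hunk should not reach the history at all; fold it into the PATCH 4/4 change.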
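Review bot: In the first Cmstp.yml hunk (`@@ -23,6 +23,13 @@`), the new command entry has no `Tags:` block, while the neighbouring command carries `Tags: - Execute: INF - Execute: Remote` and the Dxcap command added in PATCH 4/4 carries `Tags: - Execute: EXE`; add a Tags block (an `Execute: DLL` tag, if that is the value the schema uses for DLL loads) so the entry is consistent. The Description and Usecase call this DLL sideloading, but what they describe is a registry value handed straight to LoadLibrary; "proxy execution of an attacker-controlled DLL via a registry value" is the more accurate wording. Because `REG ADD` targets HKLM, Privileges: Administrator is correct, and it is worth noting in the Description that the `/f` write persists beyond the single `cmstp.exe /nf` invocation, which matters for anyone triaging a host where the value is found.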
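Review bot: In the Cmstp.yml Detection hunk (`@@ -35,6 +42,7 @@`), the IOC writes `...\App Paths\cmmgr32.exe\CmstpExtensionDll`, which reads as a subkey; the command sets a REG_SZ value named CmstpExtensionDll under the `cmmgr32.exe` key, and registry-monitoring rules match key path and value name separately, so phrase it as "value CmstpExtensionDll set under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe". A second IOC follows directly from the Description and would help rule authors: cmstp.exe loading a DLL from outside the Windows directory, since that image load is the observable the LoadLibrary call produces.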
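Review bot: In the Cmstp.yml Resources/Acknowledgement hunk (`@@ -42,8 +50,11 @@`), the added Gist is the proof-of-concept, and the dxcap entry in this same series lists its Gist under `Code_Sample:`; for consistency the link belongs in a Code_Sample block in Cmstp.yml (adding the block if the file has none) rather than under Resources, which in this file holds write-ups and the Microsoft documentation.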
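Review bot: The PATCH 3/4 deletion hunk undoes PATCH 1/4 in full (`27 deletions`), and PATCH 4/4 re-adds the same content elsewhere, so the series creates and deletes a file within one PR; squash PATCH 1/4, 3/4 and 4/4 into a single commit against yml/OtherMSBinaries/Dxcap.yml so reviewers and `git log` see one change.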
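Review bot: In the PATCH 4/4 hunk to yml/OtherMSBinaries/Dxcap.yml, the new Command uses `copy calc.exe %TEMP%\Xperf.exe`, a relative path that only resolves if the shell's current directory happens to contain calc.exe; the Cmstp entry in this series uses the repository placeholder form (`{PATH_ABSOLUTE:.dll}`), so write the payload here as `{PATH_ABSOLUTE:.exe}` instead of hard-coding calc.exe. The Resources entry `https://github.com/ghosts621` is a profile page rather than a description of the technique; the Gist is already under Code_Sample, so either replace the link with a write-up of the Xperf.exe lookup or drop it. The MitreID T1127 (Trusted Developer Utilities Proxy Execution) covers the dxcap.exe side, while the commit subject calls the technique Search Order Hijacking, which is T1574.008 (Path Interception by Search Order Hijacking); check what the existing command in this file uses and keep the two entries consistent. The three IOCs are the right observables; for rule authors the first two are clearer stated as process-creation conditions: image `dxcap.exe` with a path outside `C:\Windows\System32` and `C:\Windows\SysWOW64`, and a child process named `Xperf.exe` whose parent image is `dxcap.exe`, which pairs naturally with the Sigma rule already linked in this Detection block.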