
Summary
This detection rule identifies execution of the DXCap.EXE process with the '-c' command line argument in a Windows environment. That flag lets DXCap.EXE launch arbitrary binaries or Windows packages, which is a security risk because it may allow attackers to bypass application whitelisting mechanisms. By monitoring for this command line syntax, the rule aims to pinpoint potentially malicious activity associated with defense evasion tactics. It evaluates process creation events, focusing on the image name and the command line arguments. Because legitimate users may also run DXCap.EXE in their workflows, the rule notes this as a source of false positives to be weighed when interpreting its results.
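The following is an added illustration of the detection logic described above, run over constructed process-creation events; it is not the rule's own matching expression. It assumes events carry an `Image` and a `CommandLine` field, matches the image name case-insensitively, and treats '-c' as a whitespace-delimited token so that other options beginning with "-c" do not trigger (an assumption about tokenisation, not something the rule states).

```python
import re
from typing import Iterable

# Image name the rule looks for (compared case-insensitively, as Windows paths are).
IMAGE_SUFFIX = r"\dxcap.exe"
# Whitespace-delimited "-c" option; case-insensitive. Assumed tokenisation,
# chosen so that an unrelated option such as "-capture" is not mistaken for it.
C_FLAG = re.compile(r"(?:^|\s)-c(?=\s|$)", re.IGNORECASE)


def is_dxcap_c_execution(event: dict) -> bool:
    """True when a process-creation event is DXCap.exe started with the -c option."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    return image.endswith(IMAGE_SUFFIX) and C_FLAG.search(cmdline) is not None


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the events from a stream of process-creation records that match the rule."""
    return [e for e in events if is_dxcap_c_execution(e)]


# Constructed sample events (not real telemetry); the names following -c and
# the benign option in the third event are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\DXCap.exe",
     "CommandLine": r'"C:\Windows\System32\DXCap.exe" -c placeholder_tool.exe'},
    {"ProcessId": 4121, "Image": r"C:\Windows\SysWOW64\dxcap.exe",
     "CommandLine": r"dxcap.exe -C placeholder_package.appx"},   # hit: case-insensitive
    {"ProcessId": 4122, "Image": r"C:\Windows\System32\DXCap.exe",
     "CommandLine": r"DXCap.exe -placeholderopt capture.out"},    # benign: other option
    {"ProcessId": 4123, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},                           # different image
    {"ProcessId": 4124, "Image": r"C:\Windows\System32\DXCap.exe",
     "CommandLine": r"DXCap.exe -capture out.bin"},               # "-c" prefix only
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['ProcessId']} cmdline={hit['CommandLine']}")
```

Only the first two sample events are reported; triage of a hit still has to confirm whether the invocation belongs to a known legitimate workflow.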
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-10-26