ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Sigma rule (View on GitHub)
1title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
2id: 6345b048-8441-43a7-9bed-541133633d7a
3status: test
4description: |
5 Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
6 This binary can be abused for DLL injection, arbitrary command and process execution.
7references:
8 - https://twitter.com/gN3mes1s/status/1222088214581825540
9 - https://twitter.com/gN3mes1s/status/1222095963789111296
10 - https://twitter.com/gN3mes1s/status/1222095371175911424
11author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
12date: 2020/01/28
13modified: 2024/04/22
14tags:
15 - attack.defense_evasion
16 - attack.t1055.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 - Image|endswith: '\dctask64.exe'
23 - Hashes|contains:
24 - '6834B1B94E49701D77CCB3C0895E1AFD' # Imphash
25 - '1BB6F93B129F398C7C4A76BB97450BBA' # Imphash
26 - 'FAA2AC19875FADE461C8D89DCF2710A3' # Imphash
27 - 'F1039CED4B91572AB7847D26032E6BBF' # Imphash
28 selection_cli:
29 CommandLine|contains:
30 - ' executecmd64 '
31 - ' invokeexe '
32 - ' injectDll '
33 condition: all of selection_*
34falsepositives:
35 - Unknown
36level: high
References
Related rules
- Renamed ZOHO Dctask64 Execution
- Renamed Mavinject.EXE Execution
- Mavinject Inject DLL Into Running Process
- HackTool - Potential CobaltStrike Process Injection
- Potential DLL Injection Or Execution Using Tracker.exe