ZOHO Dctask64 Process Injection
Detects suspicious process injection using ZOHO's dctask64.exe
Sigma rule (View on GitHub)
1title: ZOHO Dctask64 Process Injection
2id: 6345b048-8441-43a7-9bed-541133633d7a
3status: test
4description: Detects suspicious process injection using ZOHO's dctask64.exe
5references:
6 - https://twitter.com/gN3mes1s/status/1222088214581825540
7 - https://twitter.com/gN3mes1s/status/1222095963789111296
8 - https://twitter.com/gN3mes1s/status/1222095371175911424
9author: Florian Roth (Nextron Systems)
10date: 2020/01/28
11modified: 2021/11/27
12tags:
13 - attack.defense_evasion
14 - attack.t1055.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\dctask64.exe'
21 filter:
22 CommandLine|contains: 'DesktopCentral_Agent\agent'
23 condition: selection and not filter
24fields:
25 - CommandLine
26 - ParentCommandLine
27 - ParentImage
28falsepositives:
29 - Unknown
30level: high