ZOHO Dctask64 Process Injection

 1title: ZOHO Dctask64 Process Injection
 2id: 6345b048-8441-43a7-9bed-541133633d7a
 3status: test
 4description: Detects suspicious process injection using ZOHO's dctask64.exe
 5references:
 6    - https://twitter.com/gN3mes1s/status/1222088214581825540
 7    - https://twitter.com/gN3mes1s/status/1222095963789111296
 8    - https://twitter.com/gN3mes1s/status/1222095371175911424
 9author: Florian Roth (Nextron Systems)
10date: 2020/01/28
11modified: 2021/11/27
12tags:
13    - attack.defense_evasion
14    - attack.t1055.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\dctask64.exe'
21    filter:
22        CommandLine|contains: 'DesktopCentral_Agent\agent'
23    condition: selection and not filter
24fields:
25    - CommandLine
26    - ParentCommandLine
27    - ParentImage
28falsepositives:
29    - Unknown
30level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Renamed ZOHO Dctask64 Execution
• Potential DLL Injection Or Execution Using Tracker.exe
• AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
• DLL Execution Via Register-cimprovider.exe
• Detection of PowerShell Execution via Sqlps.exe