Renamed ZOHO Dctask64 Execution
Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
Sigma rule (View on GitHub)
1title: Renamed ZOHO Dctask64 Execution
2id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
3status: test
4description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
5references:
6 - https://twitter.com/gN3mes1s/status/1222088214581825540
7 - https://twitter.com/gN3mes1s/status/1222095963789111296
8 - https://twitter.com/gN3mes1s/status/1222095371175911424
9author: Florian Roth (Nextron Systems)
10date: 2020/01/28
11modified: 2023/02/14
12tags:
13 - attack.defense_evasion
14 - attack.t1036
15 - attack.t1055.001
16 - attack.t1202
17 - attack.t1218
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 Hashes|contains: '6834B1B94E49701D77CCB3C0895E1AFD'
24 filter:
25 Image|endswith: '\dctask64.exe'
26 condition: selection and not filter
27fields:
28 - CommandLine
29 - ParentCommandLine
30 - ParentImage
31falsepositives:
32 - Unknown yet
33level: high
References
Related rules
- Execution via WorkFolders.exe
- Renamed FTP.EXE Execution
- Renamed MegaSync Execution
- Microsoft Workflow Compiler Execution
- Application Whitelisting Bypass via Dxcap.exe