Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Sigma rule (View on GitHub)
1title: Renamed ZOHO Dctask64 Execution
2id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
3status: test
4description: |
5 Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
6 This binary can be abused for DLL injection, arbitrary command and process execution.
7references:
8 - https://twitter.com/gN3mes1s/status/1222088214581825540
9 - https://twitter.com/gN3mes1s/status/1222095963789111296
10 - https://twitter.com/gN3mes1s/status/1222095371175911424
11author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
12date: 2020-01-28
13modified: 2025-01-22
14tags:
15 - attack.defense-evasion
16 - attack.t1036
17 - attack.t1055.001
18 - attack.t1202
19 - attack.t1218
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 Hashes|contains:
26 - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
27 - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
28 - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
29 - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
30 filter_main_legit_name:
31 Image|endswith: '\dctask64.exe'
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- Potentially Suspicious Child Process Of VsCode
- Sdiagnhost Calling Suspicious Child Process
- Findstr Launching .lnk File
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools