Renamed ZOHO Dctask64 Execution

calendar Feb 13, 2023 · attack.defense_evasion attack.t1036 attack.t1055.001 attack.t1202 attack.t1218  ·
Share on: linkedin copy

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

Sigma rule (View on GitHub)

 1title: Renamed ZOHO Dctask64 Execution
 2id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
 3status: test
 4description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
 5references:
 6    - https://twitter.com/gN3mes1s/status/1222088214581825540
 7    - https://twitter.com/gN3mes1s/status/1222095963789111296
 8    - https://twitter.com/gN3mes1s/status/1222095371175911424
 9author: Florian Roth (Nextron Systems)
10date: 2020/01/28
11modified: 2023/02/14
12tags:
13    - attack.defense_evasion
14    - attack.t1036
15    - attack.t1055.001
16    - attack.t1202
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        Hashes|contains: '6834B1B94E49701D77CCB3C0895E1AFD'
24    filter:
25        Image|endswith: '\dctask64.exe'
26    condition: selection and not filter
27fields:
28    - CommandLine
29    - ParentCommandLine
30    - ParentImage
31falsepositives:
32    - Unknown yet
33level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top